Fitness apps like Strava leaked sensitive information about users’ locations even when they used in-app features to specifically set up privacy zones to hide their activity in certain areas, researchers have found.
Two PhD students from KU Leuven in Belgium have found that if a person starts their activity from home, an attacker with limited skills can use high-precision API metadata exposed by the app to determine their home location, even if they have set up what is called an “endpoint privacy zone” (EPZ) for that area.
And although the researchers have contacted the app companies that leak this data, the problem remains largely unsolved, say Karel Dhondt and Victor Le Pochat. They plan to present their findings at Black Hat Asia in a session called “A Jog a Day Won’t Keep a Hacker Away: Inference Attacks on Endpoint Privacy Zones in Social Fitness Tracking Networks.” Dhondt and Le Pochat previously presented the work and accompanying paper at the ACM Computer and Communications Security (CCS) 2022 conference last November.
People use fitness apps like Strava to track and share data about their fitness activity – like running, cycling or walking. From within the app, they can set and achieve fitness goals, and compete or train virtually with friends, among other features.
However, this data, if it falls into the wrong hands, can be used against them to find out where they live or where they regularly exercise, leading to potential physical harm. In 2017, this scenario came to light when researchers revealed that Strava was sharing secret locations of military bases when active duty personnel shared their fitness activity with the app, potentially exposing them and their military activity to enemies and putting them at physical risk.
When app privacy is not private
In response to this revelation, Strava and other fitness apps added privacy features – called EPZs in Strava, but which have other names in other apps. They allow users to hide parts of their route around sensitive locations, such as their homes or offices, and track activity only after they leave those designated areas.
Specifically, an EPZ in Strava is a circular area that someone can configure to hide traces of activity that occurs within it. Other apps included in the study that have similar features include Garmin Connect, Relive, Komoot, Map My Tracks and Ride With GPS.
Dhondt and Le Pochat – a cyclist and a runner respectively – are fitness app enthusiasts themselves and undertook their investigation out of personal interest. They knew that, in theory, EPZs within Strava should keep these sensitive locations from being revealed to other users of the app or anyone else viewing their activity data.
But that’s not really the case, they found. Using distance information leaked in activity metadata, street network data, and EPZ entry point locations, the researchers engineered an attack that applies regression analysis to predict users’ protected locations, even when they had created privacy zones to hide them.
“In the metadata is the distance value of the entire track—including the parts that are supposed to be hidden in the privacy zone,” Dhondt explains in an interview with Dark Reading. “The distance traveled inside the privacy zone has expired.”
Using this metadata combined with maps of the local area, the researchers could predict where other users started or ended their activities, and therefore where they live or work, he says.
The attack itself is also unsophisticated: anyone with a standard developer tool that can inspect API data in the app’s communications with the web server could see the leaked data, the researchers said.
“It’s not like they’re faking API calls or changing the way they communicate with Strava,” Dhondt says. “When Strava maps the location where the person ran or cycled, the high-precision API data is already there. You can use a developer tool and easily inspect network traffic. Data is just a keystroke away.”
Designing the attack
The researchers conducted their research using data from users around the world and experimented to see if their attack worked in both sparsely populated and densely populated areas. It turns out that it does, but of course it’s much easier to pinpoint locations in areas where there are only a few houses or other buildings, the researchers say.
Moreover, creating a larger EPZ reduced the attack’s performance and success rate, while geographically dispersed activities in sparser street networks led to better attack performance. “In rural or sparsely populated areas, if you have a privacy zone of 200 meters with only a few houses in the zone, it’s easier to determine the location,” says Dhondt.
In terms of the data collected and examined, the researchers conducted a random, large-scale data collection of 4,000 users and 1.4 million Strava activities in various locations around the world over a period of one month. Their Strava results showed that the attack discovered the protected location for up to 85% of EPZs, meaning the zones protected only 15% of the users who created them.
Mitigation and (lack of) response
The researchers responsibly disclosed their findings to all the companies whose applications they studied, and suggested a number of ways in which the problems could be solved. So far, however, only Strava has responded to the researchers beyond thanking them for the disclosure, and the two sides are in ongoing discussions about potential mitigation measures.
Still, companies don’t seem particularly interested in implementing mitigation measures, citing a reduced user experience if the proposed fixes are implemented, the researchers said.
“They were reluctant to implement any of our recommendations because they felt it would negatively impact the utility for their users,” says Dhondt. However, while this may be true for some of the proposed fixes, it is not true for all of them, he says.
One mitigation, for example, requires applications to minimize the accuracy of data exposed in APIs used in network communications. In Strava, data in the user interface for distance traveled is rounded down to 10-meter accuracy, and distance traveled in the privacy zone is displayed rounded down to 100-meter accuracy. However, both distances are provided in the API with an accuracy of 0.1 meters, says Le Pochat.
Therefore, “the lower the accuracy of the reported distances in the API, the lower the success rate [of the attack] would be,” says Dhondt.
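To illustrate why reporting precision matters, the following added example (not the researchers’ code) models a constructed 200-meter zone with one entry point and eight hypothetical houses, recovers the in-zone distance the way the article describes (full-track distance minus the visible part), and counts how many houses remain indistinguishable when that distance is rounded down to 0.1 m, 10 m and 100 m. Distances are kept as integer decimetres to avoid floating-point rounding surprises.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    """A hypothetical building inside the privacy zone, with its along-street
    distance from the EPZ entry point in decimetres (0.1 m units)."""
    name: str
    path_dm: int


# Constructed candidate set: houses reachable from the zone's single entry point.
CANDIDATES = [
    Candidate("house_1", 423), Candidate("house_2", 468), Candidate("house_3", 511),
    Candidate("house_4", 1042), Candidate("house_5", 1087), Candidate("house_6", 1135),
    Candidate("house_7", 1570), Candidate("house_8", 1831),
]


def hidden_distance_dm(total_dm: int, visible_dm: int) -> int:
    """Distance travelled inside the zone: the full-track distance in the
    metadata minus the part of the track that is actually drawn on the map."""
    return total_dm - visible_dm


def round_down(value_dm: int, precision_dm: int) -> int:
    """Round a distance down to a coarser precision, as the article says the UI does."""
    return (value_dm // precision_dm) * precision_dm


def consistent_candidates(reported_hidden_dm: int, precision_dm: int, candidates=CANDIDATES):
    """Buildings whose true path distance would produce the same reported value."""
    return [c.name for c in candidates
            if round_down(c.path_dm, precision_dm) == reported_hidden_dm]


def ambiguity_at(precision_dm: int, true_home: Candidate = CANDIDATES[4], candidates=CANDIDATES):
    """Which buildings an observer cannot tell apart when distances are reported
    at this precision; a longer list means the zone protects the user better."""
    reported = round_down(true_home.path_dm, precision_dm)
    return consistent_candidates(reported, precision_dm, candidates)


if __name__ == "__main__":
    # 0.1 m is the API precision the article describes; 10 m and 100 m are the UI values.
    for label, precision in (("0.1 m", 1), ("10 m", 100), ("100 m", 1000)):
        print(f"reported at {label:>6}: {ambiguity_at(precision)}")
```

At 0.1 m the hidden distance singles out one house; at the 100 m precision the app already uses in its interface, five of the eight houses remain plausible.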
The researchers also suggest that the apps could help users choose the size of their privacy zone based on the area they live in and whether it is densely populated or not, a change they say would be relatively easy to make. They also suggest using non-round, less typical shapes for the area to make the location harder to determine, which the Komoot app already does.
To be fair, though, some of the proposed mitigations do take away from the app’s user experience, the researchers admit. Among them are a suggestion to shift the distance slightly by taking it from the start and adding it to the end, and another to cut the start and finish inside the privacy zone out of the distance measured in the app, so no one can tell where a given user was during that part of their route.
“People use these apps to track their performance, so they might not like it,” says Dhondt. “They take away some of the fun and appeal of these apps.”
Overall, the researchers say, Strava and other fitness app providers need to balance the usability and functionality of those apps and decide which is more important.
“It’s a difficult decision whether to prioritize privacy, which reduces the amount of data and reduces functionality, or prioritize the functionality of the app,” says Le Pochat. “Sometimes you have to compromise and give up privacy to get functionality.”