Fitness apps such as Strava leak sensitive location information of users, even when they've used in-app features to specifically set up privacy zones to hide their activity within specified areas, researchers have found.
Two PhD students from KU Leuven in Belgium have discovered that if a person is starting his or her activity from home, an attacker with limited skills can use high-precision API metadata revealed in the app to pinpoint their home location, even if they've set up what's called an "endpoint privacy zone" (EPZ) for that area.
Moreover, despite contacting the companies with apps leaking this data, the problem is still largely unsolved, the researchers, Karel Dhondt and Victor Le Pochat, said. They plan to present their findings at Black Hat Asia in a session called "A Run a Day Won't Keep the Hacker Away: Inference Attacks on Endpoint Privacy Zones in Fitness Tracking Social Networks." Dhondt and Le Pochat previously presented the work and its accompanying paper at the ACM Conference on Computer and Communications Security (CCS) 2022 last November.
People use fitness apps like Strava to keep track of and share data about their fitness activity — such as running, cycling, or walking. From within the app, they can set and reach fitness goals, as well as compete or fitness train virtually with friends, among other uses.
However, this data, if it falls into the wrong hands, can be used against them to locate where they live or where they frequently conduct their fitness activity, leading to potential physical harm. In 2017, this scenario came to light when researchers revealed that Strava shared secret Army base locations when personnel on active duty shared their fitness activity to the app, potentially exposing them and their military activity to enemies and putting them at physical risk.
When App Privacy Isn't Private
In response to this revelation, Strava and other fitness apps added privacy features — called EPZs in Strava, though they go by other names in other apps. These allow users to hide portions of their route around sensitive locations, such as their homes or offices, and only track activity once they've left those defined areas.
Specifically, an EPZ in Strava is a circular area that someone can configure to hide traces of activity that occur within it. Other apps covered in the research that have similar features include Garmin Connect, Relive, Komoot, Map My Tracks, and Ride With GPS.
Dhondt and Le Pochat—a cyclist and a runner, respectively—are fitness-app enthusiasts themselves and embarked on their investigation out of their own personal interest. They knew that in theory, EPZs within Strava should protect location data about these sensitive locations from being revealed to app users, or anyone else viewing their activity data.
But that's actually not the case, they found. The researchers successfully constructed a cyberattack using distance information leaked in activity metadata, street grid data, and the locations of the entry points into the EPZ, they revealed in their research. These results allowed them to use regression analysis to predict protected locations of users even when they had set up privacy zones to hide them.
"In the metadata there is the distance value of the entire track — including the parts that are supposed to be hidden inside the privacy zone," Dhondt explains in an interview with Dark Reading. "The distance that has been covered inside the privacy zone has been leaked."
Using this metadata combined with maps of the local area, the researchers could make predictions about where other users ended or started their activity, thus where they live or work, he says.
Moreover, the attack itself is unsophisticated, meaning that anyone with a simple developer tool that can examine API data from Web server communications can view the leaked data, the researchers say.
"It's not like they have to forge API calls or alter ways they communicate with Strava," Dhondt says. "Whenever Strava draws the map of wherever the person went running or cycling, the high-precision API data is already there. You can use a developer tool and easily inspect network traffic. The data is just one keystroke away."
Devising the Attack
The researchers tested their attack using data from users worldwide and experimented to see whether it worked in both sparsely and densely populated areas. It turns out that it does, but of course it's much easier to pinpoint locations in areas where there are only a few houses or other buildings, the researchers say.
Moreover, setting up a larger EPZ reduced the attack's performance and success rate, while geographically dispersed activities in sparser street grids yielded better attack performance. "In rural or sparse areas, if you have a privacy zone of 200 meters with only a couple of houses in the zone, it's easier to pinpoint location," Dhondt says.
In terms of the data collected and examined, the researchers conducted random, large-scale data scraping of 4,000 users and 1.4 million Strava activities in various worldwide locations over a month-long period. Their results for Strava found that the attack discovers the protected location for up to 85% of EPZs, thus protecting only 15% of users who set up these zones.
Mitigation & (Lack of) Response
The researchers responsibly disclosed their findings to all of the companies whose apps they investigated and offered a number of ways the issues could be resolved. However, so far, only Strava has responded to the researchers beyond thanking them for the disclosure, and the two are in ongoing discussions with the fitness app provider about potential mitigations.
Still, the companies don't seem particularly interested in applying mitigations, citing diminished user experience if the proposed fixes were applied, the researchers said.
"They were reluctant to apply any of our recommendations because they felt like it would negatively impact the utility for their users," Dhondt says. However, while this may be true of some of the proposed fixes, it's not true of all of them, he says.
One mitigation, for instance, calls for the apps to minimize the accuracy of the data revealed in APIs used in network communications. In Strava, the data in the user interface about the distance traveled is rounded down with 10-meter accuracy, and the distance traveled within the privacy zone is shown rounded down with 100-meter accuracy. However, both distances are provided in the API with 0.1 meter accuracy, Le Pochat says.
Therefore, "the lower the accuracy of the reported distances in the API, the lower the success rate [of the attack] would be," Dhondt says.
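The rounding mitigation above is simple to express in code. The following example, added here and not taken from the researchers' paper or from any fitness app's code base, applies the same floor rounding the article says Strava's user interface already uses (10 m for the total distance, 100 m for the distance inside the zone) before the values reach an API response, and then measures why that matters: given a constructed set of candidate distances along a street grid, it counts how many remain indistinguishable at each precision. The field names, the sample activity, and the candidate distances are all assumptions constructed for the example; only the 0.1 m, 10 m and 100 m precisions come from the article.

```python
from decimal import Decimal, ROUND_DOWN
from dataclasses import dataclass


@dataclass
class ActivityMetadata:
    """Constructed stand-in for the distance fields an app stores per activity.

    Field names are hypothetical; they are not Strava's API field names.
    """
    total_distance_m: float   # full track length, including the part hidden by the EPZ
    hidden_distance_m: float  # length of the track that lies inside the EPZ


def floor_to(value_m: float, step_m: float) -> Decimal:
    """Round a distance down to a multiple of step_m (0.1, 10 or 100 metres).

    Decimal arithmetic is used so that 345.0 rounded to 0.1 m is exactly 345.0
    and buckets compare equal without floating-point noise.
    """
    value = Decimal(str(value_m))
    step = Decimal(str(step_m))
    return (value / step).to_integral_value(rounding=ROUND_DOWN) * step


# Precisions the article attributes to Strava's UI for each field.
UI_PRECISION_M = {"distance_m": 10, "hidden_distance_m": 100}


def coarsen_for_api(meta: ActivityMetadata) -> dict:
    """Serialise activity distances for the API at UI precision, not 0.1 m.

    This is the researchers' 'minimise API accuracy' mitigation: the API
    should not reveal more precision than the user-facing interface does.
    """
    return {
        "distance_m": floor_to(meta.total_distance_m, UI_PRECISION_M["distance_m"]),
        "hidden_distance_m": floor_to(meta.hidden_distance_m, UI_PRECISION_M["hidden_distance_m"]),
    }


def consistent_candidates(candidates_m: list, reported: Decimal, step_m: float) -> list:
    """Return the candidate distances that round to the same reported value.

    This is a defender's way to size the anonymity set a given precision
    leaves: the more candidates that share a bucket, the less the reported
    value narrows down which one is real.
    """
    return [c for c in candidates_m if floor_to(c, step_m) == reported]


# Constructed sample: a 5,347.8 m run of which 345.0 m lies inside the zone.
SAMPLE = ActivityMetadata(total_distance_m=5347.8, hidden_distance_m=345.0)

# Constructed candidate in-zone distances, one per plausible endpoint along the
# street grid inside a hypothetical privacy zone. 345.0 is the true one.
CANDIDATES_M = [312.4, 318.9, 345.0, 347.3, 371.6, 398.2]


def anonymity_set_sizes(true_hidden_m: float = 345.0) -> dict:
    """How many candidates survive at each API precision for the true value."""
    sizes = {}
    for step in (0.1, 10, 100):
        reported = floor_to(true_hidden_m, step)
        sizes[step] = len(consistent_candidates(CANDIDATES_M, reported, step))
    return sizes


if __name__ == "__main__":
    print("API view at UI precision:", coarsen_for_api(SAMPLE))
    for step, size in anonymity_set_sizes().items():
        print(f"{step:>5} m precision -> {size} of {len(CANDIDATES_M)} candidates indistinguishable")
```

With these constructed numbers, 0.1 m precision leaves a single candidate, 10 m leaves two, and 100 m leaves all six, which is the quantitative content of Dhondt's remark that lower API accuracy lowers the attack's success rate. In a real service the coarsening belongs in the serialisation layer that every endpoint shares, so that the map-drawing call the article describes cannot bypass it.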
The researchers also suggest that the apps could help users choose the size of their privacy zone based on the area in which they live and whether it's densely populated or not, which they say would be a relatively easy fix. They also suggest using non-circular, less-typical shapes to create the zone to make it more difficult to pinpoint the location, which the Komoot app already does.
To be fair, though, some of the suggested mitigations do take away from the user experience of the app, the researchers acknowledge. Among these are suggestions to shift the distance slightly by taking it from the start and adding it to the end, and another to cut off the start and finish in the privacy zone from the distance measured in the app so no one could track where a user had been during their route.
"People use these apps to track their performances, so they might not like that," Dhondt says. "They take away from some of the fun and attraction of these apps."
Overall, the researchers say, Strava and other fitness-app providers have to balance the usability and functionality of these apps and decide what's more important.
"It's a difficult decision whether you prioritize privacy, which reduces the amount of data and reduces the functionality, or prioritize the functionality of the app," Le Pochat says. "Sometimes you have to make tradeoffs and give away privacy to gain functionality."