Application Security

1/29/2018
10:33 AM
50%
50%

Strava Fitness App Shares Secret Army Base Locations

The exercise tracker published a data visualization map containing exercise routes shared by soldiers on active duty.

In November 2017, the Strava fitness tracking app published a visualization map to show where users exercise across the world. However, that map also revealed location information about military bases and spy posts around the world, military analysts report.

The company lets users record running, walking, or biking activity on their smartphones or wearables, and upload it to the Internet. Military analysts noticed the map - which was constructed using more than three trillion individual GPS data points - has enough detail to give away potentially sensitive data on where soldiers on active duty are located. Users in locations like Afghanistan and Syria seem to exclusively be military personnel, they say.

"If soldiers use the app like normal people do, by turning it on and tracking when they go to do exercise, it could be especially dangerous," says Nathan Ruser, analyst with the Institute for United Conflict Analysts. On Strava's map, the Helmand province of Afghanistan shows the layout of operating bases via exercise routes. The base is absent from satellite views on both Google Maps and Apple Maps.

These findings arrive the day after Data Privacy Day, which was created to encourage both individuals and businesses to respect user privacy and protect data. Strava's decision to publish sensitive location data is part of a growing discussion around how companies should handle the massive amount of information they collect on users.

Read more details here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/1/2018 | 12:00:57 PM
Re: Sharing data
@Dr.T: More to the point, I've also found that, for people who engage and share practically nil online, it's much easier to find information out about them online because all that's left on Google are the data harvesters and data sellers -- particularly because the people who don't engage online tend to do a poor job of protecting their privacy beyond the mentality of "Well, I'm maintaining my privacy as long as I'm no on Facebook" (as if privacy and Facebook were correlated in such a binary fashion).
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/31/2018 | 8:04:54 AM
Re: Sharing data
@Dr.T: There are more checks and balances on gathering data on citizens directly rather than purchasing it from companies. (See, e.g., that URL from the other comment.)
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:45:36 PM
Re: Sharing data
I work to consciously control the flow of information to mitigate things. I do the same, if I feel it is not suppose to be shared with anyone that information does not end up in the internet for me.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:44:01 PM
Re: Sharing data
I've accepted that various information about me is going to be readily accessible online -- particularly because of the nature of my work. That is true, it is the same for many of us, we can share willingly since it is not sensitive data.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:42:17 PM
Re: Sharing data
Uphill battle, though, given a population addicted to always online, sharing and comparing. This is a good point. Sharing and comparing is ok but if for sensitive location then we end up with these problems.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:39:31 PM
Re: Sharing data
Realistically, they're either making it public, or they're selling it directly to government agencies. Interesting idea. Would government agencies not have the data already?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:38:04 PM
Army location
One thing I am sure everybody knows where the army stations are and where the soldiers practice. You do not need tracking app for that.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/30/2018 | 1:52:06 PM
Re: Sharing data
@Brian: For my own part, I've accepted that various information about me is going to be readily accessible online -- particularly because of the nature of my work.

That said, via my writing, my social presences (which I manage by assuming anyone or just about anyone can read what I put -- regardless of my restrictions), etc., I work to consciously control the flow of information to mitigate things.
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
1/30/2018 | 12:49:09 PM
Re: Sharing data
@JoeS: "...realistically the best solution is to do what you can to share little with companies to begin with."  That sound advice, worded many different ways, can be found in every security-centric site.  Uphill battle, though, given a population addicted to always online, sharing and comparing. 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/29/2018 | 11:16:54 PM
Sharing data
Realistically, they're either making it public, or they're selling it directly to government agencies. ( See, e.g., this from recent headlines about license-plate location data: theverge.com/2018/1/26/16932350/ice-immigration-customs-license-plate-recognition-contract-vigilant-solutions ).

We'll see how things change with GDPR, but realistically the best solution is to do what you can to share little with companies to begin with.
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
Why Enterprises Can't Ignore Third-Party IoT-Related Risks
Charlie Miller, Senior Vice President, The Santa Fe Group,  5/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11232
PUBLISHED: 2018-05-18
The etm_setup_aux function in drivers/hwtracing/coresight/coresight-etm-perf.c in the Linux kernel before 4.10.2 allows attackers to cause a denial of service (panic) because a parameter is incorrectly used as a local variable.
CVE-2017-15855
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, the camera application triggers "user-memory-access" issue as the Camera CPP module Linux driver directly accesses the application provided buffer, which resides in u...
CVE-2018-3567
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing the HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP messages.
CVE-2018-3568
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, in __wlan_hdd_cfg80211_vendor_scan(), a buffer overwrite can potentially occur.
CVE-2018-5827
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing an extscan hotlist event.