A team of journalists from de Correspondent in the Netherlands has discovered that certain fitness apps can be used to track down names and home addresses of their users. The security flaw was first brought to the attention of the team by Foeke Postma (a volunteer with the Bellingcat open source intelligence collective), who was concerned by the potential for exploitation.
Astonishingly, this information was freely available, and could even be used to locate the names and home addresses of people working at sensitive locations. Obviously no one likes to broadcast their home address to strangers, but some people have a higher interest than most in keeping their location secret - for example, those working for the military, or in government agencies.
The app primarily used in the research was Polar, but the team was also able to retrieve sensitive information about users using Strava, Endomondo, and Runkeeper.
The team was able to locate home addresses of military personnel working at overseas and domestic military bases, people working at Guantánamo Bay, and even those working for secret services.
Source: de Correspondent
When the team realised how easy it had been to find this information, the potential for exploitation frightened them. "The moment we find Tom’s and John’s home addresses, we realize we’re dealing with information that can endanger people’s lives. What if IS fighters or sympathizers went looking, intent on revenge? What if hackers collected this information and sold it to the highest bidder? It would be just as easy for them to find as it has been for us."
Polar even showed data for locations that have been obscured in Google Maps for security purposes, as shown in the image below.
Fitness app Strava was criticised earlier this year for how easy it was to access sensitive information using its app, and took steps to prevent unauthorised access as a result. However, according to the team at de Correspondent, not enough has been done to prevent abuse, as they were still able to track down individuals' names and addresses.
The developers behind Polar have now been contacted and the vulnerability has, thankfully, been closed. However, the fact that this information was publicly available in the first place should motivate users to take great care when using location-tracking apps. Vulnerable individuals, such as those working at sensitive locations, are advised to avoid using these types of apps altogether.