A run a day won’t keep the hacker away: privacy in sports apps often subpar

The circle shows the ‘privacy zone’ that a sportsperson can designate. But the zone is drawn on a street map, which shows where the sportsperson enters it. Combine that with the distance the sportsperson has covered, across multiple running activities (orange, green and blue), and you can easily arrive at one concrete point where the sportsperson probably lives or works.

Sports and fitness apps, such as Strava, are gaining in popularity year after year. They have also often become true social networks. You share some very personal data there, and sometimes, unknowingly, your home or work location too, as the starting point for your sports activities. Apps usually allow you to hide those locations, but researchers from the imec-DistriNet research group at KU Leuven discovered that, in many cases, this option gives a false sense of security. The findings were presented today at the leading ACM Conference on Computer and Communications Security (CCS) in Los Angeles, and Strava has already invited the researchers to review their conclusions together.

The popular sports app Strava had more than 100 million users in 195 countries at the end of May 2022. Runtastic from Adidas has as many as 182 million registered users. These are just two examples of the popularity of social networking around sports. Every day, millions of sports activities around the world are shared with friends and other app users - a virtual supporter community. But the activities you share also say a lot about you. Very often, you can discover patterns in them: fixed places and times when you exercise, fixed routes, fixed points of departure and arrival. And precisely the latter are also often residences or workplaces.

A false sense of security

To avoid simply releasing that data, social networks such as Strava often work with endpoint privacy zones: they allow you to hide a zone around a privacy-sensitive location, as a circle around that spot whose size you choose. But that approach creates a false sense of security, as researchers from the imec-DistriNet group at KU Leuven showed.

"In the overview of your protected activity, there is still so much data about, for example, the distance covered and route taken that, in combination with a street map, still reveals your point of departure or arrival," says researcher Karel Dhondt.

The researchers developed an inference attack, as these are known, and applied it to anonymised activities shared on sports apps. "For example, among the 1.4 million Strava activities we analysed, we were able to uncover up to 85 percent of the hidden locations anyway, based purely on the additional data that was publicly available," says researcher Victor Le Pochat of the imec-DistriNet research group.

Many users do realise the risk involved in sharing activities on these apps. In the past, for example, there were reports of how soldiers unknowingly revealed the location of secret military sites by sharing their running laps, and reports of athletes whose expensive bikes were stolen after thieves had been lurking on Strava. But equally, the new options for protecting your location data are not foolproof.

Solutions

The researchers have delivered their findings to the respective platforms, and are sitting together with Strava to discuss their suggestions for improvements. The apps could better hide the information about the distance you cover within the hidden zone from outsiders, or even omit it altogether. The latter intervention, however, will have a severe impact on users, since the activity is then no longer fully recorded. They could also vary the shape and size of the hidden areas (now mostly circles) more.
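The first suggestion, hiding the distance covered inside the zone from outsiders, can be sketched as follows. This is an added example, not code from the researchers or from any app; it assumes a track is a list of (latitude, longitude) points and a circular zone, and the function names and the sample track on the equator are constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def path_length_m(points):
    """Length of a polyline given as consecutive (lat, lon) points."""
    return sum(haversine_m(p, q) for p, q in zip(points, points[1:]))

def publish_view(track, zone_center, zone_radius_m):
    """Return what outsiders may see: the runs of points outside the zone and
    a distance computed from those runs only (hypothetical helper)."""
    runs, current = [], []
    for point in track:
        if haversine_m(point, zone_center) > zone_radius_m:
            current.append(point)
        elif current:  # entering the zone ends the current visible run
            runs.append(current)
            current = []
    if current:
        runs.append(current)
    # Runs are summed separately, so no straight line is drawn across the zone.
    visible = sum(path_length_m(run) for run in runs)
    return {
        "visible_runs": runs,
        "published_distance_m": visible,
        # Kept server-side or shown to the owner only, never to other users.
        "withheld_distance_m": path_length_m(track) - visible,
    }

# Constructed sample: out-and-back along the equator from a "home" at (0, 0),
# one point every 0.001 degrees of longitude (about 111 m), 250 m zone.
HOME = (0.0, 0.0)
OUT_AND_BACK = [(0.0, i * 0.001) for i in list(range(11)) + list(range(9, -1, -1))]

if __name__ == "__main__":
    view = publish_view(OUT_AND_BACK, HOME, 250)
    print(round(view["published_distance_m"]), round(view["withheld_distance_m"]))
```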

"Users can better protect their privacy on sports apps too. Setting a privacy zone is still a good idea anyway, but make the zone around places you want to keep hidden large enough. It is often a minimum of 200 metres, but you can increase the zone to more than a kilometre. The bigger, the better," stresses researcher Karel Dhondt. In addition, varying your start and finish locations more is another effective strategy.

Priva

The researchers also built an online application, which they christened Priva, that uses their insights to better secure your sports activities. You choose a location that you want to secure, and the application chooses the best size of area to make invisible for you.