Blog: Consumer Advice
Training apps. Have their privacy settings improved in 5 years?
TL;DR
- Run and bike tracking apps still have a pretty poor approach to password security & default privacy settings
- From being one of the more secure apps 5 years ago, Strava has now been pushed to the back of this pack as others improved
- Amazingly, none of these apps support multi factor authentication
- Weak passwords e.g. ‘password’ are still allowed by Strava
- Strava’s users’ data settings are public, by default, whilst others increasingly default to privacy
The other apps we reviewed have shown some improvements, although they still pose some privacy and safety risks to users.
Introduction
5 years ago we looked at 5 run and bike tracking apps. Runtastic was a train wreck, as anyone could be tracked in real time, unauthenticated.
This time round it’s Strava that’s been found wanting.
Strava will counter that granular privacy controls are available to the user, but it’s the default that’s important here. Many users will simply accept the defaults and never change them. That’s evident from the high percentage of Strava users that have ‘open’ profiles where anyone can see users activity.
Privacy should be ‘on’ as the default. Users should then enable access to certain groups of friends, should they wish to
Finally, Strava, Runkeeper and MapMyRun allowed a password of ‘password’. This is simply not acceptable, particularly given the lack of 2FA.
To give an idea of the scale of this sector, and therefore the size of any problems, this is the take-up of just the 5 apps we’re reviewing:
- MapMyRun: 10M+ downloads on Play Store
- Nike Run Club: 10M+ downloads on Play Store
- Runkeeper: 10M+ downloads on Play Store
- Runtastic: 50M+ downloads on Play Store
- Strava: 10M+ downloads on Play Store
90M+ downloads ≈ 90M+ users.
Why revisit these applications?
Today, even more devices can be connected to these apps than 5 years ago, showing highly accurate information about users. In some cases running shoes can be connected via Bluetooth. While this information does not seem to be that harmful, it can indicate the equipment you are carrying with you, it shows when you start and finish your routine, how much do you run and who is running with you.
Password weakness still a big problem
One shocking issue was that these apps still allow users to use really weak passwords. Today, it is recommended to use a password that consists of 10 characters and it is a good practice to use a disallow-list for common passwords, like ‘123456 or ‘Password1’. Three of the applications accepted ‘password’ as a password, one of them accepted ‘Password1’ as a password, and only one of them set a common password disallow-list. This shows, that only Runtastic had set better password policy in 5 years.
Whilst users would ideally be encouraged to use a password manager, setting at least some password complexity requirements is a step in the right direction. This does not mitigate against password re-use, which is why two factor authentication would be very wise, yet appears to be completely overlooked by these app vendors.
Even better, check the users password against Troy Hunt’s breached password API at https://haveibeenpwned.com/
Privacy
Strava and Runkeeper are configured to publicly share user data by default. It is possible to change these settings in the application, but it takes some time to find them and set them correctly, which is probably not the first consideration for a regular user.
Nike Run Club, Runtastic and MapMyRun was found to have better privacy policy settings enabled, which means they do not share users’ data by default, like the other applications do. They only share your training information with friends or followers
One strange thing that was discovered during this research is that MapMyRun automatically sets sharing for ‘Everyone’ when the user wants to share the link of the training, even if it is sent to friends, or even if they decide not to share the link with anyone in the end. There is an alert that you accept to change sharing for ‘Everyone’, but if you decide not to share it in the end, the post still remains publicly available.
MapMyRun sets sharing for ‘Everyone’, when copying the sharing link.
How we conducted the review
The settings investigated this time were mostly the same as 5 years ago. As some applications changed in the meantime, we decided it would be relevant to spot the differences between the web application and the mobile application.
- Default privacy settings – How is user data protected by the app by default once downloaded. Is your data and/or activity open to others, or does the vendor make it private as standard? Did these settings change over the years?
- Easily tailored privacy settings – Is it easy and obvious to change the defaults and make your data more secure, or is it buried in layers of configuration? Is it easier to set our privacy settings today?
- Password strength – Does the app make you set a strong password, or is a password of ‘password’ possible? If weak passwords are allowed, it’s almost as bad as publishing everything about you on the public Internet!
- Predictable session number (iterative/sequential)? – Do the applications still use sequential session numbers? Can this data be obtained by unauthorised users?
- Can Google index your runs? – Did the developers set proper measure against spidering and crawling of the training sessions? What can we extract from Google searches?
- EXIF data on uploaded images? – People still upload photos of their trainings. Can we extract data from these (e.g. location, author, device)? Can we access user photos unauthorised?
- Live tracking capability? – Do these apps ensure live tracking? Can this live tracking function be used to stalk people? What are the default settings for live tracking?
- Differences between web application and mobile application settings – Are there more privacy settings in the web application than in the mobile version? How does this affect the users?
Detailed findings
Default privacy settings
MapMyRun
Private: Profile, route and workout sharing is set to ‘Friends’ by default.
It is an improvement from last time when it was set to fully public.
Privacy settings can be edited via Profile / Settings / Privacy.
There is a Privacy Policy Center in the application and the user must accept this during registration,
The settings are not shown during the registration and the user is not notified about with whom is the data shared.
If you want to share the link to your run on the app, you must set the Privacy to ‘Everyone’ even if you just want to share it with friends.
Nike Run Club
Private: Maps and profile are only visible to ‘Friends’ by default.
This is the same settings as it was used at the last time.
Privacy setting can be edited via Profile / Settings / Profile visibility
There is a Privacy Policy Center in the application and the user must accept this during registration.
The settings are not shown during the registration and the user is not notified about with whom is the data shared.
Runkeeper
Partially Public: Maps only visible to ‘Friends’ by default, but activities are shown to ‘Everyone’.
Last time, these settings were set to fully private.
Only a photo is taken that can be shared. Last time, the full activity could be shared on social platforms.
Privacy setting can be edited via Me / Settings / Privacy.
The settings are not shown during the registration and the user is not notified about with whom is the data share
Strava
Fully Public: Maps visible to ‘Everyone’ by default.
These setting have not changed since last time.
Privacy setting can be edited via Profile / Settings / Privacy Controls.
The settings are not shown during the registration and the user is not notified about with whom is the data shared
Easily tailored privacy settings?
All the apps had this functionality. Oddly it’s the one aspect that Strava does best in as there is the ability to set privacy zones to hide your home/work address.
Password strength
MapMyRun
Allowed password of ‘password’.
No requirement was set for the password.
This is the same password as used 5 years ago for the check.
Nike Run Club
Allowed password of ‘Password1’.
Requirement was to choose a password, min 8 characters long, containing at least 1 lowercase, uppercase and number character.
This is the same password as used 5 years ago for the check
Runkeeper
Allowed password of ‘password’.
Only requirement was to choose a password, which is at least 8 characters long.
This is the same password as used 5 years ago for the check.
Runtastic
The app set a disallow-list and it was not possible to set ‘Password1’ as the password, even though it met the requirements.
Requirement was to choose a password, min 8 characters long, containing at least 1 lowercase,
Strava
Allowed password of ‘password’.
No requirement was set for the password.
This is the same. There has been no significant change since the last review 5 years ago
Predictable session number (iterative/sequential)?
None of the apps had this issue
Can Google index your runs?
Most of the apps have fixed this issue, with Nike Run Club and Runtastic allowing only a photo to be found.
Strava still allows them to be public https://www.google.co.uk/search?q=site:www.strava.com/activities/
EXIF data on uploaded images?
No apps leaked sensitive information in images, although Nike Club Run and Runtastic are the only ones to prevent images being viewed unauthenticated.
Live tracking capability?
MapMyRun
Only on the paid version. You have to manually enable live tracking and only friends can view it.
This did not change from 5 years ago
Nike Run Club
Application doesn’t currently support live tracking, just the ability to share a picture of the training.
This did not change from 5 years ago
Runkeeper
It is only possible with the paid version. Maps can only be viewed by Friends by default.
It was included in the free version before with the same settings.
Runtastic
By default, live tracking is not enabled and when the user enables it, the GPS status will be shown to Followers.
Last time live tracking was enabled by default.
Strava
Application doesn’t currently support live tracking.
This did not change from 5 years ago
Web application and mobile application settings
MapMyRun
The account cannot be deleted in the mobile application; however, it is possible to delete it in the web application.
The application does not ensure users have a password change option in the mobile application, just in the web application and through the forget password option.
The web application provides the same privacy options as the mobile app.
Nike Run Club
The account cannot be deleted in the mobile application; however, it is possible to delete it in the web application.
The application does not ensure users have a password change option in the mobile application, just in the web application and through the forget password option.
In the web application, the usage of the workout data is set by default, while there is no option to change this in the mobile app.
Runkeeper
The account cannot be deleted in the mobile application; however, it is possible to delete it in the web application.
The application does not ensure users have a password change option in the mobile application, just in the web application and through the forget password option.
There are more privacy options available on the website than in the mobile application.
Runtastic
The account cannot be deleted in the mobile application; however, it is possible to delete it in the web application.
The application does not ensure users have a password change option in the mobile application, just in the web application and through the forget password option
Strava
The account can be deleted in the mobile and in the web application as well.
The mobile application and the web application both provide an option to change password.
The web application provides the same privacy options as the mobile app.
Conclusion
Oversharing – It’s safe to say that users oversharing their data is good for the tracking app brands. Brand managers rejoice as more sharing creates more awareness. The fact that it leads to privacy and safety issues for their users appears to be broadly ignored.
Users appear unaware that they overshare data. That is the biggest concern we have. Routes, live tracking, photos, and full real names make it easy for someone unknown and untrusted to find you.
Also, when users share data about the equipment they’re using it makes them more attractive to burglars and thieves.
Even though privacy settings have generally improved, users seem uninformed about the effects of oversharing, and unaware of the privacy settings that are available.
5 years on and app developers are still neglecting to implement strong password policies. This is in the face of being told, regularly by the security community that this is unacceptable. Password stuffing attacks are the result of this failure. It’s the users who suffer directly, but reputational damage to the company often follows
Recommendations
Users
- Check if any of your accounts have been compromised.
- Create and use a complex password.
- Better still, do that with a password manger.
- Think about whether your username should be your real name.
- We all want to share our activities, but share only with trusted people
- Familiarise yourself with the privacy settings. Enable only what you want to share.
Developers
- Your work can have a positive impact on people’s safety and privacy.
- Make it hard for attackers to operate.
- Enforce strong passwords and recommend password managers
- Implement 2FA or MFA authentication at login.
- Don’t make session IDs that can be crawled and indexed by search engines.
- Give users the option to easily delete and setup accounts, in case they are compromised.
- Make password changing easy, and enforce strong passwords. This is always worth repeating.
Vendors
It’s not all about functionally, great UX, and ease of setup. Security and user data privacy need to be part of the mix.