Blog: Android
Who is tracking your run? Run and bike activity tracking app privacy issues investigated
Co-written with James Mace.
Plenty of security vulnerabilities have been found in fitness tracking devices, but we wanted to have a look at the mobile apps that are used for run and bike tracking. Strap your phone to your arm and go out for a run or bike or horse ride. The results were quite shocking.
We found that most of the popular apps we looked at paid scant regard to users security. Default settings encouraged users to over-share personal data. One app had a security flaw that allow private runs to be viewed in real time, so the victim could be tracked.
We looked at this because with these tracking we’re not talking about the risk to a device, or to personal information being harvested, or passwords being stolen. We’re talking about genuine risk to personal safety if that information got into the wrong hands.
Real-time stalking anyone?
Briefly, Nike+ was good. Strava was OK, MapMyRun and RunKeeper were below par and RunTastic had a scary security flaw (now fixed).
What’s at risk?
YOU ARE.
If it’s trivial for anyone to access app data via the website mothership, to target a person and identify exactly where they are (or are going to be) then we have a serious problem on our hands. Of course the availability of that information depends on how a user has configured their app, but as we know many people don’t change default settings. We also know that manufacturers often fail at flagging the importance of changing these settings, and sometimes they don’t provide them at all.
The apps use your phone’s GPS and accelerometers. The information provided is common across all tracking apps. Location, distance, speed, time and elevation are all logged.
Here’s one of us out for a run. During the run, one could watch the runner moving in real time:
In isolation this is fairly harmless information. Athletes have been monitoring this stuff for years, latterly with sports watches. The difference with today is that the information stayed in the watch, it wasn’t sent wirelessly or recorded automatically elsewhere as it is now.
Apps under scrutiny
Bearing all that in mind we thought a security review of the main apps was long overdue. We looked at some of the most popular iOS, Android, Windows Phone, and BlackBerry apps and compared their features and associated security risks. The chosen apps were:
- MapMyRun
- Nike+
- Runkeeper
- Runtastic
- Strava
We limited our investigations to the information sent to and from our phone apps as a regular user. We didn’t reverse engineer the apps or analyse anything server-side.
High level issues
The biggest and most worrying flaw we found was in Runtastic. We discovered that even with its privacy settings enabled and correctly configured it still allowed the tracking of users in real-time. Thankfully that has since been fixed.
MapMyRun, RunKeeper and Runtastic are all guilty of not explicitly encouraging users to protect their data by configuring privacy settings. Yes, the settings are available, but they are not properly signposted, nor are they enabled by default.
Strava was a better – whilst their default settings led to over-sharing, they emailed the user the following day with privacy advice.
The only app to run with default privacy settings enabled was Nike+. This means that if you have MapMyRun, RunKeeper, Runtastic or Strava the onus is on you to set it up. Not an ideal scenario by any means.
Let’s look at the apps…
With each of the five apps we reviewed these eight criteria:
1. Default privacy settings
How is user data protected by the app by default once downloaded. Is your data and/or activity open to others, or does the vendor make it private as standard?
2. Easily tailored privacy settings?
Is it easy and obvious to change the defaults and make your data more secure, or is it buried in layers of configuration.
3. Is your data transmitted securely (SSL)
Is the data sent between the app and website encrypted?
4. Password strength
Does the app make you set a strong password, or is a password of ‘password’ possible? If weak passwords are allowed, it’s almost as bad as publishing everything about you on the public internet!
5. Predictable Session number (iterative/sequential)?
This looks at the website URLs to see if your activity sessions share similar numbers e.g.
run #1 has website.com/session/123,
run #2 has website.com/session/124,
run #3 has website.com/session/125 etc.
…using sequential sessions isn’t a great idea, as it makes guessing URLs incredibly easy.
6. Can Google Index your runs?
Are the website’s session URLs left open to search engine spiders, making them easier to find? This makes your personal data easier to find on the public internet.
7. EXIF data on uploaded images?
People upload photos of themselves and their runs. EXIF data in images gives unique identifying factors, sometimes including the GPS coordinates where they were taken and more.
8. Live Tracking Capability?
With nothing more than a little knowledge of the app, can the victim/user be followed in real-time?
Findings
Default privacy settings comments | MapMyRun
Fully Public: Maps are visible to everyone by default. Can edit privacy settings via a tiny drop down box on activity feed. No messages/prompts to raise user awareness to risks surrounding sharing personal data. |
Nike+
Private: Maps only visible to ‘friends’ by default. Link to privacy policy on main sign-up (in the small text at the bottom) form but no personal data awareness given. No messages/prompts to raise user awareness to risks surrounding sharing personal data. |
Runkeeper
Private: Maps only visible to ‘friends’ by default. Though defaults to sharing to social platforms including Facebook and Twitter. When workout is complete, users have to use slider to indicate which platform they would like to share to. Link to privacy policy on main sign-up form but no personal data awareness given. No messages/prompts to raise user awareness to risks surrounding sharing personal data. |
Runtastic
Private: Maps only visible to ‘friends’ by default. Can see notes and pictures unauthenticated though. – See Live track for vulnerability. No messages/prompts to raise user awareness to risks surrounding sharing personal data. |
Strava
Fully Public: Maps visible to ‘everyone’ by default. Have to select checkbox to restrict sharing of workout to private only. Requires this user interaction. No messages/prompts to raise user awareness to risks surrounding sharing personal data. |
Easily tailored privacy settings? | MapMyRun
No |
Nike+
Yes |
Runkeeper
No |
Runtastic
No |
Strava
Yes – added extra with ability to set privacy zones to hide your home/work address |
Is your data transmitted securely (SSL) | MapMyRun
Yes |
Nike+
Yes |
Runkeeper
Yes |
Runtastic
Yes |
Strava
Yes |
Password strength | MapMyRun
Allowed password of ‘password’ |
Nike+
Allowed password of ‘Password1’ – states password requirements |
Runkeeper
Allowed password of ‘password’ |
Runtastic
Allowed password of ‘password’ |
Strava
Allowed password of ‘password’ |
Predictable Session number (iterative/sequential)? | MapMyRun
Yes |
Nike+
No |
Runkeeper
Yes |
Runtastic
Yes |
Strava
Yes |
Can Google Index your runs? | MapMyRun
Yes: Example |
Nike+
Yes – if workout is shared to social media platforms – requires user to select this – not default. |
Runkeeper
Yes – if map is made visible to everyone – requires user to select this. |
Runtastic
Yes: Example |
Strava
Yes: Example |
EXIF Data on uploaded images? | MapMyRun
No sensitive information leaked. |
Nike+
Image not directly uploaded to Nike+ website. Can be shared to social media – potential for tampering – can’t trust test. |
Runkeeper
No sensitive information leaked. |
Runtastic
No sensitive information leaked. |
Strava
No sensitive information leaked. |
Live Tracking Capability? | MapMyRun
Only on the paid version. You have to manually enable live tracking and only friends can view it. Can only see ‘local’ friends who are conducting live workouts through the mobile app. We tried a MTM attack on the app to see if we could extract a session identifier for the workout, but application implements SSL pinning and JB detection. |
Nike+
Application doesn’t currently support live tracking, just the ability to share routes afterwards etc. |
Runkeeper
Default permissions do not allow unauthenticated viewing of live maps. Have to be friends. |
Runtastic
Free version supported. Live tracking enabled by default. |
Strava
Application doesn’t currently support live tracking. It seems the session number is generated when a workout is finished/completed. No way to currently track during workout. |
Conclusion
App manufacturers want you to share your data with other users, that’s half the reason the app exists. It’s not surprising then that the apps tend to have very open permissions or they are buried away. What is surprising is that associated web pages are crawlable by search engine spiders. When a user completes their workout each session is tagged with an identifier, and in many cases we inferred this identifier to be predictable due to the use of a sequential/iterative system.
In our research we used Google to find users and their historic workout data, as well as live workout information, all conveniently plotted on an interactive map. We’re unsure if end users were aware that they were sharing their live location with the world. Given the fact most users appear to use a real name and profile pictures, you can see how easy it would be for an attacker to build a thorough profile and location of a target.
We also know that the apps do not force users to create complex passwords. If you want to add an extra layer of protection make sure you use a complex password even when the app does not require it. Use a long password and make sure you pad it using uppercase, numbers and non-alphanumeric characters as well.
Our concerns don’t end there though; the way people are using the apps is a personal safety issue. By browsing users and reading their message threads we found lots of examples of people looking for running buddies. No problem there, except that if these were dating websites people would be meeting first in a public place, not half way up a hill in the middle of nowhere.
Security flaw with Runtastic
When tracking a live run, privacy settings were not correctly applied to the activity. This meant that one could simply iterate through live sessions and track Runtastic users in real time. We tracked each other out on runs many times. It would be trivial to stalk a runner in real time.
We reported the security flaw to Runtastic privately in early 2015. The finding wasn’t acknowledged and we received a very generic response about privacy settings.
As the issue wasn’t fixed at the time, we decided not to publish, so as not to expose lone runners to stalking attacks.
The bug was quietly fixed in late 2015, though we were not notified and only realised when the technique no longer worked. Hence we have now published. We have logs, photographic and video evidence to prove it.
What should you do as a runner?
- Do you really need to share your workouts? If not, don’t.
- Don’t start tracking your workouts from your front door.
- Make sure you check your privacy settings, both on the app in question, but also on any social media you are using to share workouts.
- Don’t make your routine predictable, vary your times and routes.
- If you must share your workouts, ensure you only share with people you know and trust. Do not make this information public.
- Don’t share your workouts live. You don’t want to advertise your whereabouts.
- Try to avoid running alone where possible, but if unavoidable let someone you trust know your route and how long you expect to be.
What you should you do as an app manufacturer
- Enforce strong passwords
- Construct website URLs in such a way that they can’t be enumerated
- Set default privacy settings as “locked down”
- Clearly show your users how to unlock those settings
- Prevent search engine spidering of session pages with a simple robots.txt command
- Discuss personal safety in your messaging
- Promote the above as another set of reasons why your app is better than the others