Cybercriminals can track the locations and routes of Strava users. The sports app claims to protect user privacy, but its measures were caught lacking.

Strava has tens of millions of users in 195 countries. The sports app allows users to share sports activities, locations and routes. Strava provides users with an ‘endpoint privacy zone’ setting to shield routes and locations from the outside world. Despite the privacy measure, researchers at KU Leuven managed to track users’ locations and routes at scale.

The problem

Sports apps like Strava, Adidas Runtastic and Garmin Connect are privacy-sensitive. Users share walking routes, running locations and bike rides while being unaware of the picture the data paints. In April 2018, Strava made headlines after researchers used the app to track the locations of US soldiers in Syria. Military personnel unknowingly revealed classified positions by sharing running routes.

Strava features a privacy setting to combat the problem. In its own words, endpoint privacy zones allow users to shield routes and activities from the outside world. In reality, users’ locations and routes remain traceable.

Although endpoint privacy zones hide the literal route and location of a sports activity, other data remains public, including the total distance travelled and the points at which a user's track enters and leaves a zone. By correlating such data, researchers at KU Leuven managed to uncover routes and locations. The team examined 1.4 million hidden Strava activities and traced user locations and routes in 85 percent of all cases.
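To make the leakage concrete from a user's point of view, here is an added example (written for this page, not code from KU Leuven or Strava) that quantifies how much of a zone is still "in play" for an observer. It assumes a simplified model: the zone is a disc of radius R around a hidden centre, the public track stops at an entry point on the disc boundary, and the public total distance minus the visible distance gives the hidden segment length d. The hidden endpoint must then lie within d of the entry point and within R of the centre, so the candidate region is the intersection of two discs; the function names, the Monte Carlo cross-check and the sample radii are all constructed here.

```python
"""Estimate what an endpoint privacy zone still reveals about a hidden endpoint.

Simplified model (an assumption of this example, not Strava's documented design):
  - the zone is a disc of radius R metres around a hidden centre C;
  - the public part of a track ends at an entry point E on the boundary (|E - C| == R);
  - the public total distance minus the visible distance is the hidden length d.
Any candidate endpoint P satisfies |P - E| <= d and |P - C| <= R, i.e. it lies in
the intersection (a lens) of the disc of radius d around E and the zone disc.
"""
import math
import random


def lens_area(d: float, R: float) -> float:
    """Area (m^2) of the region in which the hidden endpoint can lie."""
    if d <= 0:
        return 0.0
    if d >= 2 * R:
        # The hidden segment is long enough to reach any point of the zone.
        return math.pi * R * R
    D = R            # distance between the two disc centres (E sits on the boundary)
    r1, r2 = d, R    # standard two-circle intersection formula
    a = r1 * r1 * math.acos((D * D + r1 * r1 - r2 * r2) / (2 * D * r1))
    b = r2 * r2 * math.acos((D * D + r2 * r2 - r1 * r1) / (2 * D * r2))
    c = 0.5 * math.sqrt((-D + r1 + r2) * (D + r1 - r2) * (D - r1 + r2) * (D + r1 + r2))
    return a + b - c


def lens_area_mc(d: float, R: float, samples: int = 200_000, seed: int = 1) -> float:
    """Monte Carlo cross-check of lens_area: sample the zone's bounding square."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        x = rng.uniform(-R, R)
        y = rng.uniform(-R, R)
        inside_zone = x * x + y * y <= R * R
        reachable = (x - R) ** 2 + y * y <= d * d   # E is placed at (R, 0)
        if inside_zone and reachable:
            hits += 1
    return hits / samples * (2 * R) ** 2


def equivalent_radius(d: float, R: float) -> float:
    """Radius of a circle with the same area as the candidate region.

    A handy single number for "how precisely could an observer place me?"
    """
    return math.sqrt(lens_area(d, R) / math.pi)


def compare_zones(d_over_R: float, radii: list[float]) -> dict[float, float]:
    """Equivalent radius for several zone sizes, keeping the hidden length
    proportional to the zone radius (a user who always runs to the centre)."""
    return {R: equivalent_radius(d_over_R * R, R) for R in radii}


if __name__ == "__main__":
    # Constructed sample values: a 200 m minimum zone versus a 1 km zone.
    for R, eq in compare_zones(1.0, [200.0, 500.0, 1000.0]).items():
        print(f"zone radius {R:6.0f} m -> endpoint uncertainty ~ {eq:6.0f} m radius")
    print("closed form:", round(lens_area(150, 200)), "m^2;",
          "monte carlo:", round(lens_area_mc(150, 200)), "m^2")
```

Because the candidate area scales with the square of the zone radius when the hidden distance grows with the zone, a 1 km zone leaves an observer with roughly twenty-five times the area of a 200 m zone, which is the geometric reason behind the "bigger the better" advice; note that this single-activity view is a lower bound on the exposure, since the article's point is that many activities can be correlated.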

Strava gives a ‘false sense of security’

“Endpoint privacy zones give a false sense of security”, Karel Dhondt, one of the KU Leuven researchers, told Belgian media. “Users should be aware that their location data is never really private.”

“As a user, you can do more to protect your privacy on sports apps. Setting a privacy zone is still a good idea. It’s important to make the zone large enough. While 200 meters is typically the minimum, you can increase the zone to more than a kilometre. The bigger the better.”

KU Leuven’s researchers will travel to Los Angeles to meet with Strava’s developers in a few weeks. The organizations plan to sit down and discuss areas for improvement. Strava says it’s open to feedback.
