Threat Report: Strava’s privacy zones have been revealing users’ hidden locations
In case you missed it in the news last week, online fitness tracker Strava was thrown into the spotlight after security concerns were raised over its global heat map revealing the exercise routes of military personnel.
Strava’s global heat map shows the paths its users record as they run or cycle. Because the app’s user base is denser in major cities, these areas are white hot against a mostly black backdrop. But upon closer examination, it was found that foreign military bases in remote areas also stand out as isolated “hotspots”.
The heatmap reportedly reveals the structure of foreign military bases by correlating the lit-up activity routes or “digital footprints” of individual users and the known bases of US military or intelligence operations.
But this wasn’t the first time Strava had been called out for revealing the sensitive locations of its users.
Striving to keep user data safe
For those unfamiliar with Strava, it provides an app that uses a mobile phone’s GPS to record a user’s exercise activity, including detailed activity maps and performance data, so they can share and compare with others.
With 27 million users around the world, Strava aims to be the social network for athletes. The premise is that sharing your exercise data with the whole community feeds into people’s desire to compete with others, which makes it so appealing for those serious athletes out there. Riders strive to become King or Queen of a Mountain and runners can use heat maps to seek out popular routes.
That urge to share and boast about your workout probably conflicts with your instinct to keep your personal data private. But Strava thought of this. Strava’s privacy zone is designed to hide the portion of your activity that starts or ends in a specific zone – presumably your home or office – from all other athletes.
The problem with Strava’s privacy zone
The biggest flaw in Strava’s privacy zone feature is the precision with which it cuts off activity information around a selected address.
If an activity on Strava is circular in nature and the return route comes from the opposite direction, it is relatively easy to deduce the mid-point between the two cut-off points and hence where the privacy zone is centered. If there are not two exactly opposite points, it’s possible to use a third point from a different activity and solve the equation of a circle passing through three points.
Here are two maps Wandera created using Strava on two different activities to give us the three endpoints needed to calculate the exact location of the address we selected to be surrounded by a 1/8 mile privacy zone.
Strava only offers five fixed radius options (1/8 mile, 1/4 mile, 3/8 mile, 1/2 mile and 5/8 mile) for its privacy zones. Using the ending points of an activity, it is possible to determine which radius option was selected by the user and then to trilaterate the exact location of the selected address.
Because Strava’s privacy zone is of equal size in each activity, it’s possible to represent this graphically by increasing the radius of circles around each activity end marker until three or more circles intersect.
In some cases, Strava’s privacy zone actually makes the determination of home addresses more accurate as it is more precise than the GPS and location services of a mobile device. For example, the same activity mapped below without Strava’s privacy zone enabled shows significant location drift.
Last year, one of our employees contacted Strava to bring this flaw to their attention. The employee even provided a detailed explanation of how he was able to pinpoint the exact location of his home by using just one recorded map that shows the entry points to his privacy zone. Strava commented that its privacy zones were working as intended and that users could opt out entirely if required.
The news of US military personnel not turning off the social aspects of Strava shows that many users are not taking this precaution.
Strava has gone as far as to introduce a feature to tag friends on activities who may not even be Strava users themselves. As of February 2018, Strava’s privacy zones have not changed and are not even enabled by default.
Location permissions as a wider issue
Strava isn’t the only service that has been unwittingly providing this kind of location data about its users. In 2014, security firm IncludeSec announced that Tinder had been revealing the exact location of its users with a similar method of trilateration. The dating app responded by taking steps to randomize the privacy circle around selected addresses.
In our responsible disclosure, we recommended that Strava’s privacy zone could benefit from a similar approach: randomizing the privacy zone rather than setting it at a fixed radius.
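The following simulation is an added example, not code from Wandera or Strava. It models the cut-off behaviour described above (three activity end markers that all lie on the circle of one fixed radius) and measures how precisely the hidden centre can be recovered by fitting a circle through the three points, then repeats the measurement for the mitigation recommended here, a zone cut at a randomized distance. The five fixed radius options are the ones quoted in this article; the randomized design (a cut-off drawn uniformly between the nominal radius and twice that radius) is an assumption for illustration, not a description of any product. Coordinates are local planar metres, and the home point and route headings are constructed sample values.

```python
"""Added example (not Wandera's or Strava's code): fixed-radius versus
randomized privacy zone, measured by how well a circle fitted through three
activity end markers recovers the protected address."""
import math
import random

MILE_M = 1609.344
# The five fixed radius options quoted in the article, converted to metres.
FIXED_RADII_M = [MILE_M * f for f in (1 / 8, 1 / 4, 3 / 8, 1 / 2, 5 / 8)]


def end_marker_fixed(home, heading_deg, radius_m):
    """Fixed-radius zone: the visible trace stops exactly on the circle of the
    chosen radius, so every end marker is a point on that circle."""
    a = math.radians(heading_deg)
    return (home[0] + radius_m * math.cos(a), home[1] + radius_m * math.sin(a))


def end_marker_randomized(home, heading_deg, radius_m, rng):
    """Randomized zone (assumed design, not Strava's): each activity is cut at
    a distance drawn between the nominal radius and twice that radius."""
    return end_marker_fixed(home, heading_deg, rng.uniform(radius_m, 2 * radius_m))


def circumcircle(p1, p2, p3):
    """Centre and radius of the circle through three non-collinear points;
    None when the points are (nearly) collinear and no circle is defined."""
    ax, ay = p1
    bx, by = p2
    cx, cy = p3
    d = 2 * (ax * (by - cy) + bx * (cy - ay) + cx * (ay - by))
    if abs(d) < 1e-9:
        return None
    a2, b2, c2 = ax * ax + ay * ay, bx * bx + by * by, cx * cx + cy * cy
    ux = (a2 * (by - cy) + b2 * (cy - ay) + c2 * (ay - by)) / d
    uy = (a2 * (cx - bx) + b2 * (ax - cx) + c2 * (bx - ax)) / d
    return (ux, uy), math.dist((ux, uy), p1)


def recovery_error_m(home, endpoints):
    """Distance between the true centre and the fitted circle's centre;
    infinity when the three markers define no circle."""
    fit = circumcircle(*endpoints)
    return math.inf if fit is None else math.dist(home, fit[0])


def matches_fixed_option(endpoints, tolerance_m=5.0):
    """Design check: does the fitted radius land on one of the fixed options?
    A match means the zone confirms its own geometry; a randomized zone
    should return None."""
    fit = circumcircle(*endpoints)
    if fit is None:
        return None
    for option in FIXED_RADII_M:
        if abs(fit[1] - option) <= tolerance_m:
            return option
    return None


def simulate(seed=1):
    """Run both designs on the same three routes and report the results."""
    home = (0.0, 0.0)                # constructed: the address to protect
    headings = (30.0, 150.0, 270.0)  # constructed: three routes leaving home
    radius = FIXED_RADII_M[0]        # 1/8 mile, the zone size used above
    fixed = [end_marker_fixed(home, h, radius) for h in headings]
    rng = random.Random(seed)
    randomized = [end_marker_randomized(home, h, radius, rng) for h in headings]
    return {
        "fixed_error_m": recovery_error_m(home, fixed),
        "fixed_matches_option": matches_fixed_option(fixed),
        "randomized_error_m": recovery_error_m(home, randomized),
        "randomized_matches_option": matches_fixed_option(randomized),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Running the file prints the four results. With the fixed design the fitted centre coincides with the home point to floating-point precision and the fitted radius lands exactly on the 1/8 mile option, which is the self-confirming behaviour the article describes. With the randomized cut-off the same three routes yield a fitted centre roughly 100 m from the home point for this seed, and the fitted radius matches none of the options, which is the measurable benefit the recommendation above aims at. The check is deliberately per-triple: it quantifies what one set of three activities gives away under each design.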