A loophole in the popular fitness app Strava may be revealing your home address to strangers.
Researchers at North Carolina State University used data that’s supposed to be anonymous to find specific Strava users’ homes and running routes.
“31.7% of Strava users are active enough to have the heat map show their home address,” says Kevin Childs, who studied cybersecurity at NC State.
Childs was motivated to start digging into the app’s privacy after a friend had a stalking incident.
“Immediately, my mind went to ‘she uses Strava,’” Childs explained about the incident.
Strava’s default settings plot a user’s historical GPS data anonymously on a heatmap. That data is intended to help Strava’s 100 million users find popular running, cycling and swimming areas. Childs says his research found a loophole.
“We found that with specific people that are active, you can see that their home is producing a lot of activities, and in remote areas that’s ripe for an attack,” Childs warned.
“It’s really shocking to hear that,” said Riley Williams about Childs’ research.
Williams says she used Strava briefly. She’s always concerned about safety while running but didn’t realize how much she may have been sharing.
“You just have it on in your head all the time; I’m alone, what do I have on me, what is my phone doing apparently,” Williams said.
5 On Your Side asked Strava about this report and they sent the following statement:
“The safety and privacy of our community is our highest priority. We’ve long had a suite of privacy controls (including Map Visibility Controls) that give users control over what they share and who it’s shared with.
Strava does not track users or share data without their permission. When users share their aggregated, de-identified data with the Heatmap and Strava Metro, they contribute to a one-of-a-kind data set that helps urban planners as they develop better infrastructure for people on foot and bikes, and makes it easy to plan routes with the knowledge of the community.
The Global Heatmap displays aggregated data from a subset of Strava activities and will not show ‘heat’ unless multiple people have completed an activity in a given area. Any Strava user who does not wish to contribute to the Heatmap can toggle off the Aggregated Data Usage control to exclude all activities or default their Activity Visibility to be only to themselves (`Only You`) for any given activity.”
There have been concerns about Strava and privacy in the past. In 2018, Strava users in active war zones were painting detailed pictures of US bases in Afghanistan and Syria. That led to an investigation by the Pentagon.
In early June, a Tennessee woman was indicted for hiring a hitman to kill another woman. The suspect allegedly used Strava to track the victim’s movements.
“You’re not only sharing where you’re going, how fast you’re going, but exactly what time. You’re starting to give your habits and even certain medical data such as your heart rate,” Childs warned.
You can choose not to contribute any data to the heat map by turning off the “Aggregated Data Usage” option in the app’s privacy controls.
Strava says data on the heat map is not live.