![]() Link to privacy policy on main sign-up (in the small text at the bottom) form but no personal data awareness given. Private: Maps only visible to ‘friends’ by default. No messages/prompts to raise user awareness to risks surrounding sharing personal data. With nothing more than a little knowledge of the app, can the victim/user be followed in real-time? Findings Default privacy settings commentsįully Public: Maps are visible to everyone by default.Ĭan edit privacy settings via a tiny drop down box on activity feed. EXIF data in images gives unique identifying factors, sometimes including the GPS coordinates where they were taken and more. People upload photos of themselves and their runs. …using sequential sessions isn’t a great idea, as it makes guessing URLs incredibly easy.Īre the website’s session URLs left open to search engine spiders, making them easier to find? This makes your personal data easier to find on the public internet. This looks at the website URLs to see if your activity sessions share similar numbers e.g. ![]() Predictable Session number (iterative/sequential)? Is the data sent between the app and website encrypted?ĭoes the app make you set a strong password, or is a password of ‘password’ possible? If weak passwords are allowed, it’s almost as bad as publishing everything about you on the public internet!ĥ. Is it easy and obvious to change the defaults and make your data more secure, or is it buried in layers of configuration.ģ. Is your data and/or activity open to others, or does the vendor make it private as standard? How is user data protected by the app by default once downloaded. With each of the five apps we reviewed these eight criteria: ![]() This means that if you have MapMyRun, RunKeeper, Runtastic or Strava the onus is on you to set it up. The only app to run with default privacy settings enabled was Nike+. Strava was a better – whilst their default settings led to over-sharing, they emailed the user the following day with privacy advice. Yes, the settings are available, but they are not properly signposted, nor are they enabled by default. MapMyRun, RunKeeper and Runtastic are all guilty of not explicitly encouraging users to protect their data by configuring privacy settings. We discovered that even with its privacy settings enabled and correctly configured it still allowed the tracking of users in real-time. The biggest and most worrying flaw we found was in Runtastic. We didn’t reverse engineer the apps or analyse anything server-side. We limited our investigations to the information sent to and from our phone apps as a regular user. We looked at some of the most popular iOS, Android, Windows Phone, and BlackBerry apps and compared their features and associated security risks. The difference with today is that the information stayed in the watch, it wasn’t sent wirelessly or recorded automatically elsewhere as it is now.īearing all that in mind we thought a security review of the main apps was long overdue. Athletes have been monitoring this stuff for years, latterly with sports watches. In isolation this is fairly harmless information. During the run, one could watch the runner moving in real time: Location, distance, speed, time and elevation are all logged. ![]() The information provided is common across all tracking apps. The apps use your phone’s GPS and accelerometers. We also know that manufacturers often fail at flagging the importance of changing these settings, and sometimes they don’t provide them at all. Of course the availability of that information depends on how a user has configured their app, but as we know many people don’t change default settings. If it’s trivial for anyone to access app data via the website mothership, to target a person and identify exactly where they are (or are going to be) then we have a serious problem on our hands. ![]() Strava was OK, MapMyRun and RunKeeper were below par and RunTastic had a scary security flaw (now fixed). We’re talking about genuine risk to personal safety if that information got into the wrong hands.īriefly, Nike+ was good. We looked at this because with these tracking we’re not talking about the risk to a device, or to personal information being harvested, or passwords being stolen. One app had a security flaw that allow private runs to be viewed in real time, so the victim could be tracked. Default settings encouraged users to over-share personal data. We found that most of the popular apps we looked at paid scant regard to users security. Strap your phone to your arm and go out for a run or bike or horse ride. Plenty of security vulnerabilities have been found in fitness tracking devices, but we wanted to have a look at the mobile apps that are used for run and bike tracking. ![]()
0 Comments
Leave a Reply. |