Poor privacy controls in fitness app Polar Flow allowed third parties to view names, home addresses, and GPS locations of users by checking their workout history and jogging routes. The flaw allowed researchers to view such details of thousands of military and intelligence personnel from various nations, as well as the locations of military bases.
Research by investigators from De Correspondent and Bellingcat recently revealed how poor privacy controls implemented by Polar in its fitness app Flow allowed app users to view the names, home addresses, GPS locations, and jogging routes of other users.
Fitness data of military personnel could be viewed by anyone
While testing the privacy controls of the Polar Flow app, the researchers were able to obtain details and locations of 6,460 individuals across 69 different nationalities, many of them military and intelligence personnel employed by the likes of GCHQ, MI6, the Dutch Ministry of Defense, NSA, Secret Service, the Russian GRU, and the MIVD in the Netherlands.
“We found the names and addresses of personnel at military bases including Guantánamo Bay in Cuba, Erbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea. We also learned the names and addresses of personnel at nuclear storage facilities, maximum security prisons, military airports where nuclear weapons are stored, and drone bases,” the investigators said.
The investigators could access such details because any user of the Polar Flow app can open an online map that displays the locations and routes of every run, bike ride, and swim logged by users since 2014. No hacking was required: installing the app and viewing the online map was enough.
Considering that 90 percent of Polar Flow users listed a name and city on their profile page, it was incredibly easy for the investigators to gather information and aggregate results to pinpoint the location of homes as well as military bases of frequent users.
Not only were the investigators able to uncover real identities of users who used private profiles by exploiting a flaw in the app, they were also able to request and view “every activity across the entire world for those 6,460 users”. While there is no evidence of the poor privacy controls being exploited by malicious actors, it is possible that terrorist groups could have targeted military personnel and their bases had they stumbled upon the fitness app.
Polar suspends API that leaked sensitive details
After being alerted to the breach by the investigators, Polar announced in a statement that there was no breach of private data as a result of existing privacy controls.
“Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case. While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API.
“We are analyzing the best options that will allow Polar customers to continue using the Explore feature while taking additional measures to remind customers to avoid publicly sharing GPS files of sensitive locations.
“The Explore feature is used by thousands of athletes daily all over the world to share and celebrate amazing training sessions. We apologize for the inconvenience that the suspension of the Explore API will cause, however our goal is to raise the level of privacy protection and to heighten the awareness of good personal practices when it comes to sharing GPS location data,” the company added.
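As an added illustration (not Polar's code), the platform-side control that the statement above leaves to the customer: a privacy-zone filter that strips every route point within a chosen radius of a sensitive location before an activity reaches a public map, and withholds the activity entirely when too little of it remains. The home zone, the run and the 500 m radius are constructed sample values.

```python
import math
from typing import List, Tuple

Point = Tuple[float, float]        # (latitude, longitude) in decimal degrees
Zone = Tuple[float, float, float]  # (latitude, longitude, radius in metres)

EARTH_RADIUS_M = 6_371_000.0
MIN_PUBLIC_POINTS = 2              # a redacted route shorter than this is withheld

def haversine_m(a: Point, b: Point) -> float:
    """Great-circle distance in metres between two lat/lon points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def inside_any_zone(p: Point, zones: List[Zone]) -> bool:
    return any(haversine_m(p, (lat, lon)) <= radius for lat, lon, radius in zones)

def redact_route(route: List[Point], zones: List[Zone]) -> List[Point]:
    """Drop every point that falls inside a privacy zone, not only the first and
    last few: a run that loops through a base and back out would otherwise still
    trace the base even though its start and end were trimmed."""
    return [p for p in route if not inside_any_zone(p, zones)]

def publishable_route(route: List[Point], zones: List[Zone]) -> List[Point]:
    """What the public map is allowed to show. Returns an empty list when the
    redacted route is too short to be meaningful, so an activity that takes place
    entirely inside a sensitive area never appears on the map at all."""
    redacted = redact_route(route, zones)
    return redacted if len(redacted) >= MIN_PUBLIC_POINTS else []

# Constructed sample data (not a real user or place): a 500 m privacy zone
# around a fictitious home, and a run that starts there and heads east.
HOME_ZONE: Zone = (52.0900, 5.1200, 500.0)
# At this latitude each 0.0025 degrees of longitude is roughly 171 m.
RUN: List[Point] = [(52.0900, 5.1200 + k * 0.0025) for k in range(9)]

if __name__ == "__main__":
    public = publishable_route(RUN, [HOME_ZONE])
    print(f"{len(RUN)} recorded points, {len(public)} published; first public "
          f"point is {haversine_m(RUN[0], public[0]):.0f} m from the zone centre")
```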
This isn’t the first time that poor privacy controls in a fitness app have exposed names, identities, and locations of military personnel to third parties. In January this year, GPS data of users’ activities stored by mobile fitness app Strava was found to contain detailed locations of the UK’s most secretive military bases, including Sandhurst academy and GCHQ.
GPS locations and jogging routes of Strava app users, if not marked private, could be accessed by anyone, including enemy states and those intent on gathering information on military activities. According to BT, potentially sensitive locations in the UK which were exposed by the app’s heat map included ‘the Sandhurst military academy, GCHQ and HMNB Clyde, where the navy stored its nuclear weapons’.