Do Popular Fitness Apps Used by Service Members Risk U.S. Security?
By Betsy Hnath
A recent Washington Post article highlighted concerns regarding the vulnerability of U.S. military personnel due to fitness tracking apps.
According to reports, by posting a "heat map" online, the fitness-tracking company Strava detailed the location activities of users, inadvertently including U.S. military bases in areas like Afghanistan and Iraq.
Though experts have been vocal in their warnings, the Post report brings tracking app privacy concerns back to the forefront.
Old Dominion University's Michael Wu, director for the Center for Cybersecurity Education and Research, says he isn't surprised that the military is concerned that sensitive information might be relayed by fitness-tracking apps.
"The fitness apps usually use GPS and motion sensor data to track users," said Wu. "If the phone or app is compromised, the attacker is able to know the user's daily routine activities -- where s/he is, what s/he does, etc. This leads to privacy concerns and is obviously dangerous for military personnel."
Fitness-tracking devices or apps monitor when a device is in motion or still, creating a trail of activity, or a map.
Only those using the Strava app, a "social network for athletes," transmitted information. Strava made the maps, along with other personal data, widely available within its network as a way to encourage users to connect with one another.
Military officials say they are reviewing guidelines for what apps will be allowed on bases.
Though many Strava customers were surprised at the level of information available to such a wide audience, Wu says this is nothing new.
"Extensive studies have been reported recently to show possible attacks by exploiting sensors on smartphones and wearable devices," he said.
So should people stop using fitness tracking apps altogether? Not necessarily.
"For most people, as long as we follow basic security principles to keep our phone secure and use only trusted fitness apps, it is fine to continue using them," he said. "There is no perfectly secure system; neither is there a 'silver bullet' that can mitigate every possible attack. But if the information is not extremely valuable and the defense is strong enough, the attackers would lose incentive and motivation to attack it. On the other hand, attacks to sensitive military and government agencies are not based on economic incentives. As such, policies should be carefully reviewed to protect the security and safety of the individuals and organizations."