Photo Showing Strava App on Phone and Sports Watch
© Danny Bakker/Shutterstock.com
No AI-generated content: this article is written and researched by humans
Table of contents

The heatmap on the popular fitness app Strava can expose users’ home addresses, according to researchers at North Carolina State University.

In a study presented at the 7th Workshop on Technology and Consumer Protection (ConPro), researchers demonstrated how cyberstalkers and other parties can use publicly available heatmap data and Strava’s search functionality to identify a user’s home address.

Users who frequently upload their activities to Strava are at a greater risk. “With the 100 meter threshold and the victim posting 308 activities, the likelihood of being able to be discovered is 37.5%,” the researchers said.

“The ability to identify the home address of Strava users is a violation of user privacy. It demonstrates that seemingly anonymous data is not truly private and can leak information about users,” the researchers explained.

Strava added a heatmap to its app in 2018. Although this feature is on by default, users can deactivate it in the app’s settings.

Strava’s Heatmap Feature

Strava’s heatmap is based on GPS data collected over time. It highlights users’ routes with yellow or white lines. While it allows Strava users to find popular routes, it can also allow an attacker “narrow down the search space significantly” and find a target’s home.

To demonstrate how this data can expose users’ home addresses, the researchers collected heatmap data for Strava users in North Carolina, Arkansas, and Ohio. They analyzed the images to find the potential start and stop points. Then, they compared the heatmap to actual maps to find the start and stop points that correspond with houses.

Since Strava’s search feature gives users access to the names, photos, home cities, and the activities of other users, attackers can easily verify if they’ve found their target.

“In areas with many highly active Strava users, the Strava heatmap data is difficult to tie to a specific user due to the fact that potentially hundreds of athletes are contributing to the heat in that area,” the researchers noted.

However, by comparing the heat patterns in remote areas or by using other online sources to cross-reference the data, an attacker could identify the home address of a highly active user in a rural location.

Meanwhile, in an email to VPNOverview, Strava emphasized its commitment to the safety and privacy of its users.

“Strava does not track users or share data without their permission. When users share their aggregated, de-identified data with the Heatmap and Strava Metro, they contribute to a one-of-a-kind data set that helps urban planners as they develop better infrastructure for people on foot and bikes, and makes it easy to plan routes with the knowledge of the community,” Strava said.

Protecting Your Privacy on Strava and Other Fitness Apps

If you’re in a highly populous city with many Strava users, you may not be at risk. Nonetheless, we recommend that all Strava users start and stop tracking away from their houses. For more tips, read our article about how to optimize the privacy settings of fitness apps.

Strava noted that users have complete control over their data.

“Any Strava user who does not wish to contribute to the Heatmap can toggle off the Aggregated Data Usage control to exclude all activities or default their Activity Visibility to be only to themselves (‘Only You’) for any given activity,” Strava said. “We are consistently strengthening privacy tools and offering more feature education to give users control over their experience on Strava.”

Meanwhile, the researchers recommend that Strava creates a “small exclusion area” between users’ houses and nearby streets. They also suggested that Strava extends its hidden zone feature to heatmaps to hide users’ start and stop points.

“Given the privacy risks that we discovered, it’s crucial that companies like Strava should integrate privacy-preserving techniques in their development process,” the researchers said. They’ve given Strava 90 days to respond and implement the necessary changes to address these concerns and protect the privacy of its users.

Leave a comment