A recent study conducted by researchers at North Carolina State University Raleigh has uncovered a privacy vulnerability within Strava's heatmap feature, potentially exposing users' residential addresses.
Strava, a widely used fitness-tracking app boasting a user base of over 100 million worldwide, serves as a trusted companion for individuals monitoring their heart rate, activity specifics, GPS coordinates, and other fitness-related metrics.
Strava introduced a functionality known as the "heatmap" in 2018, which collects and consolidates activity data from its user community comprising runners, cyclists, and hikers. This feature serves multiple purposes, including aiding users in locating trails, identifying popular exercise hubs, connecting with similar enthusiasts, and facilitating safer and more populated workout sessions. The heatmap feature leverages anonymous data aggregation to offer these benefits to Strava's user base.
The researcher’s findings reveal that this functionality presents a potential avenue for tracking and de-anonymising users by leveraging publicly accessible heatmap data in conjunction with specific user metadata.
Using data to locate the homes of athletes
To get the research underway, the first step involved gathering publicly accessible data from the Strava heatmap for one month. Arkansas, Ohio, and North Carolina were the states that they first targeted.
They then used image analysis to detect any start/stop areas that would indicate a specific home linked to a source of tracked activity.
Once the heatmap screenshots were gathered and matching the criteria the researchers were looking for, they overlaid OpenStreetMaps images at zoom levels that helped identify individual residential addresses.
The researchers proceeded to conduct user crawling by utilising a poorly documented search function within Strava. This process aimed to identify users who had registered a particular city as their location.
Through a comparative analysis of the endpoints derived from the heatmap and the personal data obtained via the search function, the researchers were able to establish a connection between the prominent activity points on the heatmap and the home addresses of users.
The public profiles on Strava encompass comprehensive activity information, including timestamps and distances. This wealth of data facilitated the identification of potential routes that aligned with the patterns observed in the heatmap data, leading to a more precise identification of individuals and corresponding geographic areas.
Given that numerous Strava users opt to register using their actual names and even upload personal profile pictures, it’s not impossible to establish connections between identities and home locations.
In their investigation, the researchers cross-referenced their findings with voter registration data and determined that their predictions achieved an accuracy rate of approximately 37.5%.
The researchers clarify, "A user who is more active on Strava generates a greater amount of heat on the heatmap, thereby making their identification more straightforward. Figure 7 illustrates the probability of a successful match based on the quantity of posted activities."
"For the subsequent analysis, we will presume that the targeted individual posts an average number of activities, which in our dataset amounts to 308 activities."
"With the adoption of a 100-meter threshold and considering the victim's posting of 308 activities, the probability of being exposed stands at 37.5%."
Improving Strava's policy for enhanced user protection
The initial measure to mitigate this issue involves residing in densely populated areas that receive substantial Strava heatmap data, thereby rendering person-specific tracking almost impractical.
Another approach to address this privacy concern would be to commence tracking activities only after leaving one's home or for Strava to introduce an exclusion zone in the heatmap, encompassing a few meters around residential locations as indicated in OpenStreetMaps.
Additionally, the researchers suggest that the heatmap feature should incorporate an option enabling users to define privacy zones around their homes or other selected areas.
Although the heatmap feature is enabled by default across all Strava applications, users have the choice to opt out through the settings.
Concerning profile settings, individuals concerned about privacy can ensure their user profiles on the Strava app remain private, preventing the exposure of names and activity data.
To sum up
The findings presented in this scenario shed light on the critical importance of security when using online applications. The research on Strava's heatmap feature serves as a reminder that seemingly innocuous features can inadvertently expose users to privacy risks. The ability to track and de-anonymise individuals based on publicly available data emphasizes the need for robust security measures to safeguard personal information.
As users, it is essential to be mindful of the potential risks and take proactive steps to protect our privacy, such as utilising privacy settings, opting out of data sharing features, and being cautious about the information we share online. This study highlights the responsibility of app developers to prioritise user privacy and implement comprehensive security mechanisms. By prioritising security in online apps, we can ensure a safer and more secure digital landscape for everyone.
