Sports fitness apps, such as Strava, are gaining popularity year after year. They have also often become true social networks. You share very personal data there, and sometimes unknowingly also your home or work location as the starting point of your sports activities. The apps usually allow you to hide those locations, but researchers from the imec-DistriNet research group at KU Leuven discovered that in many cases that option gives a false sense of security. Strava has already invited the researchers to review their conclusions together.
The popular sports app Strava counted more than 100 million users in 195 countries by the end of May 2022. Runtastic by Adidas even has 182 million registered users. These are just two examples of the popularity of social networks around sports. Every day, millions of sports activities around the world are shared with friends and other app users, a virtual community of supporters. But the activities you share also tell a lot about yourself. Very often you can discover patterns in them: fixed places and times when you exercise, fixed routes, fixed points of departure and arrival. And the latter are also often places where you live or work.
A false sense of security
To avoid simply releasing that data, social networks such as Strava often work with endpoint privacy zones: they allow you to hide zones around privacy-sensitive locations, in a circle around that spot whose size you choose. But that approach creates a false sense of security, researchers from the imec-DistriNet group at KU Leuven showed.
"The overview of your protected activity still contains so much data on, for example, the distance traveled and route taken that in combination with a street map, it still reveals your point of departure or arrival," explains researcher Karel Dhondt of KU Leuven Ghent - Campus Rabot.
The researchers developed a so-called inference attack and applied it to anonymized activities shared on sports apps.
"For example, among the 1.4 million Strava activities we analyzed, we were able to uncover up to 85 percent of the hidden locations anyway, purely on the basis of the additional data that was publicly revealed," says researcher Victor Le Pochat of the imec-DistriNet research group.
Many users do realize the risk of sharing activities on these apps. For example, in the past there were reports of how military personnel unknowingly revealed the location of secret military locations by sharing their running laps. Or reports of athletes whose expensive bikes were stolen after thieves lurked on Strava. But so too, the new options for protecting your location data are not foolproof.
The researchers have delivered their findings to the respective platforms, and will soon sit down with Strava to discuss their suggestions for improvements. The apps could better hide the info about the distance you cover within the hidden zone from outsiders, or even omit it altogether. Although the latter intervention would have a severe impact on users since the activity would no longer be fully recorded. They could also vary the shape and size of the zones that are hidden (now mostly circles) more.
"Also as a user, you can better protect your privacy on sports apps. Setting a privacy zone is still a good idea anyway, but make the zone around places you want to keep hidden large enough. Often the minimum is 200 meters, but you can increase the zone to more than a kilometer. The bigger the better," emphasizes researcher Karel Dhondt. In addition, varying your starting arrival spot more is also an effective strategy.
The researchers also built an online application, which they christened Priva , that uses their insights to better secure your sports activities. There, you choose a location you want to secure and the application chooses for you the best size of area to be made invisible.