
Researchers at North Carolina State University in Raleigh have discovered a privacy risk in the Strava app's heatmap feature that could lead to identifying users' home addresses.

Strava is a popular running companion and fitness-tracking application with over 100 million users worldwide, helping people track their heart rate, activity details, GPS location, and more.

In 2018, Strava implemented a feature called "heatmap" that anonymously aggregates users' (runners, cyclists, hikers) activity to help users find trails or exercise hotspots, meet like-minded individuals, and perform their sessions in more crowded and safer locations.

However, as the researchers found, this feature opens up the possibility for tracking and de-anonymizing users using publicly available heatmap data combined with specific user metadata.

Locating homes of athletes

The first step taken by the researchers was to collect data publicly available through Strava heatmap over a month for the states of Arkansas, Ohio, and North Carolina.

Next, they used image analysis to detect start/stop areas next to streets, indicating that a specific home is linked to a source of tracked activity.

Activity heat nearby a house (anupamdas.org)

Having selected heatmap screenshots that matched the criteria, the team overlaid OpenStreetMap images at zoom levels that helped identify individual residence addresses.

Overlaying home locations (anupamdas.org)

The next step was to crawl user profiles, leveraging a poorly documented search feature on Strava to locate users who have registered a specific city as their location.

By comparing the endpoints from the heatmap and a user's personal data from the search function, the researchers could correlate the high activity points on the heatmap and the users' home addresses.

The public Strava profiles contain activity data with time stamps and distances, making it easier to identify potential routes that match the patterns in the heatmap data, narrowing down people and area matches.

Attack logic and data overview (anupamdas.org)

As many Strava users register with their real names and even upload profile pictures of themselves, correlating identities with home locations is possible.

For their research, the scientists correlated their findings with voter registration data and found their predictions were roughly 37.5% accurate.

"A more active user produces more heat on the Strava heatmap and therefore is more easily identified. Figure 7 demonstrates the likelihood of a match based on the number of activities posted," explain the researchers.

"For the remainder of the analysis, we will be assuming the target of the attack posts an average number activities, which for our data set is 308 activities."

"With the 100 meter threshold, and the victim posting 308 activities, the likelihood of being able to be discovered is 37.5%."

The more activities a user registers, the better the chances of the attack (anupamdas.org)

Enhancing Strava's privacy

The first passive mitigation is to live in a densely populated area that receives massive amounts of Strava heatmap data, making person-specific tracking nearly impossible.

Another way to mitigate this privacy problem would be to start tracking only after you've left your home, or for Strava to exclude from the heatmap an area of a few meters around home locations as marked in OpenStreetMap.

The researchers also propose that the heatmap should support an option for users to set privacy zones around their homes or other locations.
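The privacy-zone idea above can be sketched as a filter applied to a GPS track before it is shared or aggregated. This is an added example, not code from Strava or from the researchers; the function names, the 200-meter radius, and the sample coordinates are assumptions constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

def haversine_m(a, b):
    """Great-circle distance in meters between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def apply_privacy_zones(track, zones):
    """Drop every point that falls inside any zone and return the visible segments.

    track: list of (lat, lon); zones: list of ((lat, lon), radius_m).
    Segments are kept separate so a renderer never draws a line across a
    hidden area, and points are dropped mid-activity too, not only at the
    start and end, because a route can pass the home again during a loop.
    """
    segments, current = [], []
    for point in track:
        hidden = any(haversine_m(point, centre) <= radius
                     for centre, radius in zones)
        if hidden:
            if current:            # close the segment at the zone boundary
                segments.append(current)
                current = []
        else:
            current.append(point)
    if current:
        segments.append(current)
    return segments

# Constructed sample: a run that starts at "home", heads north, passes close
# to home again mid-run, and finishes at home. Offsets are in 0.0001 degrees
# of latitude (about 11 m each).
HOME = (35.0000, -79.0000)          # constructed coordinates, not a real address
OFFSETS = [0, 5, 10, 15, 20, 30, 40, 20, 10, 20, 30, 15, 0]
SAMPLE_TRACK = [(HOME[0] + k * 0.0001, HOME[1]) for k in OFFSETS]
ZONES = [(HOME, 200.0)]             # assumed 200 m privacy zone

if __name__ == "__main__":
    for seg in apply_privacy_zones(SAMPLE_TRACK, ZONES):
        print(len(seg), "visible points, nearest to home:",
              round(min(haversine_m(p, HOME) for p in seg)), "m")
```
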

The heatmap feature is active by default on all Strava apps, but users can opt out through settings.

Regarding profile settings, those worried about privacy should keep their user profiles on the Strava app private, which would not expose names and activity data.

BleepingComputer has contacted Strava requesting a comment on the paper's findings and whether the software vendor has any plans to fix the issue, but we had not received a response by publication time.


Update 6/14 - Strava has responded to our request for a comment with the following statement:

The safety and privacy of our community is our highest priority. We've long had a suite of privacy controls (including Map Visibility Controls) that give users control over what they share and who it’s shared with.

Strava does not track users or share data without their permission. When users share their aggregated, de-identified data with the Heatmap and Strava Metro, they contribute to a one-of-a-kind data set that helps urban planners as they develop better infrastructure for people on foot and bikes, and makes it easy to plan routes with the knowledge of the community.

The Global Heatmap displays aggregated data from a subset of Strava activities and will not show ‘heat’ unless multiple people have completed an activity in a given area. Any Strava user who does not wish to contribute to the Heatmap can toggle off the Aggregated Data Usage control to exclude all activities or default their Activity Visibility to be only to themselves (`Only You`) for any given activity. 

We are consistently strengthening privacy tools and offering more feature education to give users control over their experience on Strava. This includes simplifying our Privacy Policy with our Privacy Label at the top. 
