New strife for Strava: Location privacy feature can be made transparent

Circles within circles make it easy to find the midpoint

By Richard Chirgwin


Analysis by mobile device management outfit Wandera has suggested that newly notorious exercise-tracking app Strava's “location privacy” feature isn't very good at hiding users' homes.

Wandera's analysis comes after Strava released a "heat map" that was found to offer clues to the location of military bases. Such data was captured because Strava's privacy zone feature is off by default. When it's on, the feature creates a virtual bubble around a chosen location, and the parts of users' activities that fall inside that bubble are hidden from other users.

But as Wandera's Liarna La Porta wrote, the privacy zone might not be enough: “If an activity on Strava is circular in nature and the return route is from the opposite direction, it is relatively easy to deduce the mid-point and where the privacy zone is centred on. If there are not two exact opposite points, it’s possible to use a third point from a different activity and solve the equation of a circle passing through 3 points.”
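The geometry La Porta describes is easy to carry through. The following is an added worked example, not code from the article, Wandera or Strava: it assumes a hypothetical home at a made-up lat/lon with a 500 m zone, simulates the points where public tracks first become visible at the zone's edge, and then recovers the zone centre two ways: as the midpoint of two opposite crossings (an out-and-back ride) and as the circumcentre of three crossings from different activities. Distances use a simple local flat projection, which is accurate enough at this scale.

```python
import math

EARTH_RADIUS_M = 6371000.0

# Constructed sample data: a hypothetical home at this lat/lon, protected by a
# 500 m privacy zone. Nothing here is real user data.
HOME = (51.5000, -0.1200)
RADIUS_M = 500.0


def to_local_xy(lat, lon, ref_lat, ref_lon):
    """Equirectangular projection to metres east/north of a reference point.
    Accurate enough at the few-hundred-metre scale of a privacy zone."""
    x = math.radians(lon - ref_lon) * EARTH_RADIUS_M * math.cos(math.radians(ref_lat))
    y = math.radians(lat - ref_lat) * EARTH_RADIUS_M
    return x, y


def to_latlon(x, y, ref_lat, ref_lon):
    """Inverse of to_local_xy."""
    lat = ref_lat + math.degrees(y / EARTH_RADIUS_M)
    lon = ref_lon + math.degrees(x / (EARTH_RADIUS_M * math.cos(math.radians(ref_lat))))
    return lat, lon


def distance_m(p, q):
    """Ground distance in metres between two (lat, lon) points."""
    return math.hypot(*to_local_xy(q[0], q[1], p[0], p[1]))


def boundary_point(centre, radius_m, bearing_deg):
    """Simulate what an observer sees: a track heading out at bearing_deg
    becomes publicly visible exactly where it crosses the zone's edge."""
    x = radius_m * math.sin(math.radians(bearing_deg))
    y = radius_m * math.cos(math.radians(bearing_deg))
    return to_latlon(x, y, centre[0], centre[1])


def centre_from_two_opposite(p1, p2):
    """Out-and-back ride: the visible start and end sit on opposite sides of
    the circle, so the zone centre is simply their midpoint."""
    bx, by = to_local_xy(p2[0], p2[1], p1[0], p1[1])
    return to_latlon(bx / 2.0, by / 2.0, p1[0], p1[1])


def centre_from_three(p1, p2, p3):
    """Three boundary points from different activities: solve for the circle
    through them (its circumcentre). Returns (lat, lon, radius_m)."""
    ax, ay = 0.0, 0.0  # p1 is the local origin
    bx, by = to_local_xy(p2[0], p2[1], p1[0], p1[1])
    cx, cy = to_local_xy(p3[0], p3[1], p1[0], p1[1])
    d = 2.0 * (ax * (by - cy) + bx * (cy - ay) + cx * (ay - by))
    if abs(d) < 1e-9:
        raise ValueError("points are collinear; no circle passes through them")
    a2, b2, c2 = ax * ax + ay * ay, bx * bx + by * by, cx * cx + cy * cy
    ux = (a2 * (by - cy) + b2 * (cy - ay) + c2 * (ay - by)) / d
    uy = (a2 * (cx - bx) + b2 * (ax - cx) + c2 * (bx - ax)) / d
    lat, lon = to_latlon(ux, uy, p1[0], p1[1])
    return lat, lon, math.hypot(ux - ax, uy - ay)


if __name__ == "__main__":
    # Zone centred on the house: three crossings from three rides give it away.
    pts = [boundary_point(HOME, RADIUS_M, b) for b in (30, 150, 250)]
    lat, lon, r = centre_from_three(*pts)
    print("recovered centre is %.1f m from home, radius %.0f m"
          % (distance_m((lat, lon), HOME), r))

    # Mitigation: centre the zone 300 m north of the house instead.
    zone = to_latlon(0.0, 300.0, HOME[0], HOME[1])
    pts = [boundary_point(zone, RADIUS_M, b) for b in (30, 150, 250)]
    lat, lon, r = centre_from_three(*pts)
    print("with an offset zone the recovered centre is %.1f m from home"
          % distance_m((lat, lon), HOME))
```

The attacker never needs the radius in advance: three crossings fix both centre and radius, which is why a fixed radius is no protection on its own. The second half of the demo shows the offset-centre workaround: the circle is still recovered exactly, but its centre is the decoy point rather than the front door.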



As the company's Dan Cuddeford added: “Assuming Strava’s user base is made up of serious cyclists who invest heavily in the best equipment, the app can be used by criminals as an accurate map of where to find expensive bikes they might want to steal.”

Wandera said it notified Strava about the issue. Strava reportedly responded by saying the feature is working as intended. However, La Porta added, it would probably be better if the privacy zone's radius were randomised rather than set to a specific value.

Another simple fix is to centre Strava's privacy zone on something other than your home, office or wherever you start to run or ride. By placing it a couple of hundred metres away, you make it harder to work back from the zone's centre to your front door. (One Reg operative hit on this idea a while ago, not to preserve privacy but to make sure his efforts on a tasty hill were included in Strava's records.)

This kind of misdirection probably won't help military bases, which are home to large numbers of users. But it's got to be better than the Pentagon's rushed and embarrassed response to the heat map fiasco. ®
