New strife for Strava: Location privacy feature can be made transparent

Circles within circles make it easy to find the midpoint

By Richard Chirgwin

Analysis by mobile device management outfit Wandera has suggested that newly notorious exercise-tracking app Strava's “location privacy” feature isn't very good at hiding users' homes.

Wandera's analysis comes after Strava released a "heat map" that was found to offer clues to the location of military bases. Such data was only captured because Strava's privacy feature is off by default. When it's on, the feature creates a virtual bubble in which users' activities aren't tracked.

But as Wandera's Liarna La Porta wrote, the privacy zone might not be enough: “If an activity on Strava is circular in nature and the return route is from the opposite direction, it is relatively easy to deduce the mid-point and where the privacy zone is centred on. If there are not two exact opposite points, it’s possible to use a third point from a different activity and solve the equation of a circle passing through 3 points.”

As the company's Dan Cuddeford added: “Assuming Strava’s user base is made up of serious cyclists who invest heavily in the best equipment, the app can be used by criminals as an accurate map of where to find expensive bikes they might want to steal.”

Wandera said it notified Strava about the issue. Strava reportedly responded by saying the feature is working as intended. However, La Porta added, it would probably be better if the Privacy Zone was randomised rather than set to a specific radius.

Another simple fix is to centre Strava's privacy zone on something other than your home, office or wherever you start to run or ride. By placing it a couple of hundred metres away, you'll make home-hacking harder. (One Reg operative hit on this idea a while ago, not to preserve privacy but to make sure his efforts on a tasty hill were included in Strava's records.)

This kind of misdirection probably won't help military bases, which have large populations of people. But it's got to be better than the Pentagon's rushed and embarrassed response to the heat map fiasco. ®
