Big Yikes: Are hackers getting your location from your fitness apps?

November 14, 2023

Fitness trackers and apps from some of the largest tech companies on the planet are convenient, fun, and informative. They can also be leaky with data, and there could be minimal repercussions from a fitness data breach. And hacking these apps might be easier for some than you might think.

Wait, what?

Fitness apps are everywhere, and both the apps and tracking devices are popular and have legitimate uses. But users may not know how extensively their information is being made available to, or intercepted by, third parties. That matters all the more because, unlike credit card numbers or IDs, you can’t simply change your DNA or health data.

“Once the toothpaste is out of the tube, you can’t get it back,” Steve Grobman, senior vice president and chief technology officer of computer security company McAfee, told CNBC in November 2022.

Data breaches and unintended disclosures do happen to fitness app publishers, including Fitbit in 2021 and Strava in 2018. When this happens, consumers should understand that fitness data isn’t considered “health information” that is protected under federal standards.

Even when there’s no breach, the intentional sharing of data can lead to usage in ways you’d never expect. For instance, personal information could be shared or sold to third parties, such as data brokers or law enforcement, CNBC reported.

Disturbed yet? There’s more. In April 2023, graduate students in Belgium found that some fitness apps can be exploited to pinpoint users’ home location. Users who share run activity could inadvertently disclose their home or business address, because an activity is likely to start or finish at one of those locations. Fitness apps like Strava added measures to prevent this, such as hiding the run endpoints. But Karel Dhondt, Victor Le Pochat and others discovered that, by combining leaked activity metadata with street grid data and other information, they were able to pinpoint users’ private locations anyway.

So what to do? Most of us use the big fitness apps, and awareness and caution should be exercised as a matter of course. Or, you can try RunTracker, the new privacy-focused fitness app that doesn’t post user locations anywhere. RunTracker has all of the same workout tracking features as the big apps, but carries none of the risks. Try it today!