
According to BleepingComputer*, researchers at the North Carolina State University Raleigh have discovered a privacy risk in the Strava app’s heatmap feature that could lead to identifying users’ home addresses.
Strava is a popular running companion and fitness-tracking application with over 100 million users worldwide, helping people track their heart rate, activity details, GPS location, and more.
In 2018, Strava implemented a feature called “heatmap” that anonymously aggregates users’ (runners, cyclists, hikers) activity to help users find trails or exercise hotspots, meet like-minded individuals, and perform their sessions in more crowded and safer locations.
However, as the researchers found, this feature opens up the possibility for tracking and de-anonymizing users using publicly available heatmap data combined with specific user metadata.
By comparing the endpoints from the heatmap with a user’s personal data from the search function, the researchers could correlate the high-activity points on the heatmap with the users’ home addresses.
Thomas Uhlemann, Security Specialist at ESET, commented that this comes as no surprise, as it is not the first time that Strava (but also other social networks) has posed a privacy or even physical security risk to its users. Already back in 2018 it was misused to track US military bases around the world, “thanks” to the heatmap feature, which was introduced as far back as 2015.
Introduced as a feature to share training success and motivation with peers, the feature update in 2017 raised eyebrows among the security community. Thanks to the high resolution of the updated heatmap, it seemed easy to track down individual activities – Strava even bragged about it in their press release. The best advice to all users is to think twice before activating the optional heatmap feature – especially when you suspect you are being stalked or work in a field with higher security requirements.
*ESET does not bear any responsibility for the accuracy of this information.
