Following the revelation that a heatmap detailing the workout activities of Strava users had inadvertently revealed the locations of secret military bases, many users might have turned their privacy settings on.
The trouble is that the way Strava obfuscates the data makes it easy for somebody to pinpoint the hidden location, typically a user's home or office, even with the privacy zone turned on.
This revelation is brought to us by mobile security firm Wandera. Rather than using scripts and diving into reams of code, Wandera used basic geometry to crack Strava’s privacy.
When a user wants to hide a location, Strava draws a circular privacy zone around the chosen address and cuts the solid red route line off at the edge of that circle rather than drawing it all the way to the door.
Wandera's Liarna La Porta explains:
"The biggest flaw in Strava's privacy zone feature is the precision with which it ends activity information around a selected address.
If an activity on Strava is circular in nature and the return route is from the opposite direction, it is relatively easy to deduce the mid-point and where the privacy zone is centered. If there are not two exactly opposite points, it's possible to use a third point from a different activity and solve the equation of a circle passing through 3 points."
Users can change the radius of a privacy circle, but Strava only allows them to pick one of five fixed radii. With that in mind and a bit of geometry (Wandera links to the standard formula for the circle passing through three points), the security firm drew a Venn-style diagram: take three points where activities are cut off, draw a circle of the known radius around each, and the single point where all three circles intersect is the centre of the privacy zone, which is the location where the person starts their activities.
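The geometry described above, as an added worked example that is not Wandera's code or anything from Strava: the cut-off points of three or more activities are treated as points on the privacy circle, the circle's centre and radius are solved for, and the recovered radius is checked against the set of selectable radii, which is how an analyst would confirm that the three points really belong to one zone. The coordinates are constructed for this example, the list of five radii and the function and variable names are assumptions, and lat/lon is projected to local metres with an equirectangular approximation, which is accurate enough at the one-kilometre scale of a zone.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

# The article says Strava offers five fixed radii; these particular values are
# an assumption made for this example, not taken from Strava.
ALLOWED_RADII_M = (200, 400, 600, 800, 1000)
TOLERANCE_M = 25  # slack for GPS noise and the map projection


def to_local(lat, lon, lat0, lon0):
    """Metres east/north of (lat0, lon0), equirectangular approximation."""
    x = EARTH_RADIUS_M * math.radians(lon - lon0) * math.cos(math.radians(lat0))
    y = EARTH_RADIUS_M * math.radians(lat - lat0)
    return x, y


def to_latlon(x, y, lat0, lon0):
    """Inverse of to_local."""
    lat = lat0 + math.degrees(y / EARTH_RADIUS_M)
    lon = lon0 + math.degrees(x / (EARTH_RADIUS_M * math.cos(math.radians(lat0))))
    return lat, lon


def circumcenter(a, b, c):
    """Centre and radius of the unique circle through three non-collinear points."""
    (ax, ay), (bx, by), (cx, cy) = a, b, c
    d = 2.0 * (ax * (by - cy) + bx * (cy - ay) + cx * (ay - by))
    if abs(d) < 1e-9:
        raise ValueError("points are collinear; no unique circle")
    a2, b2, c2 = ax * ax + ay * ay, bx * bx + by * by, cx * cx + cy * cy
    ux = (a2 * (by - cy) + b2 * (cy - ay) + c2 * (ay - by)) / d
    uy = (a2 * (cx - bx) + b2 * (ax - cx) + c2 * (bx - ax)) / d
    return (ux, uy), math.hypot(ax - ux, ay - uy)


def snap_radius(r):
    """Nearest selectable radius, or None if r is not close to any of them."""
    nearest = min(ALLOWED_RADII_M, key=lambda k: abs(k - r))
    return nearest if abs(nearest - r) <= TOLERANCE_M else None


def midpoint_from_opposites(a, b):
    """First case in the quote: an out-and-back activity leaves two cut-off
    points on opposite sides of the zone, so the hidden address is their midpoint."""
    lat0, lon0 = a
    bx, by = to_local(b[0], b[1], lat0, lon0)
    return to_latlon(bx / 2.0, by / 2.0, lat0, lon0)


def locate_privacy_zone(endpoints):
    """Second case: three or more (lat, lon) cut-off points from different activities.
    Returns ((lat, lon) of the zone centre, snapped radius), or None when the
    points do not fit a single zone of a selectable radius."""
    if len(endpoints) < 3:
        return None
    lat0, lon0 = endpoints[0]
    pts = [to_local(lat, lon, lat0, lon0) for lat, lon in endpoints]
    try:
        (cx, cy), r = circumcenter(*pts[:3])
    except ValueError:
        return None
    radius = snap_radius(r)
    if radius is None:
        return None
    # Every further endpoint must lie on the same circle; if one does not, the
    # points come from different zones (or the user has since moved the zone).
    for px, py in pts[3:]:
        if abs(math.hypot(px - cx, py - cy) - radius) > TOLERANCE_M:
            return None
    return to_latlon(cx, cy, lat0, lon0), radius


# Constructed sample: a hidden address with a 400 m zone and four activities cut
# off exactly at the zone boundary in four directions. Not real Strava data.
HOME = (-33.9249, 18.4241)
SAMPLE_ENDPOINTS = [
    to_latlon(400 * math.cos(math.radians(deg)), 400 * math.sin(math.radians(deg)),
              HOME[0], HOME[1])
    for deg in (0, 90, 180, 225)
]

if __name__ == "__main__":
    print("midpoint of opposite cut-offs:",
          midpoint_from_opposites(SAMPLE_ENDPOINTS[0], SAMPLE_ENDPOINTS[2]))
    print("three-point solution:", locate_privacy_zone(SAMPLE_ENDPOINTS))
```

The radius check is what makes the result trustworthy: three arbitrary points always define some circle, but only a circle whose radius matches one of the selectable values, and on which a fourth cut-off point also lies, is evidence of a privacy zone. It also shows why the attack works at all: every activity is cut at exactly the circle boundary, so the cut-off points share one circle, and that circle gives away its centre.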
Is this dangerous? Wandera's director of systems engineering, Dan Cuddleford, thinks so.
“Assuming Strava’s user base is made up of serious cyclists who invest heavily in the best equipment, the app can be used by criminals as an accurate map of where to find expensive bikes they might want to steal. Especially risky when bikes are kept in the basement of office buildings which can be easily accessed with some clever social engineering,” says Cuddleford.
When asked for comment on this frankly simple way of bypassing the app's privacy controls, Strava reportedly told Wandera that privacy zones were working as intended and that users had the option to disable the feature altogether.
With this news, it seems that users who are concerned about privacy while using Strava will have to lock the app down themselves. [Image – CC Pixabay] [Source – Wandera]