Polar’s fitness app is inadvertently revealing the location of US military personnel and other users. This is the second time in six months a popular fitness app has come under fire for making public information that could be used for nefarious purposes.
The information comes from a detailed investigation by the Dutch outlet De Correspondent and the open source investigative site Bellingcat. It shows that the Explore function in the Polar Flow app can be used to reveal “the homes and lives of people exercising in secretive locations, such as intelligence agencies, military bases and airfields, nuclear weapons storage sites, and embassies around the world.”
To the best of our knowledge, an actual breach has not occurred, but the joint investigation shows that it is possible. In fact, researchers were able to uncover the names, addresses and other information of nearly 6,500 users across 69 nationalities using the service.
The Explore function has been around since 2014 and thousands of athletes use it each day. It shows, for example, popular running and cycling routes. Useful, but if one of those routes belongs to a soldier exercising near a military base, it can be problematic! Equally, Polar’s open data set poses a risk to civilians who may be targets of unscrupulous individuals.
Strava’s popular fitness app faced similar issues some six months ago. Its heatmap inadvertently mapped places that should have been kept secret, including sensitive US military locations such as those in Iraq, Syria and Afghanistan. It seems the Strava app was used by soldiers wearing fitness devices such as Fitbit and Garmin while they were out and about jogging.
Polar has acted swiftly and suspended the Explore function until it resolves the issue. The company issued a statement addressing the security loophole.
“It is important to understand that Polar has not leaked any data, and there has been no breach of private data,” the statement reads.
“Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case. While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API.”
In other words, users have the option to mark their data as private via the user profile page in the app. Marking it private will also prevent the service from sharing information with third-party apps such as Facebook. Nevertheless, Polar is looking at options to raise the level of privacy.