Strava, the exercise tracking app, is back in the news with reports suggesting that it is possible to pinpoint a user's home location if they use the “map visibility” feature – a feature designed to do exactly the opposite!

Analysts at mobile cyber-security firm Wandera recently revealed the results of work they had undertaken into the Strava app.

How does it work?

Ever since Strava inadvertently identified the locations of military installations around the world in 2018, Strava have looked for ways to help users obfuscate their location data when using the app on a run or a cycle ride.

Strava data used to map out the detail of Bagram air base in Afghanistan
Strava data used to map out the detail of RAF Mount Pleasant in the Falkland Islands

To avoid incidents like those shown in the images above, Strava introduced a feature called Map Visibility, which lets users block out sensitive locations on their maps.

Map visibility has three configuration options:

  • Option 1: Enter an address to hide the portion of any past or future activity that starts or ends nearby. This selection will apply to all past and present activities.
  • Option 2: Hide the start and end of all activities regardless of where they start or end. This selection will only apply to future activities.
  • Option 3: Hide the entire map. This selection will only apply to future activities.

When choosing option 1 or 2, the user enters a point on the map, and the Strava app blocks out a radial distance of 1 mile from that centre point.

Seems OK right?

The problem of geometry

If a user only ever uses one point on the map to block out their location, it becomes fairly obvious where they live – in the centre of the “hidden” area.

As such, most users start their exercise, wait until they are an appropriate distance from their start point, and only then block out the map.

This is where geometry comes into play.

By analysing multiple blocked areas and identifying where they intersect, it is possible to triangulate a user's actual start point.

Identifying Strava users' locations by triangulation

According to the Wandera report, the problem arises because the Strava app always uses a circle with the same radius to block out sensitive places.

“Using the ending points of an activity, it is possible to determine which option was selected by the user and then to triangulate the exact location of the selected address,” the report says. “As the privacy zone is of equal size in each activity, it’s possible to represent this graphically by increasing the radius of circles around each activity end marker until three or more circles intersect.”

Wandera research into Strava map visibility

Strava is not the first app whose mapping features could be used to reverse-locate a user.

Tinder suffered from the same issue until Include Security documented how the dating app’s implementation of a location feature could help an attacker pinpoint a Tinder user’s location to within 100 feet.

Following the report, Tinder updated its app and now shows only a rounded distance rather than a precise one.

Wandera made a similar recommendation to Strava when it disclosed its research. Strava’s response was that “privacy zones were working as intended and users could opt-out entirely if required.”

Until Strava changes how its app hides sensitive areas, the advice is to turn off privacy zones and instead not start or stop Strava activities until you are a random distance from your sensitive location.
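The geometry described above and the advice just given, as a small added example that is not Wandera's or Strava's code: it fits a circle through the visible start/end markers of several activities and flags the set as leaking when every marker sits on one circle of the privacy-zone radius, then shows that varying the walk-off distance before each start, as recommended, leaves no common circle to fit. Coordinates are a constructed local east/north frame in metres; a real check of your own exported activities would project the GPS points first.

```python
# Added example (not Wandera's or Strava's code): local flat east/north
# coordinates in metres, constructed markers; real GPS would be projected first.
import math

MILE_M = 1609.344  # the 1-mile privacy-zone radius described in the article

def _det3(m):
    return (m[0][0] * (m[1][1] * m[2][2] - m[1][2] * m[2][1])
            - m[0][1] * (m[1][0] * m[2][2] - m[1][2] * m[2][0])
            + m[0][2] * (m[1][0] * m[2][1] - m[1][1] * m[2][0]))

def _solve3(m, rhs):
    """Cramer's rule for a 3x3 linear system (three unknowns a, b, c)."""
    d = _det3(m)
    return [_det3([[rhs[i] if k == j else m[i][k] for k in range(3)]
                   for i in range(3)]) / d for j in range(3)]

def fit_circle(points):
    """Least-squares (Kasa) circle fit; returns ((cx, cy), radius)."""
    mx = sum(x for x, _ in points) / len(points)  # centre the data so the
    my = sum(y for _, y in points) / len(points)  # normal equations stay well conditioned
    # x^2 + y^2 + a*x + b*y + c = 0 is linear in (a, b, c); rows hold (x, y, 1, -(x^2+y^2)).
    rows = [(x - mx, y - my, 1.0, -((x - mx) ** 2 + (y - my) ** 2)) for x, y in points]
    m = [[sum(r[i] * r[j] for r in rows) for j in range(3)] for i in range(3)]
    a, b, c = _solve3(m, [sum(r[i] * r[3] for r in rows) for i in range(3)])
    cx, cy = -a / 2, -b / 2
    return (cx + mx, cy + my), math.sqrt(max(cx * cx + cy * cy - c, 0.0))

def zone_leak_check(markers, zone_radius=MILE_M, tolerance=25.0):
    """True (with the recovered centre) when every visible start/end marker lies
    on one circle of the zone radius, i.e. the hidden address is recoverable."""
    center, radius = fit_circle(markers)
    worst = max(abs(math.dist(p, center) - radius) for p in markers)
    return (worst < tolerance and abs(radius - zone_radius) < tolerance), center

# Constructed: a home at (1200, -800) m. With a fixed 1-mile zone each visible
# marker is where a route crossed the zone edge, here on five bearings.
HOME, BEARINGS = (1200.0, -800.0), (0.3, 1.4, 2.9, 4.2, 5.5)
FIXED_ZONE_MARKERS = [(HOME[0] + MILE_M * math.cos(t), HOME[1] + MILE_M * math.sin(t))
                      for t in BEARINGS]
# Constructed: no zone, but a different walk-off distance before each start,
# as the article advises, so the markers share no circle.
RANDOM_OFFSET_MARKERS = [(HOME[0] + d * math.cos(t), HOME[1] + d * math.sin(t))
                         for t, d in zip(BEARINGS, (700, 1900, 1100, 1500, 800))]

if __name__ == "__main__":
    print(zone_leak_check(FIXED_ZONE_MARKERS))    # (True, (1200.0, -800.0)) up to float rounding
    print(zone_leak_check(RANDOM_OFFSET_MARKERS))  # (False, ...)
```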

Looking at the latest information from Strava regarding map visibility, an updated notice was added to the usage instructions on 25 April 2023.

Strava information on using Map visibility features