App Privacy & Security: Why Running Apps Still Lag

April 21, 2021
Security and Privacy Concerns in Popular Running Apps

A recent evaluation by security experts reveals that many widely used running applications continue to exhibit vulnerabilities in their security and privacy protocols. A comparative analysis conducted five years apart demonstrates limited improvements across the leading platforms.

Data Collection by Running Applications

Running apps accumulate substantial personal information during usage. This includes health metrics such as height and weight, utilized for calorie expenditure calculations, as well as precise location data to map workout routes.

The potential for misuse of this data is significant. Compromised information could expose sensitive details about an individual’s home or workplace.

Past Security Breaches and Concerns

In 2018, Strava responded to concerns regarding data privacy by announcing simplifications to its privacy settings. This followed reports that users were unintentionally disclosing data revealing the locations of military installations and classified government sites.

Current Security Deficiencies

Researchers from Pen Test Partners, a U.K.-based cybersecurity firm, assessed several prominent running apps – including Strava, Runkeeper, MapMyRun, Nike Run Club, and Runtastic – and identified a lack of fundamental security safeguards against unauthorized access and data leaks.

Over the past five years, only Runtastic implemented a more robust password policy. The remaining applications still permit the use of easily compromised passwords, such as “123456” and “password.”

Automated hacking attempts frequently target accounts utilizing predictable or weak credentials. Critically, none of the assessed apps offer two-factor authentication, a security measure that adds an extra layer of protection against the reuse of stolen passwords.

Google data indicates that even basic two-factor authentication can effectively mitigate the majority of automated password reuse attacks.

Lack of Response from App Developers

Inquiries were directed to each app developer regarding the absence of two-factor authentication. However, none of the companies provided a response.

Privacy Control Improvements

The research indicated that Runtastic, Nike Run Club, and MapMyRun had enhanced their privacy controls. However, Strava demonstrated “no significant change” in this area.

The report highlighted that Strava and Runkeeper default to publicly sharing user data. While users can modify these settings, the process is not intuitive and may not be prioritized by the average user.

Conversely, Nike Run Club, Runtastic, and MapMyRun offer more secure default privacy settings, limiting data sharing to friends or followers only.

  • These applications do not share user data publicly by default.
  • Information is shared only with friends or followers.