Security researchers have used the mobile fitness app Polar to determine the location of its users. Those users were soldiers and secret agents in military bases. Their location, while safe from most, wasn’t that safe from their smartphone.
People working in those military bases happened to also use the Polar app, which collected data on their activity, including location, steps, distance, etc. Security researchers in the Netherlands found ways to access that data due to flaws in the app. This data had some common clues that gave away people’s work and home, but for some people work was in unusual places. This included employees of the FBI and NSA, along with people at other military bases in many countries. The data could let individuals find buildings where secret agents stay during their work, the location of classified objects, etc.
Similar flaws have been found in other apps that monitor health, like the Strava app. Such flaws may indeed be very dangerous. While most people are concerned with data collection, the focus should be on security and encryption. Even if the Polar app didn’t store locations, data could still be recorded from the app. We cannot make apps record no data at all; that would destroy their functionality. But we have to find ways to encrypt, on the device, data that could be used in such a way, and maybe even force companies that store data to meet a certain minimum level of security on their servers.
While GDPR ensures that users have more control over their online privacy, we still face the problem of having too much data collected at all times. GDPR doesn’t do anything about it, and we should be trying to find ways to solve such problems. While encryption on device might be impossible due to processing demands, a solution must be found, at least for those working in such sensitive positions.
Information collected in this study included detailed personal information, including home addresses, of military personnel, persons serving on submarines, Americans in the Green Zone in Baghdad and Russian soldiers in Crimea. This data was apparently accessed through the Polar site. In this case I think the company is to blame.
But at some point, no matter how good technology gets, we have to ensure that people working in such sensitive positions either use specifically designed devices or leave their personal ones at home when going to a sensitive location, to avoid such leaks. The problem with cyber security is that no matter how good security measures get, there will always be ways to hack something. Some companies like Apple handle hacks very well, rewarding hackers so that they can have the information to fix the problem on day 0 before something bad happens. Others like Polar apparently do nothing, and others like Microsoft have huge teams that constantly work but, due to the number of devices and features they support in their software, can’t possibly protect everything and allow some issues that are ultimately not their fault. In this case, likewise, it’s not Android’s fault. The data could be accessed through the website.
Technically Polar did not leak any user data, although their security could be improved. They have since released a statement regarding the issue. They state that they realize that there is a flaw in the app’s design and they are trying to fix this. Until then they have turned off the location features for everyone. Of course the data was not leaked to someone unknown; it was researchers, and they did not have bad intent. Neither did Polar sell the data or anything like that. But they did make an app with a flaw that allowed this, and that’s not really great. Hopefully such issues will soon be fixed. For now we will have to see what’s next. I would like to see Google implement a security feature on Android that is more aggressive. Although each app can still gather data and display it on a website, so who knows. Maybe we need a GDPR that ensures companies handle customer data securely. Thankfully in this case it wasn’t a random hacker; it was a researcher. If it was a random hacker the situation for Polar would be much worse.