‘HelloMobile’ App Exposed User Data to Anyone Who Entered Their Number
Last updated September 17, 2021
Many cyclists and runners use the ‘Strava’ app on their smartphones to track their sessions and log their performance data. According to recent user reports, Strava may be sharing athletes’ data with other users who happen to be nearby, exposing sensitive details about them.
Those nearby users aren’t connected with them on the platform as “friends,” so we’re talking about strangers who happen to pass by. This is a serious privacy violation for users of Strava, and it appears to be the result of a misconfiguration by the developers.
This has been confirmed by Andrew Seward of Experian, who suddenly got a log entry on his run after another runner passed by him. Clicking on the tag would reveal her name, picture, and also her running route. The route in particular could easily show where the woman lives. Seward checked and confirmed that he isn’t following her by mistake, and also confirmed that she isn’t publicly sharing her activity on the platform.
(1/2) Out running this morning on a new route and a lady runs past me.
Despite only passing, when I get home @Strava automatically tags her in my run. If I click on her face it shows her full name, picture and a map of her running route (which effectively shows where she lives) pic.twitter.com/flnHpSvA79
— Andrew Seward (@MrAndrew) September 14, 2020
So, all in all, someone could approach another Strava user out there and learn who they are, where they run, and where they live. That is a severe privacy exposure, since it ties a real identity to a home location. Upon further digging, the culprit was determined to be the “Flyby” setting, which was set to “Everyone” by default.
Also, the “Followers” option - which should be the default for the Flyby feature in the first place - is absent in the settings.
Looks very intentional to encourage flybys to stay public. The only privacy setting means you can't see your own either, and it's the only setting which doesn't have the third 'followers' option. Also scary is 'anyone on the web' so not just via the Strava platform? pic.twitter.com/StjyGu1t8A
— Ken Wynn 🇬🇧 🇳🇱 🏳️🌈 🧑🤝🧑🐱🐱🐶🚲 (@highfielder80) September 20, 2020
If you’re using Strava to track your sports activities, go ahead and set the Flyby option to “No One,” and you should be safe from predators and stalkers. Strava developers took note of the user reports and realized their mistake, so they have now changed the default setting to “No One.” Those who already had the app installed will be prompted to check their privacy settings and adjust the Flyby setting accordingly.
There are some running apps out there that promise ultimate privacy and anonymity, but if you want to be sure, just use an anonymous email account, add fake information on your user profile, and check the privacy settings thoroughly. If possible, turn off the GPS on your smartphone or use a wearable to track your performance and route instead, and you may sync the data later when you’re back home.