Polar fitness app exposed personal information of soldiers and spies

For the second time this year, a fitness app is to blame for revealing the locations of people working at military bases, intelligence agencies and other sensitive sites, as well as pinpointing those users’ homes.

The fitness app Polar Flow allows users to share the GPS locations of where they are exploring — aka exercising; that’s supposedly a feature and not a flaw. Yet the API could be queried to reveal users’ fitness activities, their locations, their homes — as it is often where people would turn on and later off the tracking when beginning and ending a workout. Further, some additional sleuthing revealed even users’ names.

Polar makes an online map available to its users and displays all their exercise routes and locations since 2014. According to an investigation by Bellingcat and De Correspondent, that map can also be used to let “anyone” find the names and addresses of military and intelligence agency personnel, as well as names and addresses for “personnel at nuclear storage facilities, maximum security prisons, military airports where nuclear weapons are stored, and drone bases.”

De Correspondent showed how “simple searching” allowed journalists “to find 6,460 users who have tracked their sports activities at or near sensitive locations” all the way back to 2014. “Of these users, nearly 90% list a name and city on their profile page, which makes finding their home address significantly easier.”

Bellingcat reported:

By showing all the sessions of an individual combined onto a single map, Polar is not only revealing the heart rates, routes, dates, time, duration, and pace of exercises carried out by individuals at military sites, but also revealing the same information from what are likely their homes as well. Tracing all of this information is very simple through the site: find a military base, select an exercise published there to identify the attached profile, and see where else this person has exercised. As people tend to turn their fitness trackers on/off when leaving or entering their homes, they unwittingly mark their houses on the map. Users often use their full names in their profiles, accompanied by a profile picture — even if they did not connect their Facebook profile to their Polar account.

Polar’s Explore API allowed access to data, has since been suspended

The journalists took advantage of an “oversight in the Polar app” to expose the names and addresses of users who opted to leave their profile as “private.”

Bellingcat explained that is how its reporters “found the names and addresses of personnel at intelligence agencies, including the NSA and Secret Service in the U.S., the GCHQ and MI6 in the U.K., the GRU and the SVR RF in Russia, the DGSE in France, and the MIVD in the Netherlands. We found the names and addresses of personnel at military bases, including Guantánamo Bay in Cuba, Erbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea.”

Polar also failed to limit how much information could be requested. Since there was no limit, the journalists “were able to automatically call up every activity across the entire world for those 6,460 users, which made it much easier to determine their home address.” It would have been equally easy for foreign intelligence services or malicious actors to scrape the same data.

This is the second time this year that a fitness app’s map was used to expose sensitive personal information. The first time involved Strava’s Global Heat Map which showed the locations and movements of its 27 million app users with fitness devices across the globe. In theory, the data was “anonymized;” in reality, thanks to research by Nathan Ruser, it showed locations and patterns of activity in and around military bases, secret facilities and military patrol routes.

After Polar was notified, the company published a statement saying it was “important to understand that Polar has not leaked any data, and there has been no breach of private data. Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and they are not affected in any way by this case. While the decision to opt in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API.”

Polar plans to suspend its Explore API as it works toward a goal of raising “the level of privacy protection” and heightening “the awareness of good personal practices when it comes to sharing GPS location data.”