Fitness app Polar Flow exposed sensitive locations, home addresses

Maricruz Casares
July 11, 2018

Polar's line of smart devices is able to connect to the company's fitness app, Polar Flow, where users can record their activities and routes on a publicly viewable "Explore" map.

The Explore component of Polar Flow was meant to show anonymous data on its users and their activities around the globe, displaying it in a similar fashion to the activity map that was responsible for Strava's woes earlier in the year. Polar added that there had been no breach of private data and that it is now "analyzing the best options that will allow Polar customers to continue using the Explore feature while taking additional measures to remind customers to avoid publicly sharing Global Positioning System files of sensitive locations".

In addition, the researchers calculated the home addresses of a number of soldiers, given the widespread habit of switching a fitness tracker on at home and turning it off after returning home.

Polar monitors heart rate, location, route, and the date and time of the training; this information can be shared on the social platform.

According to investigative news site Bellingcat, the company's app is so flawed from a security perspective that it was able to get the home addresses of military personnel using the app with little difficulty.

The app, developed by Finnish software firm Polar, allows anyone to access location maps in order to track users' fitness activities. The two organisations found areas such as a military base, selected an exercise that had been published there, then simply looked at where that same user profile had been.

"We found the names and addresses of personnel at military bases including Guantánamo Bay in Cuba, Erbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea".

"With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning", security researcher Foeke Postma said in a blog post Sunday after an investigation with the Dutch news organization De Correspondent. While the signup form shown after installation can be filled in with fake information, most users tend to enter genuine information and might also link the app to one of their social profiles such as Facebook.

Polar shows all user sessions since 2014, from all over the world, on one map.

"As always, check your app-permissions, try to anonymize your online presence, and, if you still insist on tracking your activities, start and end sessions in a public space, not at your front door". On Friday, the company issued a statement in which it said that it did not leak users' private information and that there had been no data breach affecting private data.

Given that this would make it spectacularly easy to kidnap these people or even blow them up, it's not surprising that Polar has taken evasive action.
