Strava is one of the most ubiquitous cycling applications. The multitude of continuously updated features has something for everyone and, though many bemoaned the recent shift to a subscriber-centred design, the user-base just keeps growing as more and more people create profiles on the app.
When you create a Strava profile you’re asked to input a lot of personal information. Your photo, name, location, and even your bike model are all visible to other users. Paired with a highly precise map of your local rides, is there a security risk in sharing that information?
Kristina Balaam, a senior security intelligence engineer at Lookout, says that publicly sharing maps of your activities isn’t advisable.
“Publicly sharing cycling or running routes is a significant privacy risk,” says Balaam. “A solo runner or cyclist can compromise their safety, especially if they tend to follow a similar route or schedule on a daily or weekly basis. When anyone on the internet can see your routes, it is much easier to be the target of an assault, a bike theft, etc.”
“It’s a risk to share your home location (and even office location),” says Balaam. “With lockdown, so many of us are working from home. If a potential attacker can see where you live and when you tend to leave for your workout, it increases the risk of a burglary or assault.” She notes that many cyclists will share photos of their expensive bikes on social media platforms, which increases their risk of being targeted by would-be bike thieves.
“It’s not difficult to use open-sourced intelligence (OSINT) to piece together information about an individual that could be valuable to an attacker,” she says. Thieves will have an easier time when cyclists post bike photos on Instagram in conjunction with posts of Strava (or other similar app) routes that include their home, office, or any other location where the bike is stored.
In recent years, some cyclists who were victims of theft have claimed their homes were specifically targeted by bike thieves who used Strava to track them, though there’s no easy way to verify the claims.
In response to one high-profile bike theft case in which the cyclist claimed he was tracked using Strava, a spokesperson for the app told Wearable.com: “Strava hasn’t seen any verified cases of bicycle theft related to our platform.”
Risk of assault
Unfortunately, women are forced to think about what they share publicly on the internet, and Strava is no exception. “The combination of a public Instagram account and publicly shared activities provides would-be stalkers and attackers with a dangerous amount of information about your private life and routines,” says Balaam.
Strava’s privacy measures
Faced with criticism from users, Strava has made some feature changes recently that, Balaam says, make the app safer.
Flybys are no longer the default, and the information shared on leaderboards has changed. There’s also an added safety barrier called Privacy Zones, which operates within a 200m to 1,000m radius of your home address. When Privacy Zones is activated, other Strava users will see your ride beginning and ending at a randomized location within the circle of your ‘Privacy Zone’—not at your house.
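To make the idea concrete, here is a simplified model of a privacy zone, added as an illustration and not Strava’s own code or algorithm. The coordinates, the 500m radius and the 20–80% offset range are constructed assumptions; the point it shows is that offsetting the hidden circle from the house keeps every published point a minimum distance from home.

```python
import math
import random

EARTH_RADIUS_M = 6_371_000

# Constructed sample data: an out-and-back ride heading north from "home".
HOME = (43.6500, -79.3800)
_OUT = [(HOME[0] + i * 0.001, HOME[1]) for i in range(21)]  # ~111 m per step
TRACK = _OUT + _OUT[-2::-1]

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def random_zone_centre(home, radius_m, rng):
    """Pick a zone centre at a random offset, so home is inside the zone
    but is not its centre (offset range is an assumption of this model)."""
    dist = rng.uniform(0.2, 0.8) * radius_m
    bearing = rng.uniform(0, 2 * math.pi)
    dlat = dist * math.cos(bearing) / EARTH_RADIUS_M
    dlon = dist * math.sin(bearing) / (
        EARTH_RADIUS_M * math.cos(math.radians(home[0])))
    return (home[0] + math.degrees(dlat), home[1] + math.degrees(dlon))

def public_track(track, centre, radius_m):
    """Return only the points other users would see: those outside the zone."""
    return [p for p in track if haversine_m(p, centre) > radius_m]

def min_distance_to_home(points, home):
    """Closest approach of any published point to the real home location."""
    return min(haversine_m(p, home) for p in points)

if __name__ == "__main__":
    rng = random.Random()
    centre = random_zone_centre(HOME, 500, rng)
    shown = public_track(TRACK, centre, 500)
    print(f"{len(TRACK) - len(shown)} of {len(TRACK)} points hidden")
    print(f"closest published point to home: "
          f"{min_distance_to_home(shown, HOME):.0f} m")
```

Because the zone centre is at most 80% of the radius away from home in this model, no published point can be closer to home than 20% of the radius.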
“I think Strava has done a lot to empower users with protecting their own data,” says Balaam. “Most of the fitness tracking apps I’ve seen make data visible to other users by default and I’d assume that most people who are using these apps with a social networking component want to share their data – at least some of it. It’s important that the companies responsible for developing these kinds of applications respect our data privacy, but as users it’s important to remember that any information we share with a third party could be compromised. Databases can be breached and attackers are incredibly innovative. There’s always some risk, even with privacy settings turned on.”
Staying safe on Strava
Balaam recommends deactivating Flybys, using Privacy Zones, and making your profile private or limited to friends-only. “[This] makes protecting ourselves much easier, while still interacting with those we know and trust on the platform,” she says. “I think Strava has taken its users’ privacy concerns seriously and these features are a reflection of that.”
She notes that with the right precautions the app is still a valuable training tool and social means of motivation. “As a runner and cyclist, I love Strava,” says Balaam. “But I don’t want random strangers on the internet to know my routes or home or office location. So I default to friends-only activities and am particularly careful with who I accept as a new contact in my network. I only allow connections with people I know in real life or who I know of through friends or family’s running and cycling clubs.”
“It’s unfortunate that we have to be so concerned about this. Activity tracking—especially on sites that include some aspect of social networking—is so great for connecting us with our friends and colleagues and boosting our motivation. I think it’s fine to use these platforms, we just have to be cautious about how the data we share could be used against us.”