Another fitness app has been caught revealing sensitive government employee location data

Over the years, Android and the third-party apps that run on it have found ingenious uses for our location data, including Find My Device, fall detection with wearables, and most importantly, fitness tracking. All the good fitness tracking apps require your precise location data to work. Google has built Android 13 around location data privacy to prevent misuse, but we are now learning of a popular hiking tracker app, AllTrails, potentially revealing the physical location of an important US government official.

If you aren't familiar, AllTrails is just like Strava, aimed at hikers, cyclists, and runners, fusing the benefits of activity and location tracking with social media elements. Reminiscent of the 2018 Strava heat map fiasco which accidentally revealed the location of secret US military installations, a security researcher identified as Wojciech told Motherboard that AllTrails has a similar problem. Since anyone can see AllTrails user activity like trails visited and routes taken, the app accidentally revealed the confidential whereabouts of a senior but unnamed official in the Biden administration.

The researcher successfully matched the publicly visible AllTrails location data with known travels and movement of President Biden's staff to find out the compromised official's identity. AllTrails data also helped Motherboard find the home registered to the official's family since it was a frequent starting and ending point for movement. The official in question wasn't named, but Motherboard verified they were the AllTrails user by trying to create an account with their personal email address. The app showed an error stating an account is already linked to that email address.

The sheer volume and ease of access to actionable information gathered about this civil servant through publicly accessible AllTrails Data is staggering. The researcher doesn't have malicious intentions, but perhaps the official would be safer if they turned off location access for AllTrails after every trip. This incident only reiterates the importance of control over your location data, and how you're partly responsible for preventing its misuse. The gravity of the resulting security situation is far greater if you're a celebrity, government official, or person of interest.

Thankfully, Android is built with location privacy in mind, allowing you to limit when apps have location access and how much access they have. Android 14 wants to make things even better, but for now, you can grant only approximate location access if necessary. Further, select the duration of access carefully — just once, only when the app is running, or never at all. To revoke existing permissions granted to apps, just head into Settings > Security & privacy > Privacy > Permission manager > Location. After all, you're sharing location data with apps like AllTrails voluntarily.

Conclusion on Another fitness app has been caught revealing sensitive government employee location data

If you have any query let me know in comment section.

Post a Comment