It has come to our attention that the Polar fitness app is accidentally divulging the locations of users, including members of the United States military. This is the second time in the past six months that a well-known fitness app has been criticized for making public information that could be misused.
These findings are based on an in-depth investigation conducted by the Dutch publication De Correspondent and the open-source research website Bellingcat. The investigation shows that the Explore feature in the Polar Flow app can be used to show “the homes and lives of people exercising in secretive locations,” like intelligence agencies, military bases and airfields, nuclear weapons storage sites, and embassies all over the world.
Although, to the best of our knowledge, there has not been an actual breach of the agreement, the findings of the joint inquiry indicate that this is a possibility. In fact, researchers were able to find the names, addresses, and other information about roughly 6,500 customers of the website from 69 different countries.
The Explore option has been available since 2014, and thousands of athletes now make use of it on a daily basis. It shows, for instance, well-traveled paths for jogging and cycling. That is beneficial, but if a soldier is using it while working out in the vicinity of a military installation, this could be troublesome! Equally scary is the thought that people with bad intentions could use the free data set that Polar gives away to target innocent bystanders.
A military installation in Africa keeps track of its training progress | Image source: bellingcat
The renowned workout app Strava struggled with the same problems about six months ago. Its heatmap inadvertently mapped places that should have been kept secret, including sensitive US military installations in countries like Iraq, Syria, and Afghanistan. It would appear that soldiers out jogging used the Strava program on their fitness trackers, such as Fitbits and Garmins, while they were doing so.
Polar moved quickly to address the issue and has temporarily disabled the Explore function until it can be fixed. A statement from the corporation was released in which it addressed the security flaw. According to the statement, it is important to know that Polar has not given out any information and that no private information has been leaked.
At the present time, the overwhelming majority of Polar clients keep the default settings for their private profiles and private session data, and as a result, they are in no way impacted by this instance. We are aware that potentially sensitive locations are appearing in public data, and as a result, we have decided to temporarily suspend the Explore API. We have decided to temporarily stop using the API, even though it is the customer’s choice and responsibility to opt-in and share training sessions and GPS location data.
This basically means that users have the choice to mark their data as private within the app by going to the user profile page and selecting the appropriate option there. If you set it to private, the service won’t be able to share any information with other apps, including Facebook, unless you change the setting. Despite this, Polar is investigating several ways to improve the level of confidentiality.