Fitness app Polar Flow, exposed sensitive locations and home addresses

Adjust Comment Print

Polar is the manufacturer of such popular running watches as the Polar M200 and M400, as well as fitness-oriented smart watches like the Polar M430 and M600, while its Polar Flow app is used to organize and view user data. The number of fitness trackers on the market, from Strava and Runkeeper to many others, suggests that the answer is no. So, if you select a site as "military base" in the app and choose any fitness regime, the app would reveal the names of all the users associated with that exercise.

Polar has temporarily suspended a feature on its Flow platform, after it was revealed the app's privacy settings allowed for access to potentially sensitive information of some of its users.

The investigation found detailed personal information, including home addresses, of military personnel, persons serving on submarines, Americans in the Green Zone in Baghdad and Russian soldiers in Crimea, the researchers said.

We can find Western military personnel in Afghanistan through the Polar site.

Overall, Potsma and Bellingcat (along with Dutch journalism platform De Correspondent) were able to compile a list of approximately 6,500 unique users from Polar's site, with their exercise logs openly displaying the places they "work, live, and go on vacation".

"By showing all the sessions of an individual combined onto a single map, Polar is not only revealing the heart rates, routes, dates, time, duration, and pace of exercises carried out by individuals at military sites, but also revealing the same information from what are likely their homes as well", explained Bellingcat.

The investigation found the names and addresses of personnel from multiple intelligence agencies including the NSA, US Secret Services, and MI6. "We also learned the names and addresses of personnel at nuclear storage facilities, maximum security prisons, military airports where nuclear weapons are stored, and drone bases", the De Correspondent reporters noted.

The researchers shared their research with national defense departments around the world, intelligence agencies, Polar and other app makers.

Polar ultimately chose to disable the map on its website, preventing others from recreating this research.

The research shows that Polar publicizes more data per user in a more accessible way, with potentially disastrous results. But these default settings were only introduced in August 2017.

While noting that users have always had the option of making their profiles private, Polar responded to the report by shutting Explore.

As part of its response, Polar seems to have shut down its Explore API for the time being and has promised to "raise the level of privacy protection and heighten the awareness of good personal practices when it comes to sharing Global Positioning System location data". And you can see where those runs start and stop. It's also odd that Polar didn't learn from Strava's mistake.