Polar Flow Fitness App Exposes Soldiers, Spies | Privacy

By John P. Mello Jr.

Jul 10, 2018 5:00 AM PT

A popular fitness app provided a handy map for anyone interested in shadowing government personnel who exercised in secret locations, including intelligence agencies, military bases and airfields, nuclear weapons storage sites, and embassies around the world.

The fitness app, Polar Flow, publicized more data about its users in a more accessible way than comparable apps “with potentially disastrous results,” found Bellingcat and De Correspondent investigators, who released the results of their research on Sunday.

Polar Flow offered functionality that combined all of an individual’s exercise sessions on a single map.

“Polar is not only revealing the heart rates, routes, dates, time, duration and pace of exercises carried out by individuals at military sites, but also revealing the same information from what are likely their homes as well,” states the report.

Tracing all of that information was very simple through the site, the investigators noted. Find a military base, select an exercise published there to identify the attached profile, and see where else a person has exercised.

“As people tend to turn their fitness trackers on/off when leaving or entering their homes, they unwittingly mark their houses on the map,” the report notes.

Goldmine of Intelligence

Through the Polar Flow app and public information, such as social media profiles, Bellingcat and De Correspondent identified a number of individuals working in sensitive positions, including the following:

  • Military personnel exercising at bases known, or strongly suspected, to host nuclear weapons;
  • Persons working at the FBI and NSA;
  • Military personnel specializing in cybersecurity, IT, missile defense, intelligence and other sensitive domains;
  • Persons serving on submarines, exercising at submarine bases;
  • Individuals both from management and security working at nuclear power plants;
  • Russian soldiers in Crimea; and
  • Military personnel at Guantanamo Bay.

API Shutdown

In response to the Bellingcat and De Correspondent findings, Polar Flow temporarily suspended an API at a website that exposed a rich vein of user information.

Polar emphasized that it had not leaked any data and that there had been no breach of private data.

The vast majority of its customers maintained the default private profile and session settings, the company said, and were not affected by the issues described in the report.

Sharing training session and GPS location data is an opt-in customer choice, Polar said.

Still, because potentially sensitive locations were appearing in public data, the company decided to suspend its Explore API temporarily.

Users should assume some of the burden of protecting their data, said Corey Milligan, a senior threat intelligence analyst at

“Users need to be aware of the kind of data they’re putting out there,” he told TechNewsWorld. “Any data you put out there, whether it’s on Facebook or on an app like this, you need to utilize the security mechanisms that are in place for the application itself, at the very least.”

Consumers Need to Push Security

Initial configurations for many apps can present a problem for users, especially those with a minimal interest in security.

“The default on these things is to share information,” said Willy Leichter, vice president of marketing at

“If you allow it to share your location, it’s almost never clear where that information is going,” he told TechNewsWorld.

“Once it gets to the app’s server, companies seem to be comfortable sharing it or being creative with it,” Leichter pointed out. “That’s going to change in Europe with the GDPR (General Data Protection Regulation),” he said. “There’s going to be a lot of lawsuits around things like this because you can no longer share information about people without their explicit permission.”

“GDPR is going to make some pretty profound changes come about, especially if the U.S. adopts some kind of GDPR-like regulation to protect data,” added Armor’s Milligan.

Consumers can protect what apps do with their data in another way, suggested Parham Eftekhari, executive director of the Institute for Critical Infrastructure Technology.

“One of the most important things consumers need to do, which no one is speaking about, is start to be vocal with app developers and ask questions about security so that developers understand that security is important and a factor in the buying process,” he told TechNewsWorld.

“When companies start to tie revenue to security, it will become a bigger priority,” said Eftekhari, “and that process will happen more quickly when consumers begin to speak up in greater numbers during the sales process.”

A Familiar Problem

Polar Flow is not alone in revealing sensitive information about soldiers and spies. Nathan Ruser, an Australian student studying international security and the Middle East, earlier this year explained how fitness-tracking app Strava could be used to identify the location of Australian military bases and personnel routines.

Information leakage through mobile devices is not a new problem for the military, either.

“Mobile devices, given their promise of mobility with rich functionality, are being deployed with broadening use cases throughout the United States Department of Defense,” Jason L. Brooks and Jason A. Goss wrote in a paper for the U.S. Naval Postgraduate School back in 2013.

“All the while, massive quantities of information are stored and accessed by these devices without there being a comprehensive and specialized security policy dedicated to protecting that information,” they added.

The military subsequently adopted rules governing the use of cellphones and tablets, including a prohibition on bringing personal electronic devices into sensitive areas.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for a number of publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.

