Strava Fitness App Can Reveal Military Sites, Analysts Say

A fitness app that posts a map of its users’ activity has unwittingly revealed the locations and habits of military bases and personnel, including those of U.S. forces in Iraq and Syria, security analysts say.

The app, Strava, which calls itself “the social network for athletes,” allows millions of users to time and map their workouts and to post them online for friends to see, and it can track their movements at other times. The app is especially popular with young people who are serious about fitness, which describes many service members.

Since November, the company has published a global “heat map” showing the movements of people who have made their posts public. In the last few days, after the app’s oversharing was identified on Twitter by a 20-year-old Australian university student, security analysts have started to take note of that data, and some have argued that the map represents a security breach.

Strava “is sitting on a ton of data that most intelligence entities would literally kill to acquire,” Jeffrey Lewis of the Middlebury Institute of International Studies at Monterey, California, warned on Twitter.

Some analysts have taken to social media to warn that, although the map does not name the people who traced its squiggles and lines, individual users can easily be tracked by cross-referencing their Strava data with other social media use. That could put individual members of the military at risk, even when they are not in war zones.

The outlines of known military bases around the world are clearly visible on the map, especially in countries like Afghanistan, Iraq and Syria, where few locals own exercise tracking devices. In those places, the heat signatures on U.S. bases are set against vast dark spaces. Tobias Schneider, a security analyst, wrote on Twitter that “known Coalition (i.e. US) bases light up the night.”

In Afghanistan, for instance, two of the largest coalition bases in the country — Bagram Airfield, north of Kabul; and Kandahar Airfield, in southern Afghanistan — can easily be picked out. The same is true for smaller bases around the country whose existence has long been public.

But there also appear to be other airstrips and base-like shapes in places where neither the U.S.-led military forces nor the CIA are known to have personnel stations.

Perhaps more problematic for the military are the thin lines that appear to connect bases. Those lines seem likely trace the roads or other routes most commonly used by U.S. forces when traveling between locations, and their exposure could leave troops open to attack when they are most vulnerable.

The Pentagon did not directly address whether the heat map had revealed any sensitive location data. But Maj. Audricia Harris, a Pentagon spokeswoman, said that the Defense Department recommends that all its personnel limit their public social media profiles and that it was reviewing the situation.

“Recent data releases emphasize the need for situational awareness when members of the military share personal information,” Harris said. The Pentagon “takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required,” the major added.

The CIA declined to comment.

The threat also extends to countries where the app is more popular. Lewis of the Middlebury Institute wrote in The Daily Beast that the pattern of movements clearly showed the location of Taiwan’s supposedly secret missile command center.

Strava is not the first program to collect far more information, including location data, than users realize, nor is it the first to make some of that information available to prying eyes, intentionally or not.

Researchers at Kyoto University revealed in 2016 that they could find the precise locations of people who used popular dating sites, even when the users took steps to disguise that information. Last year, data was found online that would allow anyone to track more than half a million cars with GPS devices.

But the Strava app, which works with wearable technology, goes even further in tracing people’s location with precision and sharing that information with the world. The map’s settings show the extent to which routes are traveled, and whether on foot, by bicycle or in a vehicle.

Strava, which is based in San Francisco, claims tens of millions of users, in almost every country. The app can be used on Apple and Android phones, and wearable activity trackers like Fitbit devices, the Apple watch, and Garmin and Suunto sports watches.

The company released a statement Sunday noting that the app has privacy settings that can exclude users from the map and hide their activities from the general public. It urged people to read a blog post from last year about how to use those settings.

The map “excludes activities that have been marked as private and user-defined privacy zones,” the company said. “We are committed to helping people better understand our settings to give them control over what they share.”