Some of the most popular running apps are still lagging behind on security and privacy. That’s the verdict from security researchers who examined the leading running apps five years apart and found only a few apps had improved — and not by much.
Running apps know and learn a lot about you as you use them. Your health data, like your height and weight, are used to calculate how many calories you burn, and your location data can track your workout route from door to door.
But in the wrong hands, this data can identify where you live or where you work. In 2018, Strava said it would simplify its privacy features to allow its users greater control over their data after researchers found Strava app users were inadvertently sharing their workout data and revealing military bases and secret government facilities.
Now, researchers at U.K. cybersecurity firm Pen Test Partners say many of the top apps — Strava, Runkeeper, MapMyRun, Nike Run Club, and Runtastic — still don’t use basic security measures to prevent hackers from breaking in or health and fitness data spilling out.
Only Runtastic had set a more robust password policy over the past five years, while the other apps still allow some of the most basic passwords like “123456” and “password,” the researchers found in their testing. Malicious hackers often automate their attacks by targeting user accounts with known or easy-to-guess passwords. Worse, none of the apps allow users to set up two-factor authentication, a feature that puts an additional barrier in place to prevent malicious hackers from reusing stolen passwords. Data from Google shows even the simplest form of two-factor authentication can prevent most automated password reuse attacks.
We asked each of the app makers why they had not implemented two-factor authentication. None of the companies commented.
The researchers also found that while Runtastic, Nike Run Club, and MapMyRun had improved their privacy controls, Strava had seen “no significant change.”
From their report: “Strava and Runkeeper are configured to publicly share user data by default. It is possible to change these settings in the application, but it takes some time to find them and set them correctly, which is probably not the first consideration for a regular user.”