Researchers at NC State University have outlined potential privacy issues with popular fitness app Strava which could lead to users’ homes being pinpointed. The researchers’ findings are detailed in a paper called “Heat marks the spot: de-anonymising users’ geographical data on the Strava heat map”.

Strava, used by more than 100 million people, includes features you’d commonly see in this kind of product, like heart rate, GPS data, and so on. Users can build up a picture of their health-related activities over time and make informed decisions based on the findings of the service.

The mobile app is designed to track exercise activity, but it also includes a social component, allowing users to connect with each other. The researchers’ primary concern is the heat map feature, which aggregates user data and lets you see how many people are exercising in various locations.

Although there are attempts to anonymise user data, the study highlighted ways in which some personal information (including home address) could be found. Researchers claim they found a “loophole” that gets around the anonymity of aggregated heatmap data. From their post:

Specifically, the researchers found it is possible for anyone to look up all of the Strava users in a given area. It is also possible for users to look at the aggregate data on a heatmap and see where each of the anonymous users’ routes begin and end.

“In a densely populated area, with lots of routes and lots of users, there is so much data that it would be extremely difficult to track any specific person,” Das says. “However, in areas where there are few users and/or few routes, it becomes a simple process of elimination – particularly if the person someone is looking for is a highly active Strava user. Even users who have marked their accounts as private show up when anyone searches for a list of all the users in a given municipality, so marking an account private doesn’t necessarily provide additional protection against this tracking technique.”

Strava told the researchers that heat map data isn’t shared unless several users are active in any given area, but the researchers still managed to identify the home addresses of some users via the heatmap. These locations were confirmed using voter registration data. Note that depending on which country you live in, voter data may not be available to use in this manner (or even be available in the first place).

While this may all sound very straightforward, the actual process is fairly involved. As Bleeping Computer highlights, the process is as follows:

  • Collect data on your chosen location for a period of roughly a month.
  • Overlay OpenStreetMap (an open geographic database maintained by volunteers) at a zoom level which allows for singling out residence addresses.
  • Compare heatmap endpoints and user data accessible from search to establish connections between “high activity points” and home addresses.

This, combined with public profiles displaying real names, photographs, and data related to specific activities, means that singling out certain users was achievable. A word of caution: the success rate for this kind of needle-in-a-haystack activity is not fantastic. The study mentions that more active users will be potentially easier to track down, but for “average” users of the app the likelihood of being discovered is 37.5%.

The paper highlights a few of the ways Strava users can reduce the possibility of falling victim to this attack, but a lot depends on the app developers implementing them or the randomness of your personal circumstances. For example, living in a heavily populated area will go a long way toward blending you into the crowd.

Another is setting large exclusion zones around your home area, to make it impossible to figure out which specific location you’re exiting and entering. You can set your Strava profile to private, and also disable the heatmap feature if you don’t need any of the social features available to you. If you use another form of fitness tracking app, this is the ideal moment to see what data you may be sharing and lock down as needed.
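To show what an exclusion zone does to a recorded route before it is shared, here is an added example (not code from the paper, Strava or the original article) that drops every GPS point inside a zone around a home location. The coordinates, the 800 m radius, the offset zone centre and all function names are constructed assumptions for illustration.

```python
import math
import random

EARTH_RADIUS_M = 6_371_000

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def zone_centre(home, radius_m, rng):
    """Pick a zone centre up to radius_m / 2 away from home, so the home stays
    well inside the zone while the zone is not centred on the address.
    Assumption of this example: chosen once per user and stored, not per activity."""
    dist = rng.uniform(0, radius_m / 2)
    bearing = rng.uniform(0, 2 * math.pi)
    dlat = dist * math.cos(bearing) / EARTH_RADIUS_M
    dlon = dist * math.sin(bearing) / (EARTH_RADIUS_M * math.cos(math.radians(home[0])))
    return (home[0] + math.degrees(dlat), home[1] + math.degrees(dlon))

def apply_exclusion_zone(track, centre, radius_m):
    """Return only the track points that lie outside the exclusion zone."""
    return [p for p in track if haversine_m(p, centre) > radius_m]

def demo():
    rng = random.Random(7)            # fixed seed so the example is repeatable
    home = (35.0000, -78.0000)        # constructed location, not a real address
    # Constructed route: 40 points heading north from the front door, ~50 m apart.
    track = [(home[0] + i * 0.00045, home[1]) for i in range(40)]
    centre = zone_centre(home, 800, rng)
    published = apply_exclusion_zone(track, centre, 800)
    return home, centre, track, published

if __name__ == "__main__":
    home, centre, track, published = demo()
    print(f"recorded {len(track)} points, published {len(published)}")
    print(f"first published point is {haversine_m(home, published[0]):.0f} m from home")
```

The same trimming has to be applied to the end of a route as well as the start, which this filter does because it tests every point rather than only the first few.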

