Busy getting Kudos on Strava? Well, a new study shows that attackers can get busy finding your home address using the app’s heatmaps feature.
Heatmaps on Strava can be used to locate users’ home addresses: researchers at North Carolina State University in Raleigh found that publicly available Strava heatmap data can be used to track and identify home locations.
Strava, the popular fitness-tracking app with over 100 million users worldwide, allows runners, cyclists and hikers to track and record their outdoor activities. The iPhone and Android app can track performance stats and record a route or trail using GPS location data to share with others.
The mobile app offers a heatmap feature that compiles user GPS data anonymously onto a single map to help members discover running, cycling and swimming areas that get the most activity.
Research shows that heatmap data can de-anonymise users’ geographical data, with researchers stating, “we have demonstrated that the home address of highly active users in remote areas can be identified.”
Using Strava’s publicly available heatmap data over one month in three states (Arkansas, Ohio and North Carolina), the researchers used image analysis to show starting and ending locations on streets. A start or end location of this kind indicates a user’s home.
By overlaying images from OpenStreetMap, an open geographic database, on heatmap screenshots at a zoom level (17.33) that shows house-specific data, the researchers could identify addresses.
To locate the individual user, the team used Strava’s search feature to show users who have specified their city on their profile.
“Using the Strava search feature, the attacker has the user name (and even photos of the user), their home city, access to the Strava heatmap, and knows the number of activities the victim user has posted,” the research team state. “Then, using the heatmap data, the attacker could identify interesting points to visit to verify if they found the target individual. Thus, using the heatmap data, the attacker is able to narrow down the search space significantly.”
The NC State University researchers combined the endpoints of Strava heatmaps and user data from Strava’s search feature to narrow down high-level activity points and home addresses on a map, allowing for “de-anonymization attacks.”
Comparing voter registration data with their research, the team deduced the home addresses with a 37.5% accuracy rate. This result is based on the user posting an average of 308 activities within a 100-metre threshold.
Read the full report for more details about the research.
How can I keep my home address private on Strava?
While the research shows that an attacker can figure out a home address, there are simple ways to keep your identity and home location anonymous on Strava. The attack method is also complex, but that doesn’t mean attackers won’t abuse it.
It’s worth noting that Strava lets users set up a privacy zone between ⅛ and ⅝ mile (200m-1km) around home and office addresses, giving further control over hiding your locations.
Users living in highly populated areas, such as cities, where a large amount of heatmap data is compiled will have an easier time evading this method of tracking down home addresses, as the amount of heat data tracked makes it difficult to pinpoint an exact location.
However, those living in less densely populated areas are more at risk. If that applies to you, setting your Strava account to private is the better way to avoid being detected. Follow the steps below:
1. In your Strava app, tap the gear icon to open Settings.
2. Select Privacy Controls.
3. Manage who can see your profile. For example, tap Activities and select Only You to make your activities private.
It’s also advisable to start and stop your tracking only after you’ve left your home location, or when you are well away from your home address.
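To see what a privacy zone or a delayed start does to the start and end points the study relied on, the Python sketch below trims a GPS track before it is shared and checks whether an endpoint still falls within the 100-metre threshold mentioned above. It is an added example, not Strava's code or the researchers' method; the trimming model, function names, home coordinates and track are assumptions constructed for illustration.

```python
import math

# Radius limits taken from the article's privacy-zone range (200 m to 1 km).
MIN_ZONE_M, MAX_ZONE_M = 200, 1000
# Distance threshold the article cites for matching an endpoint to a home.
STUDY_THRESHOLD_M = 100


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))


def trim_to_zone(track, home, radius_m):
    """Drop leading and trailing points that fall inside the zone around home."""
    if not MIN_ZONE_M <= radius_m <= MAX_ZONE_M:
        raise ValueError("radius outside the 200 m to 1 km range")
    outside = [i for i, p in enumerate(track) if haversine_m(p, home) > radius_m]
    if not outside:          # whole activity is inside the zone: share nothing
        return []
    return track[outside[0]:outside[-1] + 1]


def endpoints_near_home(track, home, threshold_m=STUDY_THRESHOLD_M):
    """True if the first or last shared point is within threshold of home."""
    if not track:
        return False
    return any(haversine_m(p, home) <= threshold_m for p in (track[0], track[-1]))


# Constructed sample: an out-and-back run heading north from a made-up home.
HOME = (35.0000, -80.0000)
TRACK = [(35.0000 + 0.0005 * i, -80.0000) for i in range(0, 21)]
TRACK += TRACK[-2::-1]       # return along the same street

if __name__ == "__main__":
    trimmed = trim_to_zone(TRACK, HOME, 400)
    print("raw endpoints near home:", endpoints_near_home(TRACK, HOME))
    print("trimmed endpoints near home:", endpoints_near_home(trimmed, HOME))
    print("points kept:", len(trimmed), "of", len(TRACK))
```

Points inside the zone in the middle of a route are kept in this model; only the start and end segments are removed.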