Fitness apps, by their very nature, have access to a wealth of personal data, especially those that track outdoor activities — primarily running. During tracking, they collect a ton of data — heart rate and other physical activity metrics, step count, distance covered, elevation changes, and, of course, geolocation — to give you a detailed analysis of your workout.
And people rarely jog in random locations; their routes usually repeat and are often close to home, work, school, or a military base: essentially, places they go to often and, most likely, at regular times. What happens if this information falls into the wrong hands?
The consequences can be catastrophic. For instance, a few years ago, a map published by a certain running app revealed the locations of several secret military facilities. And in the summer of 2023, a hitman allegedly used this data to shoot to death Russian submarine commander Stanislav Rzhitsky during his run.
Of course, the leakage of geolocation data can be dangerous not only for military personnel. It’s easy to imagine scenarios where it could lead to trouble not only for obvious targets — such as celebrities, political figures, or top company executives — but for ordinary people too.
Once they’ve got their hands on your movement data, attackers can readily use it for blackmail and intimidation. If the victim hears that the criminal knows all their movements and where they live, they’re significantly more likely to get scared and comply with any demands.
In addition to direct threats, geolocation info perfectly complements data leaked from other apps, or collected through doxing — making targeted attacks much more potent. Don’t think that you’re not important enough for scammers to prepare a complex attack: anyone can become a victim, and the criminals’ end goal isn’t always financial gain.
But it’s not just geolocation data that running apps collect and analyze. Like all fitness apps, they monitor activity and physical condition, which can reveal a lot about a person’s health. This information can also be used in a social engineering attack — because the more an attacker knows about their victim, the more sophisticated and effective their actions can be.
So, it’s essential to take due care when choosing your running app and setting up its privacy — and our tips will help you do just that.
General tips for choosing a running app and configuring its privacy
The first thing you absolutely shouldn’t do is install every running tracker in existence and then choose the one you like best. This way, you’ll hand over your personal data to everyone, significantly increasing the risk of it falling into the wrong hands. The fewer apps you use, the lower the risk of a data leak — but remember, no company can guarantee 100% data security.
Some companies invest more in the security of their users than others, and preference should be given to those who take data protection and anonymization seriously. To ensure this, carefully read the privacy policy of your chosen app: responsible developers will specify what data the app collects, for what purpose, which data might be shared with third parties, and what rights users have regarding their personal data. It’s also worth searching online or asking an AI assistant if the app you’re interested in has been involved in any data leaks — simply type the app’s name plus “data breaches” or “data leak” into a search engine. And, of course, checking user reviews is also a must.
Once you’ve chosen and installed an app, the next thing to do is configure its privacy settings. Unfortunately, many running apps share collected data — including your geolocation — with the entire internet by default. You’ll find links to detailed instructions on how to set up privacy for the most popular running apps — Strava, Nike Run Club, MapMyRun, adidas Running, and ASICS Runkeeper — at the end of this post.
As with any other app, it’s a good idea to use your smartphone’s operating system features to minimize tracking. For example, on iOS, when you first launch the app, you can block it from tracking your activity in other apps. Don’t ignore this option.
In addition, don’t grant the running app access to data that it doesn’t need to function — such as photos, calls, messages, or contacts. To reduce the amount of location data collected, don’t allow fitness trackers (or most other apps, for that matter) to monitor your geolocation continuously — choose the “Only while using the app” option, available on iOS and the latest versions of Android. You can set this when you first launch the app, or later by reviewing all the app’s permissions in your smartphone’s settings or, for Android devices, in Kaspersky for Android.
In general, it’s a good idea to regularly check your smartphone’s privacy and security settings to see which apps have access to which data.
Keep in mind that privacy settings won’t protect you from being tracked if someone guesses your account password. Unfortunately, none of the most popular running apps currently support two-factor authentication — although they really should. Therefore, the best thing you can do to protect your account is to create a long and complex password — preferably at least 16 characters long. Of course, it should be unique. To ensure you don’t forget this combination of characters, save it in a password manager — which, by the way, can also generate a highly secure random password for you.
Privacy settings for popular running apps
We’ve selected the most popular jogging apps and prepared recommendations on how to set up privacy in each of them. Subscribe to our blog to make sure you don’t miss the instructions for your running tracker. As we publish the privacy setup guides, we’ll be updating this post with the relevant links. The following apps will be covered:
- Strava
- Nike Run Club
- MapMyRun
- adidas Running (formerly Runtastic)
- ASICS Runkeeper
To learn how to set up privacy for other apps — from browsers and social networks to operating systems — visit our website Kaspersky Privacy Checker.