Another fitness app was caught revealing the location data of sensitive government employees
Over the years, Android and the third-party apps that run on it have found ingenious uses for our location data, including Find My Device, fall detection with wearables, and most importantly, fitness tracking. All good fitness tracking apps need accurate location data to work. Google built location data protection into Android 13 to prevent abuse, but now we’re learning about a popular trail-tracking app called AllTrails that may reveal the physical location of an important US government official.
If you don’t already know, AllTrails is like Strava for hikers, cyclists and runners, combining the benefits of activity and location tracking with social media elements. Recalling the 2018 Strava heatmap debacle that accidentally revealed the location of secret US military facilities, a security researcher identified as Wojciech told Motherboard that AllTrails is facing a similar problem. Because anyone can see AllTrails user activity, such as routes visited and routes taken, the app accidentally revealed the confidential location of a senior, but unnamed, official in the Biden administration.
The researcher successfully matched publicly visible AllTrails location data with the known travel and movements of President Biden’s staff to discover the identity of the compromised official. The AllTrails data also helped Motherboard locate the home registered to the official’s family, as this was a common starting and ending point for movement. The official in question was not named, but Motherboard confirmed that the official was the AllTrails user by trying to create an account with the official’s personal email address: the app returned an error saying that an account is already linked to that email address.
The amount and ease of access to actionable information gathered about a public official through the publicly available AllTrails data is staggering. The researcher has no malicious intent, but perhaps the official would be safer if he turned off AllTrails location access after each trip. This incident just reiterates the importance of having control over your location data and that you are partly responsible for preventing data misuse. The severity of the security situation is much greater if you are a celebrity, government official or person of interest.
Fortunately, Android is built with location data protection in mind, allowing you to limit when apps can access your location and how much access they have. Android 14 wants to make things even better, but for now you can grant only approximate location access if needed. Also, choose the duration of access carefully: just once, only when the application is running, or never. To revoke permissions already granted to apps, simply go to Settings > Security and privacy > Privacy > Permission manager > Location. After all, you voluntarily share your location data with apps like AllTrails.