Strava, a fitness tracking app, recently released its Global Heatmap which exposed the fitness routes of U.S. soldiers in sensitive locations. What should organizations do to protect themselves against this kind of exposure? Can geolocation data like this somehow be blocked?
A top priority of the U.S. Department of Defense should be to periodically review its GPS policy, and it should focus on limiting the use of fitness trackers in sensitive locations overseas. Soldiers and Army personnel should be educated on preventing the exposure of their fitness data and routes to the Strava Inc. Global Heatmap that anyone can view.
Training on the use of fitness trackers should include how anonymity can be removed from the Strava Global Heatmap to identify soldier fitness, patrol and supply routes. Enemies could use the data to plan surprise attacks against "secret" military bases and outposts. With some changes to the data for demonstration purposes, the routes of U.S. military bases in Afghanistan and Syria serve as an example of this process.
Soldiers should also be trained on how to remotely clear data collected on lost or stolen fitness trackers. Likewise, all data on a smartphone should be encrypted to make it more difficult for enemies and hackers to bypass user authentication credentials. In order to remotely clear data on a lost smartphone, the user should have a laptop or another smartphone immediately available. On the other hand, sensitive data should never be stored on a microSD card as it cannot be remotely cleared.
In order to avoid this type of incident in the future, Strava simplified its procedure for opting out of geolocation data sharing, moved its privacy mode to the first page and recommended disabling location services.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)