
How to Guard Your Privacy in Fitness Apps and Devices

Summary:

Are you working on a new year’s resolution to be healthier? Know that two of the biggest brands in the fitness app and device market are facing questions about their ability to protect users’ privacy and identity. Here are the main privacy concerns, plus tips on how to stay safe.

Getting in shape shouldn’t mean giving away sensitive information


If you’re starting this year with a vow for better health, you’re not alone. According to a 2023 survey from Forbes Health, 48% of people said improving fitness is a top priority—making it the number one new year’s resolution. And if you’re planning to use fitness apps or devices to help achieve your goal, you’ve really got company. Last year, fitness apps had 368 million users and more than 850 million downloads.

While fitness-tracking apps and devices can make workouts more fun and productive, they can also carry risks to your privacy and identity. Many of these apps allow outside entities to collect your personal information for business purposes, including data broker sites that sell people’s information to marketers and other parties. Through location-sharing features and public profile settings, these apps can even give stalkers or other malicious actors an opportunity to track and target you in the real world.

Two of the biggest names in the fitness tech industry are currently facing scrutiny over their alleged shortcomings in protecting user privacy. Here’s a breakdown of those privacy concerns, along with advice on how to keep your personal data protected.

The risks of Strava location sharing

We’ve written before about the potential privacy and security vulnerabilities of Strava, a leading fitness-tracking app. Researchers have found that Strava users, especially those who live in less-populated areas, could have their exact location pinpointed by stalkers or other bad actors through the app’s “heatmap” feature, which reveals popular routes taken by Strava runners and cyclists in the area.

Now the issue has gone international. The French newspaper Le Monde has reported that the movements and locations of world leaders can potentially be exposed because some of their bodyguards have publicly visible Strava accounts. As part of the investigation, the newspaper observed the “heatmap” routes of various bodyguards, particularly those near meeting venues and other private locations. By reviewing the patterns of these movements, Le Monde was able to determine the whereabouts of political leaders at specific times—information that could pose a security threat. The report is yet another demonstration of the risks involved in allowing a fitness app to reveal your movements to other users.

Peloton security and privacy risks

Meanwhile, for anyone planning to use Peloton fitness equipment as part of their health journey this year, be aware that the parent company, Peloton Interactive Inc., faces some questions about device security and user privacy.

According to Security Week, an analysis has found that Peloton fitness equipment “is plagued with numerous security issues that could allow attackers to obtain device information or deploy malware.” The issue stems mainly from the fact that the Internet-connected Peloton treadmill uses an outdated version of the Android operating system, which has not been updated to fix critical security flaws. Additionally, attackers who have physical access to the treadmill could exploit the system’s vulnerabilities for malicious purposes like stealing personal data or launching a ransomware attack.

Peloton also faces a class-action lawsuit over claims it violated the anti-wiretapping California Invasion of Privacy Act (CIPA). Peloton is accused of recording online chat conversations between users and Peloton representatives on the company’s website, and turning over this data to a third party—an AI-focused marketing firm—without seeking user permission.

Tips for staying safe while getting fit

Here are some practical ways you can improve your privacy while limiting the personal information you provide to fitness apps and devices.

Always read the fine print in the privacy policy of any app or connected device. Look particularly for information on data sharing with third parties. If you’re not comfortable with how freely the company gives away your data, opt out of data sharing.

Install a virtual private network (VPN), such as SafeWiFi from IDX, on your Internet router. This encrypts the connection on devices like your phone and Wi-Fi-enabled fitness equipment, preventing bad actors from discovering your identity, online activity, or location.

Stay semi-anonymous. Don’t assist bad actors in their search for your location or identity. Avoid doing things like revealing your full name in your account username, listing your hometown in your profile, or uploading personal photos.

Don’t put off software updates. Your devices should be kept current with the latest available software updates, as these usually contain critical patches for the latest security issues. Make things easy by turning on automatic updates.

Get strict with the settings. Go into the privacy settings of your fitness app or device. Opt out of any “aggregated data usage” feature, limit location-sharing permissions, and make sure your full profile is visible only to your trusted circle.

Regardless of your new year’s resolutions, your privacy and identity deserve maximum protection. Consider a comprehensive coverage plan like IDX Complete, which offers a wide selection of protective tools and services including the SafeWiFi VPN, 24/7 credit monitoring, automatic personal data removal, and a blocker that prevents your data from being tracked across the web.
