Finland-based fitness giant Polar accidentally revealed the locations of millions of users, including military officers and intelligence agents, on its fitness app, Polar Flow. A joint investigation by Bellingcat and the Dutch publication De Correspondent found that it is much easier to track user location data on Polar Flow than on Strava, another controversial fitness app.

This flaw in the fitness tracker app could be a gold mine for data hackers involved in anti-national activities, because the investigation team was able to pinpoint the names, pictures, and homes of Polar Flow users stationed at secretive locations “such as intelligence agencies, military bases and airfields, nuclear weapons storage sites, and embassies around the world.”

In light of the investigation, the fitness company decided to deactivate the Explore feature in Polar Flow from July 6. “Currently the vast majority of Polar customers maintains the default private profiles and private sessions data settings, and are not affected in any way by this case,” Polar said in its statement.

“While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API.”


The investigators could extract the information of individuals exercising at over 200 sensitive sites using Polar Flow.

Easier to Track People on Polar Flow

Compared to other fitness tracker apps, Polar Flow uses a different interface to record and display users’ information, such as heart rates, routes, dates, times, durations, and pace of exercises. To track data on Strava and Garmin, a user needs to find a particular individual and then click on a specific fitness regime to view that person’s sessions one at a time. In fact, these fitness apps often restrict the number of exercises that can be tracked.

In contrast, the Polar Flow app shows all of a user’s exercise information on a single map, Bellingcat reports on its website. So, if you select a site such as a military base in the app and choose any fitness regime, the app reveals the names of all the users associated with that exercise. From there, anyone tracking a user can tap on an individual’s name and get access to all of that person’s information available since 2014.

During the in-depth investigation, the researchers could extract the information of individuals exercising at over 200 sensitive sites, including the FBI, the NSA, the North Korean border, Islamic States and others. They could even compile a list of 6,500 unique users staying at these sites.

A data leak of this size poses a serious risk to national security and calls for a high level of scrutiny. The US military is already in the process of reviewing its rules for fitness trackers.

“Protect your health, biometrics and financial information,” wrote Secretary of Defense Jim Mattis in a June memo. “The potential consequences of compromised data could be serious, not just for you and your families, but for the readiness and resiliency of this department.”