Man running on city street using Strava

Heatmaps on Strava have been used to locate users’ home addresses, as researchers at North Carolina State University Raleigh discovered using publicly available Strava heatmap data can track and identify home locations.

Strava, the popular fitness-tracking app with over 100 million users worldwide, allows runners, cyclists and hikers to track and record their outdoor activities. The iPhone and Android app can track performance stats and record a route or trail using GPS location data to share with others.

The mobile app offers a heatmap feature that compiles user GPS data anonymously onto a single map to help members discover running, cycling and swimming areas that get the most activity.

Research shows that heatmap data can de-anonymise users’ geographical data, with researchers stating, “we have demonstrated that the home address of highly active users in remote areas can be identified.”

Using Strava’s publicly available heatmap data over one month in three states, Arkansas, Ohio and North Carolina, the researchers used image analysis to show starting and ending locations on streets. This indicates that this location would be a user’s home.

Overlaying OpenStreetMaps, an open geographic database, images on heatmap screenshots and using a zoom level (17.33) to show house-specific data, the researchers could identify addresses.

To locate the individual user, the team used Strava’s search feature to show users who have specified their city on their profile.

“Using the Strava search feature, the attacker has the user name (and even photos of the user), their home city, access to the Strava heatmap, and knows the number of activities the victim user has posted,” the research team state. “Then, using the heatmap data, the attacker could identify interesting points to visit to verify if they found the target individual. Thus, using the heatmap data, the attacker is able to narrow down the search space significantly.”

Strava Heatmap Home Address Location
Attacker using Strava heatmap feature visualisation via anupamdas.org

The NC State University researchers combined the endpoints of Strava heatmaps and user data from Starva’s search feature to narrow down high-level activity points and home addresses on a map, allowing for “de-anonymization attacks.”

Comparing voter registration data with their research, the team deduced the home addresses with a 37.5% accuracy rate. This result is based on the user posting an average number of 308 activities within a 100-metre threshold.

Strava Heatmap Data Correlation Graph
Graph showcasing correlation between number of activities and likelihood of being discovered via anupamdas.org

Read the full report for more details about the research.

How can I keep my home address private on Strava?

While the research shows that an attacker can figure out a home address, there are simple ways to keep your identity and home location anonymous on Strava. This method is also complex, but that doesn’t mean attackers won’t abuse it.

It’s worth noting that Strava lets users set up a privacy zone between ⅛ and ⅝ mile (200m-1km) around home and office addresses, allowing further control of hiding your locations.

Users living in highly populated areas, such as cities, that compile a mass amount of heatmap data will have an easier time evading this method of tracking down home addresses, as the amount of heat data tracked makes it difficult to pinpoint an exact location.

However, those living in less densely populated areas are more at risk. With this being the case, setting your Strava account to private is better to avoid being detected. Follow the steps below:

1. In your Strava app, tap the gear icon to open Settings.

2. Select Privacy Controls.

3. Manage who can see your profile. For example, tap Activities and select Only You to make your activities private.

Strava app Privacy Control Settings

It’s also advised to start and stop your tracking after you’ve left your home location or well away from your home address.

Looking for more ways to stay anonymous online? Your best bet is to use the best VPNs so that no one can track you. Wondering if streaming with a VPN is legal? We’ve got you covered.

Darragh Murphy
Darragh Murphy is fascinated by all things bizarre, which usually leads to assorted coverage varying from the mischievous world of online security to washing machines designed for earbuds. Whether it's connecting Scar from The Lion King to two-factor authentication or turning his love for laptops into a fabricated rap battle from 8 Mile, he believes there’s always a quirky spin to be made. When he's not checking out the latest devices and all things tech, he can be found swimming laps, watching terrible shark movies, and trying to find time to game.  Previous Editor at Laptop Mag and News Editor at Time Out Dubai, specialising in food culture, nightlife events, gaming, tech and entertainment.

LEAVE A REPLY

Please enter your comment!
Please enter your name here