Cloud Security Solutions Provider Armor Warns that Consumers Must Take Part in Securing their Personal Data

July 26, 2018

Recently news broke that security researchers had discovered a flaw in a popular fitness tracker app called Polar Flow, which could potentially expose personal data about the fitness application’s users if those users opted to share their training sessions and their GPS location data. The security researchers reported that many of the application’s users included military personnel and government intelligence officers, and that the application could be queried to reveal a user’s name and home locale, including those living and exercising near secretive locations “such as intelligence agencies, military bases and airfields, nuclear weapons storage sites, and embassies around the world.”

Upon learning about this flaw, Polar, the maker of the Polar Flow application, reportedly shut down its “Explore API” temporarily; this was the component said to have enabled the security researchers to access the user information.

This is the second fitness application to make headlines this year. In January, it was revealed that Strava, another popular application for tracking activity and exercise, had released an “anonymized” heatmap of all of its global data in November 2017. This inadvertently exposed secret U.S. facilities and military bases in little-known locations in war zones, because soldiers and staff had uploaded their fitness tracking data to Strava.

On the heels of this, Corey Milligan, a Sr. Security Researcher with Armor’s Threat Research Unit (TRU) team and an 18-year cybersecurity veteran of the Department of Defense (DOD), stated, “Yes, the General Data Protection Regulations (GDPR), which went live in the EU in May (giving each EU member country the power to fine organizations located within their country that are not complying with the GDPR regulations up to $26 million USD or 4% of the business’ global revenue, whichever is highest), will go a long way in helping protect the personal data of those residing in the EU. And if GDPR-type regulations get adopted across the U.S., like they have in California, then certainly consumers in the U.S. will see more protection for their data.” “However, consumers must do their part in securing their personal data,” continued Milligan.

Milligan advises the following security steps: 

  • Consider Submitting Anonymized Profile Data—Many applications are designed to share a participant’s data, even when their apparent function doesn’t seem to require it. In most cases, especially with regard to mobile apps, users will be notified just prior to installation about what sort of data the app requires access to. These notifications should be carefully reviewed before one gives consent to continue the installation. Users should consider the risk that their data could potentially be shared, leaked, or even sold under the agreements they accept when choosing to download, install and use an app.

After taking all of this into consideration, if one does choose to use an application but does not want to risk exposing personal information, there are steps one can take to keep that personal data private. First, ensure that the app is not tied to your social media or email account. Apps will often offer you the “convenience” of logging in using an existing social media or email account, e.g., Gmail. Allowing this can inadvertently give the app access to those accounts, and while the app’s intent is likely to enable features that require these integrations, it creates opportunities that threat actors can exploit to get access to your personal data.

This first step is easier said than done, considering that most apps will require you to at least provide an email address in your profile for account management functions, e.g., password reset. Additionally, they will likely want you to provide a name and maybe even an address for your profile. In this case, one may consider providing anonymous profile data. There are a couple of ways to do this. The less risky and complicated route is to create a new email account with the provider of your choice, and to use this email account only for situations like this, where you don’t want to expose the email addresses that you use for work or personal communications. Then you can simply use your imagination to come up with fake personal information to fill out the rest of the profile.

For the thrill seekers, there are services available to use at your own risk that will generate a fake profile for you, including a fake name, address, zip code, mother’s maiden name, first five of social security number, phone number, birth date, email address, etc. If you want to test the waters, a search for “fake profile” in your favorite search engine should get you there.

  • Turn Off Location Services for Unnecessary Apps—All of your efforts to hide behind fake profile data can be undone by sharing your location through an app. As mentioned before, most apps will tell you at installation what kind of data they require access to, including location data. Users should seriously consider whether or not they really want to have location services enabled for their apps. For those who may not have noticed what data an app uses when they installed it, your mobile device settings should give you an option to see which apps are using location data and to turn it off, or at least limit it. Again, a search for “location services on” followed by the name of your device in your favorite search engine should get you the instructions you need.
  • Limit the Type of Personal and Business Information You Are Publishing on Social Media Sites—Consumers should carefully assess the amount of personal and business information they are sharing via social media channels such as LinkedIn, Facebook, Twitter, etc. This is especially true for persons working in organizations that are potential targets for threat actors involved in financial cybercrime, cyber espionage or hacktivism. No matter your occupation, you should always limit the amount of information you share about your day-to-day job duties, the systems you are working with, your and your colleagues’ travel schedules, home address, phone numbers, family members’ names (especially your mother’s maiden name), etc. By sharing too much information, you take the chance of putting yourself and your family at risk, as well as your employer’s business. As seen in case after case, threat actors continually monitor social media sites looking for personal and business data they can use in their nefarious cyber scams.
  • Maintain Work Activity and Work Information on Work Devices and Personal Activity and Personal Information on Personal Devices When Possible—Whenever possible, it is best to use one’s work devices for doing one’s work and for accessing work information. Likewise, when doing personal activity and accessing personal information, it is best to use one’s personal devices. This way, a user lowers the risk of accidentally introducing malware into the business environment, and vice versa. Additionally, most businesses, no matter what industry they are in, should be following security protections that require their employees to go through additional layers of security to access the business’ network, such as two-factor authentication, a Virtual Private Network, etc.