Runkeeper data leak exposes privacy concerns for avid app users

A controversial data leak involving a popular fitness app represents only the tip of the iceberg when it comes to privacy concerns involving mobile apps, the vice president of a mobile security firm says.

According to Dave Jevans, Proofpoint’s vice president of mobile security, many apps can share who you are, your email address, your physical location, and even your browser history – though for now he says the only app to fall under widespread scrutiny is Runkeeper. The smartphone-based tracking program was recently called out for having a bug that transferred personal data to a third-party advertiser without alerting users – even when the app was not in use.

“Because [Runkeeper is] such a popular app, it has come under fire,” says Jevans. “That does not mean that any less popular apps are any more secure, it just means they haven’t been examined in great detail.”

Runkeeper has claimed that they were unaware of the bug’s presence, while the Norwegian Consumer Council (NCC), a Norwegian watchdog agency, has lodged a formal complaint against advertising firm Kiip.me, and is advocating for the company to delete all of the data that it collected. In response, Runkeeper noted that it was primarily the Android version that was impacted, but promised to release an update for iOS as well.

However, Jevans says that Runkeeper, which was initially launched in 2008 and now has over 40 million users, has had a history of security problems. For example, in 2013 it was possible to access other users' accounts on the app without knowing their passwords. The problem resurfaced in 2014.

More disconcerting, however, is the fact that the security requirements on the App Store are basically nonexistent and do not mandate a privacy policy, he says.

“We’ve analyzed over 12 million apps on both iPhone and Android,” Jevans says. “About half of them don’t even have a privacy policy.”

In the case of Runkeeper, the app does have a privacy policy in place, and outlines the following:

“The use of online tracking mechanisms by third parties is subject to those third parties’ own privacy policies, and not this privacy policy.”

“The Services also enable third-party tracking mechanisms to collect your other information for use in online interest-based advertising.”

Jevans notes that neither of these clauses is uncommon. Often, by agreeing to the terms of use of one app, a user can inadvertently agree to the privacy policies of a third-party site that is connected to the app. He also explains that apps are able to change and update privacy policies without warning.

Unfortunately, there are few precautions that users can take to protect their data once they have installed an app, Jevans says. He describes the market as “buyer beware,” and advises smartphone users to investigate an app thoroughly before agreeing to its terms of use.

Jackie Atkins
Jackie Atkins is a competitive alpine skier, student and aspiring writer who primarily contributes stories about the intersection between technology and sports to ITBusiness.ca.
