Keeping Your Mobile Fitness Data Secure
October is National Cyber Security Awareness Month. Mobile fitness trackers are a new technology that is all the rage. Learn how to secure your health data and continue to use these useful tools in becoming a healthier you. This is part 10 in a series of blog posts we will be publishing on various topics aimed at educating you on how to stay protected on today’s Internet landscape.
The advancement of technology brings tools that can allow us to track every facet of our daily lives: what we eat, how we sleep, how much we run, and even vital signs like heart rate and blood pressure. On the surface, this kind of data doesn’t seem like it would be very attractive to cybercriminals. However, GPS allows tracking of your daily activities, which can aid in cyber stalking. How much you run and where can help tailor aggressive advertising, such as when it’s time to buy new running shoes. Personal data that is shared with these devices, such as your name, age and location, can also aid criminals in stealing your identity. Collectively, this data paints a much larger picture of the user. Because wearable devices track very personal health data and transmit it via Bluetooth LE or wireless Internet, the information they hold is vulnerable to cybercriminal activity.
Symantec Security Response experts conducted an in-depth study on wearable health tracking devices and apps and found that there were multiple vulnerabilities with these devices, which hackers could exploit to gain access to your personal information.
How Do These Devices Work?
Wearable devices are essentially data collectors. Worn on the body, usually in the form of a wristband, watch, or a device that can be clipped onto your shoes or bicycle, these devices contain sensors such as accelerometers and gyroscopes that are used to collect information about your movement and location. In order to interpret that data, most of these devices connect to mobile apps. The app then crunches the data and analyzes it, storing it on the main device and sometimes transmitting it to the cloud for additional storage. The security of these apps is often weak, and many implement poor session management, which lets attackers figure out the user space and pick out personal data that the users are tracking, including sensitive user data such as your name, date of birth, location, age and usernames.
Sometimes, the smartphone itself is the tracking device. Recently, my doctor told me that I needed to exercise more. I have an iPhone 6, and I’ve been utilizing the new Health app to track my movements. Using the built-in sensors, it tells me how many steps a day I take and how many flights of stairs I have climbed in a particular day. Our smartphones themselves can use the built-in sensors for a multitude of tracking data. Most smartphones have a barometer, accelerometer, gyroscope, heart rate sensor, proximity sensor, ambient light sensor and GPS. That’s a lot of information that can be tracked via one device. Some third-party apps will track this information as well, and add GPS locations, which will store data that can tell me where I am, when I am there, and how quickly I am getting there. That’s an awful lot of data about my daily habits, and definitely data that I don’t want falling into the wrong hands.
Data Security Concerns
20% of apps transmit user login credentials in clear text (not encrypted), which puts users at greater risk of having their accounts compromised. These fitness and health tracking apps also connect to a large number of domains, which could mean that they are sharing information with multiple advertising networks and research analytics firms for marketing, app performance/testing, and user behavior research purposes. Many of these apps lack a privacy policy, which makes it unclear how personal data will be used once it’s tracked. Additionally, this data can be stolen by mobile malware.
Tips To Keep Your Identity Safe With Mobile Apps and Wearables
So, how do you keep your tracked data safe from these kinds of vulnerabilities that our researchers found? They provided some tips to help keep your information private and secure:
- In order to thwart location stalkers when you’re using a wearable device, make sure that you do not include any personally identifiable information, such as your own name. Think of an alias that motivates you. “HalfTigerHalfUnicorn” is a lot more fun than “Sue Smith” anyway, right? Additionally, turn off Wi-Fi and Bluetooth when these devices are not being used to transmit data to the app.
- Mitigate the risk of your password being compromised by choosing a complex password unique for this service. Check out our article on how to create strong passwords if you’re stuck. Don’t reuse the same password for multiple devices and applications. If a cybercriminal were to gain access to one of these accounts, they could gain access to all of them.
- Always check the privacy policy of the apps you download to make sure that you know how your data is being used. If there is no privacy policy available for the app, we strongly encourage you not to download it, as you will have no idea what data is being collected and how it is being used.
- When using a mobile phone or tablet to store this data, use a screen lock and password on the device.
- Be aware of what data the device or app wants to use on your phone. If it seems illogical, such as a running app requesting access to your contacts, deny the permission.
- Use caution when using social sharing with these apps. Social sharing features can give away your location and when you were doing your workout. Cybercriminals can use this to track your movements, which could lead to a potential cyberstalking issue. If you choose to share this data on social media, check your security settings on the account and be sure that it is only shared with trusted friends and family.
- Install app and OS updates as soon as they become available. These updates can help patch newly discovered security holes.
Technology can be an amazing motivator for us to become healthier, happier people. However, as with all forms of digital data, we must be diligent in protecting our privacy. These new tools can be life changing for those that choose to use them. But before diving into this new form of technology, be sure to educate yourself on the risks of using them and how to be smart about the protection of your data.
For more information on this latest study, please visit the Symantec Security Response blog on Symantec Connect.
This is part 10 of a series of blogs for National Cyber Security Awareness Month.