Strava “API” and privacy leaks.

Monday, July 8th, 2013

I previously had some pages which used the Strava API to do useful things for me. The one I used most was seeing who rode climbs together: it simply used the API to see everyone who rode a segment and then tracked their start times so you could see who was riding with whom. It was also really useful to see changes in time between groups in a race, i.e. the break started a lap 2 minutes ahead and then next lap only 1 minute.

Strava killed their previous API though, and despite an initial promise from them for me to have access to their new API if I agreed to remove their embarrassing GPX export service which revealed the private zones of people’s rides, I never got access; they just stopped emailing. (The privacy flaw was in their export, not in anything I did…).

I’m stuck here now without access to the useful features, so I’ve started looking for a replacement. I don’t have access to their new APIs, and in fact I don’t think I’d bother investing the time in them anyway, once bitten… But I started looking at the services they use to populate the pages themselves. One thing hits me immediately: their page API allows access to private activities.

Accessing private activities

Here’s a private run of mine; you won’t be able to see it. However, here’s a JSON file of the exact run. So as long as you know the ID of a user’s ride, you can get all the info about it. It also completely ignores the privacy zones you have configured when exporting a private ride. A public version, the same as the last run, has a privacy zone (it’s only hiding a sports club which is the start for these races, it’s not my house!) and you can see from exporting this one that the points within the privacy zone are reset to 0,0 rather than the actual lat/lon. Yet on the fully private activity, those same points were available: private activities actually carry more risk of revealing your location than public ones.

Private rides are just security through obscurity, and the IDs aren’t even that obscure. Don’t give Strava data that you actually want private.

Distances within privacy zones are provided

Another privacy flaw here is that while the lat/lons on public rides in your privacy zone are hidden, the distances you travel for each of those points in the private zone are not, so it’s a pretty easy algorithm to get back to very close to the start of your ride/run unless you do some laps inside your zone or something similar to obfuscate it. Altitude is also provided for the points within the zone, so that may reveal more for those of you who don’t live in flat lands.
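A server-side regression check for this leak, as an added example that is not code from this post or from Strava: `audit` flags any per-sample value still published for a point whose lat/lon was masked to 0,0, and `redact` drops those samples and rebuilds distance from visible segments only. The parallel-stream layout and field names are assumptions, and the sample data is constructed.

```python
# Constructed sample export: parallel per-sample streams. Field names are
# assumptions for illustration, not a documented schema. The first three
# samples fall inside the privacy zone, so their lat/lon is masked to 0,0.
SAMPLE = {
    "latlng":   [[0, 0], [0, 0], [0, 0], [10.0010, 20.0010], [10.0014, 20.0015]],
    "distance": [0.0, 41.5, 88.0, 131.2, 175.9],   # cumulative metres
    "altitude": [12.0, 12.4, 13.1, 13.0, 12.8],    # metres
}

MASK = [0, 0]
# Streams that describe the same samples as latlng and must be hidden with it.
PER_SAMPLE = ("distance", "altitude")


def masked(pos):
    return list(pos) == MASK


def audit(streams):
    """Return (index, field, value) for each value exposed on a masked sample."""
    leaks = []
    for i, pos in enumerate(streams["latlng"]):
        if not masked(pos):
            continue
        for field in PER_SAMPLE:
            if field in streams and streams[field][i] is not None:
                leaks.append((i, field, streams[field][i]))
    return leaks


def redact(streams):
    """Drop masked samples from every stream and rebuild cumulative distance.

    Only increments between two adjacent visible samples are summed, so the
    path length covered inside the zone (at the start, end or mid-ride) is
    not recoverable from the distance stream.
    """
    keep = [i for i, pos in enumerate(streams["latlng"]) if not masked(pos)]
    out = {k: [v[i] for i in keep] for k, v in streams.items()}
    if "distance" in streams:
        src, total, prev, rebuilt = streams["distance"], 0.0, None, []
        for i in keep:
            if prev is not None and i == prev + 1:
                total += src[i] - src[prev]
            rebuilt.append(round(total, 1))
            prev = i
        out["distance"] = rebuilt
    return out
```

Running `audit` on every export path (page JSON as well as GPX) before release catches a stream that was added later without being wired into the zone masking.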

Strava Lack of time?

Strava have repeatedly said their reason for not supporting old APIs or for providing access to the new API is lack of time. I guess I can now believe this, as they don’t even appear to have the time to invest in even basic honouring of their privacy assurances. I did try emailing them before publishing this, and then tried Twitter, but still no response.