Skip to content
Naked Security Naked Security

Runkeeper says “sorry!” for sending your every move to an ad service

The fitness app's maker said it found a bug in its Android version that was dribbling location data to an ad service in the US.

Runkeeper, a fitness app, has apologized for sending users’ every move to an ad service in the US up to 48 hours after they’re done with their runs.

App maker FitnessKeeper Inc., based in the US state of Massachusetts, began to peel the app apart after the Norwegian Consumer Council lodged a complaint against it two weeks ago.

The investigation turned up a bug in Runkeeper’s Android version that involves how the app integrates with a third-party advertising service. As FitnessKeeper explained, events such as push notifications wake up the app when it’s running in the background.

When such events woke up the app, the bug would “inadvertently” push out a user’s location data to a major US advertiser that Ars Technica identified as Klip.me.

The complaint was filed after Norway’s consumer watchdog earlier this year investigated the terms and conditions of 20 apps.

In those tests, Runkeeper kept pushing out user location up to 48 hours after it had gone idle.

What’s more, the council also found that like many mobile apps, Runkeeper demands the right to a user’s content for perpetuity: you can delete your account, but your data isn’t going anywhere. Its license also stipulates that it can share user content with unspecified third parties.

The watchdog’s investigation has already led to its reporting of dating app Tinder to Norway’s data protection authority over what it called privacy breaches, Ars reports. Another dating app, Happn, has been reported to France’s data regulator.

FitnessKeeper squashed the bug that was leaking user location data and released a new version of Runkeeper on Tuesday. Although the bug only affected the Android version, the company said that it snipped the ad service from its iOS version as well, “out of an abundance of caution.”

The company apologized and pledged to cooperate with the Norwegian watchdog over all of its concerns. From its statement:

We apologize for letting this bug slip through, and we regret the concern this has caused our users. We take our responsibility for the privacy of user data very seriously, and we are thankful to the Runkeeper user community for your continued trust and support.

Alas, Runkeeper is just one of many mobile apps that are blabbing about us. As we reported in February, researchers have found that there are plenty more mobile apps dribbling away far more data than you’d presume after reading privacy policies.

We have a permeable membrane between ad networks and mobile app developers to thank for it. That membrane lets through potentially sensitive personal information on millions of mobile phone users, including how much money we make, whether or not we’ve got kids, and what our political leanings are.

That’s a lot of tasty data to be picked over by voracious ad networks.

And as we all know by now, “free” mobile apps aren’t free at all, just like their “free,” advertising-financed online brethren.

There’s just no free lunch waiting on your mobile phone.

4 Comments

I’ve often laughed about this binary approach of mankind considering the good guys verses the bad (guys) as I believed, and still do, that we happen to be either both or either none. But in fact there is as there has always been an everlasting confrontation between honesty and dishonesty. In this cyber world as in the other one (“true” one is inappropriate I guess) there is vice as there is virtue, and nakedsecurity as well as several others participates to the growing family of those who praise not for morality, not for a faith, but for ethics, period. Period!

thanks for this. it looks the article said “Kiip.me” with two “i”s not “Klip.me” :)

FitnessKeeper got there hands caught in the cookie jar to make more money. This has been going on for some time. Google needs to look at there reviews also on that app, because they have a TON of bot reviews for that app.

Thanks, Lisa! Good write up, and I’m happy someone brought this to light. And thanks to the Norwegians as well.

Have the developers given any reason for this issue other than “oops, we’re sorry?”

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?