Another Fitness App Exposes Users' Data

Application Security , Mobility , Next-Generation Technologies & Secure Development

Independent Researcher Finds PumpUp Data Was Accessible on Unsecured Amazon Server(HealthInfoSec) • June 4, 2018    Another Fitness App Exposes Users' Data

For at least the third time in recent months, a mobile fitness app maker apparently has exposed consumers' sensitive personal information.

See Also: How to Keep Your Endpoints Safe from Cybercrime

In the latest incident, independent researcher Oliver Hough discovered that Ontario, Canada-based fitness company PumpUp was exposing sensitive consumer health data and private messages between users via an unsecured backend server hosted on Amazon's cloud infrastructure.

The researcher reportedly contacted news site ZDNet to investigate the situation, according to a May 31 story posted on the media company's website.

Hough confirmed to Information Security Media Group that on May 23, he discovered that PumpUp consumer data, including user email addresses, location and workout records, as well as self-reported health information - such as height and weight - and some unencrypted credit card information, including card numbers, was accessible on the unsecured Amazon server.

"The MQTT server did not have any authentication enabled; anyone with the knowledge to connect to an MQTT could connect and view all messages in transit," Hough says.

ZDNet reports that it tried for over a week to inform PumpUp of the breach, but the vendor did not respond. PumpUp also did not immediately respond to an ISMG request for comment on the breach.

Hough tells ISMG that the PumpUp server that had been leaking consumer data for an unknown length of time appears to have since been pulled offline.

"They quietly closed off access; the MQTT server no longer responds at all," Hough says. "I can't say much more as PumpUp won't speak to me or anyone else."

PumpUp reportedly has about 6 million members using its apps, according to ZDNet. Hough says he's not certain how much data was exposed on the unsecured server.

Other Recent App Breaches

The incident involving PumpUp comes on the heels of a security incident revealed in March involving Under Armour's MyFitnessPal app. A class action lawsuit was recently filed against Under Armour in the aftermath of that incident, in which an intruder gained access to 150 million user accounts (see Lawsuit Filed in Wake of Under Armour Data Breach).

And in a third recent incident, mobile application and website developer Strava, which bills itself as "the social network for athletes," in January landed in hot water after publishing a global heat map that showed where and how often users travel on specific routes while recording their workouts via the company's app, which runs on smartphones and wearables.

That situation not only raised privacy concerns, but also possible safety issues for U.S. and NATO military personnel who frequently use the app while stationed overseas.

All three of these incidents involving mobile apps potentially put users at risk for fraud and other crimes.

Cybercriminals "are constantly thinking of ways they can get into various devices to gain information and to monetize it to the damage of both the business and the consumer," says attorney John Yanchunis of the law firm Morgan & Morgan's consumer litigation group.

"Anything that can be accessed by the internet that contains information of some value is capable of being penetrated. Any company that manufactures and sells that device for storage of information is vulnerable, and those companies need to engage in best practices to protect that information."

Beefing Up Security

So what are the makers of these apps doing wrong when it comes to security?

The PumpUp breach appears to have resulted from misconfigured security controls, notes Keith Fricke, principle consultant at tw-Security.

"App makers need to ensure their quality assurance processes not only check for secure coding practice, but configuration management/change management practices need to keep a close eye on maintaining security controls, even the basic ones such as passwords in this case," Fricke says.

Hough says security failures for fitness apps "are almost always because companies don't do enough to proactively monitor what services they have online, where they are routed to - internal vs. internet - and what is open; many services run on multiple ports."

App developers, he says, often lack "a solid process for building new infrastructure" and make the mistake of "passing it off to developers - DevOps - with little security knowledge."

In the PumpUp incident, Hough adds, "they had unencrypted credit card details; it's info security 101 to always encrypt financial details at rest and in transit."

Out of Scope

Most mobile fitness/health apps are regulated by the Federal Trade Commission, and not the U.S. Department of Health and Human Services. That's because unless the apps qualify as "sofware as a medical device" that's intended to treat, diagnose, cure, mitigate or prevent disease or other conditions, the apps generally do not fall under the purview of HHS's Food and Drug Administration.

Also, if consumers use the apps to input and monitor health information without involvement of a healthcare provider, the apps generally do not fall under the scope of HIPAA regulations.

"Today's health information marketplace is filled with technology that allows individuals to share their health information through fitness wearables ... and the developers and vendors of these technologies largely fall outside of HIPAA."
—David Holtzman, CynergisTek

"Congress limited the scope of HIPAA to apply to activities that we think of as traditional healthcare and how they used health information," says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek. "But today's health information marketplace is filled with technology that allows individuals to share their health information through fitness wearables, healthcare trackers or smartphones that did not exist when Congress enacted HIPAA. And the developers and vendors of these technologies largely fall outside of HIPAA"

Still, mobile health app developers must strive to implement sound data security practices, he stresses.

"The FTC has developed a guide of its best practice recommendations on securing health apps and baking in privacy by design."

Advice for Consumers

The recent incidents offer several critical lessons to consumers who use mobile health apps, as well as the companies who develop or provide the apps to consumers, Hough says.

"Consumers really need to understand that when you are using apps such as this, you are implicitly trusting the company to look after your information carefully, and in my line of work I see this is just often not the case," Hough says.

In too many cases, data is not deleted when a consumer leaves a service, Hough contends. "Many consumers think that 'delete my account' means also 'destroy all my data', but often your login is disabled and your profile taken out of view, but your data is still going to sit there and is still vulnerable if breached."

Fricke says consumers should always carefully read vendors' end use license agreements "and try to understand what expectations the vendor providing the mobile health app sets regarding privacy."

Health apps and wearable devices "don't have a good track record when it comes to disclosing what they do with user information as well as documented cybersecurity flaws," Holtzman says. Some recent studies show that that as many as 70 percent of health apps lack a privacy policy, he notes.