A fitness tracking app popular with members of the military could be a security risk from tracking data released by the company that highlights bases, including clandestine bases in the Middle East.

The app, called Strava, was launched in 2011 and uses GPS data to track user activity such as running or cycling. It allows users to count how much exercise they’ve done and share it with others, a fairly innocuous use and a common one with fitness trackers.

The problem: The company released heat maps based on the data gathered in November, including mapping data that potentially gives away extremely sensitive information about a subset of Strava users: military personnel on active service.

According to an analyst quoted by The Guardian, although the heatmap “looks very pretty,” it’s not amazing for operational security at U.S. military bases that are clearly identifiable and mappable. The analyst goes to say that “if soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous.”

The data exposed by the heatmap is not limited to U.S. military bases. It also includes known Russian, Chinese and U.K. bases, but it would appear that it’s more widely used by U.S. personnel. In more remote areas, such as Afghanistan, Djibouti and Syria, the users of Strava are said to be almost exclusively foreign military personnel.

Strava responded to the report, saying in a statement that “our global heat map represents an aggregated and anonymized view of over a billion activities uploaded to our platform” and that it “excludes activities that have been marked as private and user-defined privacy zones. We are committed to helping people better understand our settings to give them control over what they share.”

Although that may well be true, it appears that U.S. personnel may not have got the message that they can make their data private.

Image: Strava