Yoga ball, water bottle, woman doing yoga, smartphone with fitness app on, settings cog with eye, spying icon

Whether we like it or not, even the most particular details of daily life have developed digital components. From Wi-Fi-connected refrigerators and lighting to AI-assisted whole-home control, as technologies continue to advance, so does our connectivity. Personal physical fitness is no exception, as evidenced by the multitude of available calorie trackers, route recorders, and workout planners. There are thousands of fitness apps in contention to accompany you on your fitness journey, and many are pretty effective. However, they tend to demand a lot of personal information. A privacy-conscious person will want to examine how much access they give to a new application. In this article, you’ll find an overview of the basic permissions that fitness apps request, and an explanation as to why they should or should not concern you.

Privacy settings icon

Common Fitness App Permissions and Their Uses

Almost every smartphone app in existence requires certain permissions to perform its basic functions. This is especially true for fitness apps that need to collect and process sensitive information. For example, they collect your immediate location, connection status, and performance metrics. Here is a list of the most commonly requested permissions and their functions.

Network

Like many of these categories, the Network permission is actually several permissions in one bundle. Applications with this access can perform actions like changing your connection type (Wi-Fi, 4G, LTE etc.) and preventing your phone from sleeping. This seems like a lot of power to give a single program, but the reality is that many fitness apps simply use it to synchronize their data. Like most apps, fitness apps don’t generally store data on your phone, but on a centralized server.

Apps require network permission in order to transfer data via the currently active connection. With well-known, reputable applications like Strava, Garmin, MapMyRun, and MyFitnessPal, this permission shouldn’t be a big security concern, but that doesn’t mean it’s completely benign. Some applications may seek to transfer data over an “inactive” connection which can affect both data and battery usage.

In-App Purchases

Applications need this permission to charge your account for upgrades and premium features, like turning off ads or enhancing app interaction. Without this permission, Google Play will reject any monetary transaction attempt. This permission is standard and shouldn’t cause alarm, but be sure you always know who is using your phone. There are many stories of parents left responsible for purchases made by their child when they weren’t looking.

Related: The Identity permission assists the In-App Purchase permission. It allows applications to read and verify account information during any transactions.

Contacts

Phone device icon

The Contacts permission is sometimes controversial as it allows an app access to your phone’s address book. Apps use this permission to connect you with friends on the same platform, and to invite non-users to the service via their email address, directly from the user interface. Applications say they don’t use the permission if the user doesn’t intentionally access a feature that requires it. However, it’s important to know that, with the permission turned on, the application can read this information at any time and without notification.

This permission can often be blocked without affecting an app’s functionality. Android users can do this by opening Device Settings > Apps > *Name of Application* > Permissions and turning the Contacts toggle off.

Storage/Media

Media permissions allow an application to access the contents of your device’s internal storage and SD card. Apps use it for actions like uploading photos and saving and exporting statistics. While you’ll most likely be fine allowing this access to reputable apps, it’s worth noting that it’s possible to turn this permission on and off via your phone’s settings.

Location

Map with a Location Pin

The Location permission gives apps access to both your approximate and your precise location. By analyzing connection services around you, like Wi-Fi devices and cell towers, an app can determine your general location and use it to serve you targeted geo-based advertisements. Your precise location is derived from your phone’s GPS and allows services to pinpoint your location to within a few meters. In addition to using it to serve location-related ads, workout tracking apps like Strava and MapMyRun need GPS information in order to follow your run or bike ride. It allows the app to display route and speed-related metrics in real-time and in post-activity reports.

GPS tracking is essential to the core functions of many fitness apps. However, it’s no surprise that many people aren’t comfortable with an application knowing their exact location all the time. Furthermore, tracking apps often publish your activities to a public feed. Displaying where you begin or end your workouts, can show strangers exactly where you live if you aren’t careful. A study published in June 2023 revealed that Strava’s heatmap feature can expose users’ home addresses.

Bluetooth

Bluetooth icon

Bluetooth permissions are necessary for connecting to external hardware like smartwatches, heart-rate monitors, and third-party GPS devices like Garmin. However, not all fitness apps need this permission to function.

Manage the Privacy and Security Settings of Various Fitness Apps

While most fitness apps require several permission bundles to perform their basic functions, many let you fine-tune non-essential privacy and security settings. Adjusting these is usually a straightforward process, and you can control certain location, privacy, and contact-related options directly from the app’s menu. Here is a quick overview of the privacy settings of some of the most popular fitness apps.

Controlling Privacy Settings in Strava

strava logo

In Strava’s settings menu, under “Privacy Settings”, you can see that your activities and data are very public by default. If you don’t choose to opt-out, Strava will publish your activities to a public feed and segment leaderboards. The app’s “Flyby” feature also allows other users to see if they passed you during an activity, or vice-versa. Furthermore, Strava uses your activity data to create public “Heatmaps” that show the most traveled roads in your area. You can disable individual options in Settings, or, for users that wish to keep their activities completely private, Strava offers a one-touch Enhanced Privacy Mode that activates the most restrictive privacy settings.

Strava also enables the Contacts permission by default. This allows it to access your address book without asking you first. However, you can disable this access from the settings menu.

Controlling Privacy Settings in MapMyRun

By default, MapMyRun shares your data with only your friends. This includes your profile, your routes, and your workouts. You can change these settings to “Public” or “Just Me” by opening the menu and tapping Settings > Privacy. MapMyRun also features a “Privacy Center”, with information about the consents that the application requires, how to export your data, and how to delete your entire account.

Controlling Privacy Settings in Runkeeper

runkeeper logo

When you first log into Runkeeper, during the account creation process, the app automatically selects a box that gives permission to send you emails. You have the option to opt-out, but you need to take the action. It also asks you to put in your date of birth (mandatory), your current weight (optional), and your gender (optional).

By default, Runkeeper publishes your activities to a feed that is viewable by everyone. Your maps are viewable by your friends by default. In the settings menu, you can change these to be viewable by only you, your friends, or everyone.

Controlling Privacy Settings in Endomondo

Endomondo, like Runkeeper, will want to send you emails. However, it doesn’t secretly check a box for you. Instead, Endomondo makes it easy to opt-out by asking you directly. To alter privacy settings, tap More > Settings > Privacy Center > Privacy. Here, Endomondo provides an easy one-touch privacy option, as well as advanced settings that allow you to control who sees your personal information. Data such as your birthday, height, weight, and heart rate are private by default. Your workouts, average speed, maps, and personal training plans are visible to your friends by default. In the Privacy Center, you can also view the permissions you have consented to, download a copy of your personal data, and delete your account.

Controlling Privacy Settings in MyFitnessPal

MyFitnessPal is very liberal with what it shares to your news feed. If you don’t take action, the app will share pretty much everything you do in the app. Your personal nutrition diary, however, is automatically set to private. You can choose to share it publicly or with friends, or you can lock it with a password. View these settings by going to Settings > Privacy Center > Sharing & Privacy Settings.

Controlling Privacy Settings in Garmin Connect and Polar Flow

garmin logo

Using a smart fitness device, like a Garmin GPS or Polar watch, gives you access to advanced metrics not available through your phone. These devices collect a lot of data and have several obligatory permissions to function, but it’s easy to control your publicity. By default, Garmin sets your profile and activities to private. You can choose to make them visible to just your connections or to everyone, but you have to take the action. Your gender, height, weight, age, and VO2 Max can be shown on your profile, but the app hides these by default.

Likewise, Polar Flow sets your profile and activities to private by default; giving you the option to share publicly, or with only your followers, if you choose.

Digital Privacy and Security is a Personal Responsibility

Even the most well-renowned companies are not invincible. While the security of your information is a top priority for these businesses, they must consistently protect themselves from outside attacks. It’s not common, but sometimes these defenses fail and your information can be jeopardized.

Under Armour’s MyFitnessPal: A Cautionary Reminder

In March 2018, Under Armour announced that “an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018.” Of course, the Under Armour public relations team downplayed the incident. They made sure to note that no “government-issued identifiers” were stolen, despite the fact that the company doesn’t even collect such information in the first place. No payment information was stolen either; but usernames, passwords, and email addresses were compromised in the breach.

It may not seem disastrous to have to change the password for a fitness application, but it’s important to consider that many people use the same username/password combination for all their accounts. This means that these accounts, by extension, were also compromised. An incident like this is a sobering reminder that companies can only do so much to keep your information safe. You must also take steps to protect yourself. Make sure to review an application’s privacy and permission options before using it. Change your password as soon as you learn of a possible breach, and don’t use the same password for all your accounts. In the end, staying secure is a personal responsibility.

Final Thoughts

Fitness apps gather a lot of personal information. In most of the apps you can adjust who gets to see this information. However, even if you make sure only you can see the information the app company can likely see it as well.

While using a fitness app can be a perfect way to get in shape, remember that you are giving away personal information in the process. To remain completely anonymous it would be better to track your exercises the old-fashioned way. You may also want to learn about the privacy risks of using period tracking apps.

Leave a comment