Runkeeper multiplies trackers and leaks your email in the URL of a third-party tool
After detailing how Runtastic leaks your personal data without a valid legal basis, I decided to see whether its competitor Runkeeper does any better. Just like Runtastic, which Adidas bought in 2015, Runkeeper attracted a buyer and was acquired by Asics in 2016. Nike, the leading sports equipment manufacturer, has not been left out: it also offers its own app, Nike Training Club.
Your physical activities, and more generally your health data, are indeed strategic. Sports equipment manufacturers reacted quickly, and they have now been joined by digital giants:
- Google has offered its Google Fit app for several years. It also bought Fitbit last year.
- Apple offers the Apple Watch, the world's best-selling smartwatch, and the Apple Health app. Note that Apple is more respectful of your personal data because its objective is different (selling high-end devices, not capturing your personal data), so data from the Health app is end-to-end encrypted, which means Apple cannot read it.
Runkeeper has previously had problems with the way it handled users' personal data. In 2016, the application was accused by the Norwegian consumer protection authority of transmitting personal data (including geolocation) to a third party (Kiip.me), even when the application was inactive. Have its practices changed? To investigate possible leaks of personal data from Runkeeper to third-party companies, I followed this procedure on my iPhone:
- Close the various background applications.
- Launch Charles Proxy and enable tracking.
- Launch Runkeeper, then browse the app, including starting an activity.
- Export the logs from my Charles Proxy session to my computer.
Runkeeper is very talkative. Here are the companies tracking you:
- Google: the Mountain View giant is everywhere. Runkeeper uses Firebase, Google's toolbox for apps, to measure crashes via Crashlytics, and to personalize the application and run A/B tests via Remote Config. Runkeeper also uses Google Ad Manager (the publisher ad server) to serve advertising.
- Facebook: the Palo Alto giant is also everywhere. Runkeeper uses the Facebook toolbox for apps. It is sometimes difficult to know why an application uses Facebook, because its toolbox includes many features such as analytics and advertising retargeting.
- Iterable: a mobile marketing company that lets Runkeeper segment you and then retarget you more effectively via notifications, in-app messages, SMS or personalized emails. Unpleasant surprise: Runkeeper leaks your email address in plain text to Iterable in the URL. Here is the offending URL: https://api.iterable.com/api/inApp/getMessages?count=100&email=XXX&SDKVersion=6.2.2&packageName=RunKeeperPro&platform=iOS.
- Appsflyer: a mobile marketing company offering, among other things, an attribution product that lets Runkeeper know which advertising campaigns triggered installation of the app.
- Amplitude: an analytics tool that lets Runkeeper analyze your behavior in detail on its application. Here too, everything is tracked: each screen viewed, your smartphone model, your mobile operator, your smartphone identifier, but also the type of activity performed, your shoe brand, the number of steps, distance traveled, activity duration and your number of friends on the application.
If we look in detail at the information sent to Google Ad Manager, the Google tool that lets Runkeeper serve advertising, we can see that Runkeeper leaks a lot of information via the 'cust_params' field of the https://pubads.g.doubleclick.net/gampad/ads request (we had already seen this data leak with Spotify). Google collects, among other things:
- Your gender.
- Your age group.
- Information about your longest run (a range of kilometers and duration).
- Information on the average of your runs (a range of kilometers).
- Information on the number of your runs (also a range).
- Whether you have ever ridden a bike or not.
- Whether you have climbed before or not.
- Whether you have ever walked or not.
This information is deliberately sent by Runkeeper to Google Ad Manager in order to target you more effectively: Runkeeper can therefore serve an ad for mountaineering equipment to users who have already climbed.
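To repeat this audit on your own capture, the sketch below scans a proxy session for personal data placed in third-party URLs: email addresses in query parameters (the Iterable case) and key/value pairs packed inside a single parameter (the Google Ad Manager case). It is an added example, not code from the original article. It assumes the Charles session was exported or converted to HAR (HTTP Archive) JSON; the sample entries, the first-party domain, the first-party path and the nested key names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def expand_params(query):
    """Yield (name, value, nested); unpack values that are themselves query strings."""
    for name, value in parse_qsl(query, keep_blank_values=True):
        yield name, value, False
        if "=" in value and not value.startswith("http"):
            for sub, subval in parse_qsl(value, keep_blank_values=True):
                yield f"{name}.{sub}", subval, True

def find_url_leaks(har, first_party):
    """Return (host, parameter, value, reason) tuples for third-party requests."""
    findings = []
    for entry in har["log"]["entries"]:
        url = urlsplit(entry["request"]["url"])
        host = (url.hostname or "").lower()
        # Requests to the app's own backend are out of scope for this check.
        if any(host == d or host.endswith("." + d) for d in first_party):
            continue
        for name, value, nested in expand_params(url.query):
            if EMAIL_RE.search(value):
                findings.append((host, name, value, "email address"))
            elif nested:
                findings.append((host, name, value, "nested key/value"))
    return findings

# Constructed sample capture. The first URL follows the Iterable request quoted
# above with a test address; the cust_params keys and the first-party path are
# hypothetical.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://api.iterable.com/api/inApp/getMessages"
                        "?count=100&email=tester%40example.com&SDKVersion=6.2.2"
                        "&packageName=RunKeeperPro&platform=iOS"}},
    {"request": {"url": "https://pubads.g.doubleclick.net/gampad/ads"
                        "?cust_params=gender%3Dm%26age_group%3D25-34"}},
    {"request": {"url": "https://api.runkeeper.com/user?email=tester%40example.com"}},
]}}
FIRST_PARTY = ["runkeeper.com"]  # assumption: treat this domain as first party

if __name__ == "__main__":
    for finding in find_url_leaks(SAMPLE_HAR, FIRST_PARTY):
        print(*finding, sep=" | ")
```

For a real capture, load the exported file with `json.load` and pass the resulting dictionary in place of `SAMPLE_HAR`.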
Runkeeper does not have a dedicated privacy policy!
How does Runkeeper communicate about its use of your personal data? Surprise: Asics does not even offer a privacy policy dedicated to the Runkeeper application. You are redirected to the Asics privacy policy, whose brands include Asics and Runkeeper, but also Onitsuka Tiger and Haglöfs.
Under these conditions, it is difficult to analyze the policy. As already observed with Runtastic, the personal data collected by Asics is extensive, but the policy mixes the four Asics brands together. If we nevertheless look at the section "How do we share your data?", Asics states:
Partners. ASICS sometimes offers you a service or application in partnership with its partners. We may also disclose your personal data to these partners, but only when you have given your consent or asked us to do so.
This is false because Runkeeper offers no mechanism for collecting user consent. It goes even further: as we saw above, Runkeeper sends your personal data to Google, Facebook, Iterable (including your email address), Appsflyer and Amplitude. You are not informed of this personal data leak, you have no control, and Runkeeper offers no way to deactivate this tracking.
What can you do to prevent leaks to third-party tools? As with Runtastic and many apps, while awaiting a possible sanction from a competent regulatory authority, you can use apps such as DNSCloak, Adguard or NextDNS on iOS.