Great Discovery!
It is no surprise that Strava is probably the most popular Social Fitness App in the Play Store since it works with almost all companion Apps.
Strava was exploited in the past, for example, the famous breach that made it possible to expose Israeli military bases (article). Since then Strava is much more fortified and the application stores almost no type of data locally. The application, the moment it has access to the internet, purges the data automatically from the local SQLite databases.
However, exploring the data, we discovered that the application stores FIT files related to the activities in the public directory! A FIT, or Flexible and Interoperable Data Transfer, is a file format for GPS tracks and routes. It is usually used by Garmin devices (we did not connect Strava to Garmin Connect, and we started the activity directly from the Strava application). Using the library fitdecode, we could decode the FIT files and extract the GPS coordinates and some additional information related to the activity.
Our module will extract the FIT files, decode them, create the respective Map in HTML and KML, and show it in the report. What makes this module special is that this data comes from the public directory instead of the private one like previous modules we did from fitness applications. This means that the analysis can obtain the user's location during that specific timeframe in a criminal or forensic investigation without needing special privileges or root to access the data.
Since the data is decoded from the FIT file and converted, it is not 100% accurate, but from our tests, it is almost 99% accurate (the map shows a bug that renders a black circle near the start and endpoint; however, it is still completely readable).
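The decode-and-map flow described above, as an added example that is not the code from this pull request or from the project: it turns FIT `record` positions into a KML track. It assumes fitdecode's default processor leaves `position_lat`/`position_long` in FIT semicircles; the helper names and the `SAMPLE` records are constructed for illustration.

```python
from xml.sax.saxutils import escape

# FIT stores latitude/longitude as signed 32-bit "semicircles".
SEMICIRCLE_TO_DEG = 180.0 / 2**31


def read_fit_records(path):
    """Yield (timestamp, lat, lon) in semicircles from a FIT file via fitdecode."""
    import fitdecode  # lazy import: the conversion below runs without the library
    with fitdecode.FitReader(path) as fit:
        for frame in fit:
            if isinstance(frame, fitdecode.FitDataMessage) and frame.name == "record":
                get = lambda n: frame.get_value(n) if frame.has_field(n) else None
                yield get("timestamp"), get("position_lat"), get("position_long")


def to_track(records):
    """Convert to (timestamp, lat_deg, lon_deg), dropping records without a usable fix."""
    track = []
    for ts, lat, lon in records:
        if lat is None or lon is None:  # no GPS fix yet, common at activity start
            continue
        lat_d, lon_d = lat * SEMICIRCLE_TO_DEG, lon * SEMICIRCLE_TO_DEG
        if not (-90 <= lat_d <= 90 and -180 <= lon_d <= 180):
            continue  # out-of-range value, e.g. the 0x7FFFFFFF "invalid" marker
        track.append((ts, round(lat_d, 6), round(lon_d, 6)))
    return track


def track_to_kml(track, name="activity"):
    """Render a KML LineString; KML coordinate order is lon,lat,alt (not lat,lon)."""
    coords = " ".join(f"{lon},{lat},0" for _, lat, lon in track)
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>'
            f'<Placemark><name>{escape(name)}</name><LineString><coordinates>'
            f'{coords}</coordinates></LineString></Placemark></Document></kml>')


# Constructed sample records in semicircles, not taken from a real device.
SAMPLE = [
    ("2021-01-01T10:00:00", None, None),
    ("2021-01-01T10:00:05", 2**29, -(2**28)),
    ("2021-01-01T10:00:10", 2**29 + 2**24, -(2**28) + 2**23),
    ("2021-01-01T10:00:15", 0x7FFFFFFF, 0),
]

if __name__ == "__main__":
    print(track_to_kml(to_track(SAMPLE), "constructed sample"))
```

For a real file, pass `read_fit_records(path)` to `to_track` in place of `SAMPLE`.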