date 2018-01-30

The locations of military bases and soldiers around the world have been inadvertently published by a fitness app.

A heatmap of GPS data recorded by Strava, a mobile app which allows users to track their jogging routes, shows activity in and around military bases, suggesting users are soldiers on active duty.

And people who create a free account can find other users who regularly use certain routes, potentially alerting terrorists or foreign powers to soldiers on active duty.

Potentially sensitive locations in the UK include the Sandhurst military academy, GCHQ and HMNB Clyde, where the navy stores its nuclear weapons.


A Strava spokesman said the heatmap "excludes activities that have been marked as private and user-defined privacy zones".

"We are committed to helping people better understand our settings to give them control over what they share," they added.

Anyone can create an account for free and find routes, or "segments" around military bases.

The app also shows which users have publicly recorded their times on certain routes and many people on Twitter have pointed out that anyone could use such information to find other social media profiles for soldiers.

Nathan Ruser, a student from Canberra in Australia, identified what he believed was a regular jogging route for soldiers in Afghanistan.

"Hopefully it's a learning experience for the different military communities and they can toe that line between convenience and security," he told the Sydney Morning Herald.


Others identified a US base in Nigeria and app users at Bagram air base in Iraq.

Writing for the website The Daily Beast, international security expert Jeffrey Lewis showed how anyone could identify users at a military base in Taiwan and potentially find other bases as a result.

"If our user casually jogging by Taiwanese missiles day after day suddenly appears deployed to a new location, well that's very interesting if you are targeting missiles for China's Rocket Force," he wrote.

Users are able to make their data private, but Mr Lewis also raised concerns about whether data which has been set to private could be hacked.

Strava published a major update to the heatmap in November 2017, including "six times more data than before", but investigators only spotted the security breach this weekend.

An MOD spokesman said: "The MOD takes the security of its personnel and establishments very seriously and keeps them under constant review.

"However, for obvious reasons we do not comment on our specific security arrangements or procedures."


App companies are failing to protect people's privacy and security by not considering the unintended consequences of what is published collectively online, a cyber expert has claimed.

The warning came after locations of military bases and soldiers around the world were inadvertently published by a fitness app.

The heatmap of GPS data recorded by Strava, a mobile app which allows users to track their jogging routes, shows activity in and around military bases, suggesting users are soldiers on active duty.

And people who create a free account can find other users who regularly use certain routes, potentially alerting terrorists or foreign powers to soldiers at military bases.

Potentially sensitive locations in the UK include the Sandhurst military academy, GCHQ and HM Naval Base Clyde, where the navy stores its nuclear weapons.

The Faslane base has been the focus of security breach concerns before and in 2015 a Royal Navy submariner claimed safety procedures around the Trident nuclear programme at the base mean it could be "infiltrated by a terrorist".

Dr Mike Just, Associate Professor and deputy head of computer science at Heriot Watt University, who is also a cyber security expert with the Scottish Informatics and Computer Science Alliance, said planning how apps work should include examining such unintentional uses.

He said: "Companies need to do better at protecting the data that they collect from us.

"It's not enough to give individuals choice about how they can protect their data.

"From this apparent data exposure example, we can see the potential risks from sharing data without consideration of the patterns that can be deduced."


Professor Chris Johnson, head of computing at Glasgow University and also a SICSA cyber security expert, said the Strava incident "is concerning because it’s part of a wider problem in maintaining security when so many devices and apps disclose potentially sensitive information".

Using the Strava app, anyone can create an account for free and find routes, or "segments" around military bases.

Faslane shows some activity on the heatmap.


So-called "patterns of life" started to emerge for users and Nathan Ruser, a student from Canberra in Australia, identified what he believed was a regular jogging route for soldiers in Afghanistan.

International security expert Jeffrey Lewis said anyone could identify users at a military base in Taiwan, for example, and potentially find other bases as a result.

He said: "If our user casually jogging by Taiwanese missiles day after day suddenly appears deployed to a new location, well that's very interesting if you are targeting missiles for China's Rocket Force."


A Strava spokesman said the heatmap "excludes activities that have been marked as private and user-defined privacy zones".

He added: "We are committed to helping people better understand our settings to give them control over what they share."
