The popular health apps that collect most user data - including your photos

·Contributor

Updated 29 April 2024 at 2:17 pm·6-min read

Could your fitness app be collecting your data? (Getty)

The scale at which some fitness apps collect significant amounts of data on users has been revealed by new analysis - including those that can share the information with so-called ‘data harvesters’.

The data collected includes individual’s precise locations and financial information to the photographs they’ve taken. In fact, out of the 10 apps analysed, seven collected photos from users and five collected the precise current location of users.

The vast majority of users will most likely know that the apps they have on their phone legitimately store certain personal information, such as email addresses and their names. However, the lengthy Ts & Cs that come with each download means they may not be aware of quite how much information they give away.

What data are apps collecting?

Researchers at data protection service Incogni analysed 10 apps on the Google Play Store on 27 March - Strava, Fitbit, AllTrails, Calm, Flo, Runna, MyFitnessPal, Headspace, Calorie Counter, ShutEye.

They noted the wide range of user information the apps collected and shared (such as Precise location, Name, Email, Health info, Fitness info, Photos, App interactions, Other user-generated content, Other actions, Crash logs, Diagnostics, Other app performance data, Device or other IDs).

The results showed that fitness apps Fitbit and Strava collected the most amount of personal information and all but three of the apps (Fitbit, Fl, Calorie Counter) shared data with third parties.

Running coach app Runna collected 13 data points and shared all of them with third parties - including users’ precise location, name and email addresses, photos, and health and fitness information. The hiking app AllTrails collected and shared eight data points about the people who use it.

Seven out of 10 apps analysed collected users’ photos (FitBit, Strava, AllTrails, Flo, Calorie Counter, Runna, MyFitnessPal), and five collected their precise current location (Fitbit, Strava, AllTrails, Runna, MyFitnessPal). This means app developers could ‘see’ where people regularly travel to or even their home.

Fitbit was found to have collected the most amount of data points about their users, collecting 21 different types of information. Strava collected 19 different types.

Should we be concerned?

Data collection is something users should be aware of. Brokers can collect information from apps, social networking sites, and blend this with other publicly available information - this data can even be used in background checks by employers or checks by insurers.

Darius Belejevas, head of data protection service Incogni, comments: “Apps that record and track exercise data can be a great motivational tool that millions of Brits use to get more out of their workouts, eat better, keep running or just keep active. But without realising it, many of us are giving away personal data that doesn’t just show how many calories we’ve eaten or steps we’ve walked, but also reveals the precise location where and when we took those steps.

Female sportswoman in red sports wear monitoring and looking at wrist smartwatch screen. Low angle view — Fitness apps collect lots of data on users (Getty)

“Sensitive, personal health and fitness information is highly valuable to data brokers because there are hundreds of interested parties — both legal and illegal — willing to pay for such information, including insurance companies and marketers. It is especially worrying that some apps collect ‘other info’ and ‘other user-generated content’ without specifying what these vague terms involve."

Gaël Duval, co-founder and developer of privacy focused operating system /e/OS, said: “Many of these apps are marketed as 'free', yet people don't realise their data is now currency. Free and paid apps will request certain permissions during installation that allows them to collect and sell your data to data brokers. This is often disguised as being part of the functionality of the app, yet in reality the data is then passed or sold to data brokers, who sell it on for advertising purposes and more.

“Data brokers collect/analyse user data from various sources to create a detailed profile on a person and sell it on for profit. The data collected about you in apps can range from things like age and location, to medical information and sexual interests. It's then used to create an accurate picture of your habits, allowing advertisers and big tech to deliver increasingly relevant content and product suggestions - encouraging you to spend more time and money online, to the detriment of your mental health and finances.”

Yahoo News has reached out to the apps for comment.

Dom Maskell, co-founder of Runna, said, "At Runna, we take data privacy extremely seriously. We collect only what we need to build an amazing app (we don't even ask for your surname for this reason) and process data accordingly.

"We use industry standard 3rd party data tools such as Mixpanel for Product Analytics, Intercom for Customer Support and Statsig for Feature Rollout. For these to work (e.g., for us to reach you in Intercom, we need your email) we need to share limited amounts of data with those platforms. This is only done as absolutely necessary. For all sensitive data we process, such as users' completed activities, these are kept securely in AWS using industry standard encryption during both transit and rest and access to this data is restricted. Runna does not sell or share user data."

Which apps collect what?

What data the various apps collect and share. Please click on the image to enlarge it.

Fitbit

21 data points collected

0 shared with third parties

Strava: Run, Bike, Hike

19 data points collected

3 shared with third parties (Crash logs, Diagnostics, Device or other IDs)

AllTrails: Hike, Bike & Run

18 data points collected

8 shared with third parties (Precise location, Approximate location, Name, Email, User IDs, Purchase history, App interactions, Device or other IDs)

Calm - Sleep, Meditate, Relax

16 data points collected

6 shared with third parties (Email, User IDs, User payment info, Purchase history, App interactions, Device or other IDs)

Flo Period & Pregnancy Tracker

15 data points collected

0 shared with third parties

Runna: Running Plans & Coach

13 data points collected

13 shared with third parties (Precise location, Name, Email, Health info, Fitness info, Photos, App interactions, Other user-generated content, Other actions, Crash logs, Diagnostics, Other app performance data, Device or other IDs)

MyFitnessPal: Calorie Counter

12 data points collected

3 shared with third parties (Precise location, User IDs, Devices or other IDs)

Headspace: Meditation & Sleep

9 data points collected

7 shared with third parties (Name, Email, User IDs, App interactions, Crash logs, Diagnostics, Device or other IDs)

Calorie Counter

13 data points collected

0 shared with third parties

ShutEye: Sleep & Relax

1 data point collected

2 shared with third parties (User IDs, Device or other IDs)

Euronews
Bluetooth devices can unwittingly track your every move. Here's how to know if they're watching you
Apple and Google are working together to alert users if there's a Bluetooth device tracking them. Here's how to detect if they are and what to do about it.
Wales Online
Security expert says 'never answer phone' amid rise in 'beeping calls'
If you get a call that is silent or just contains beeps, there may be a sinister reason
The Independent
The unusual way Oleksandr Usyk found Tyson Fury body doubles for sparring
Usyk will box Fury in Saudi Arabia on Saturday, to crown a new undisputed heavyweight champion
TechCrunch
Google adds 'Web' search filter for showing old-school text links as AI rolls out
As Google revamps itself for the AI era, offering AI overviews within its search results, the company is introducing a new way to filter for just text-based links. According to Google, the new "Web" filter will appear either at the top of the results page or as part of the "More" option, depending on your query. The launch is an admission that sometimes people will want to just surface text-based links to web pages -- the classic blue links that today are often of secondary importance as Google either answers the question in its informational Knowledge Panels or, now, through AI experiments.
Car and Driver
Rivian R1T and R1S Will Soon Let You Watch YouTube, Cast Videos
Rivian says the new YouTube app and Google Cast are coming via a free over-the-air update for its electric truck and SUV.
The Independent
New iPhone feature stops passengers getting car sick when using their phone
Other newly-announced accessibility features include eye tracking and music haptics
Yahoo Finance
Google is reinventing itself for the AI age
Google took back the AI crown during its I/O developer conference, but its reign could be short-lived.
PA Media: Tech
Google tackles phone theft with new safety features coming to Android
The tech giant will use AI to detect when a user’s phone has been snatched from their hands.
The Guardian
iPad Pro M4 review: ludicrously good hardware that’s total overkill for most
Apple sets new standard in screen and power but Pro model verges away from consumer tablet needs
CoinDesk
Bitcoin DeFi Tool Alex Lab Loses $4.3M in Hack, Offers 10% Bounty for Stolen Funds
The ALEX team proposed a 10% bounty on the total stolen funds in exchange for the return of 90% of assets.
Bloomberg
AT&T Strikes Space Broadband Deal in Challenge to Musk’s SpaceX
(Bloomberg) -- AT&T Inc. and satellite provider AST SpaceMobile Inc. are teaming up to provide wireless service from space — a challenge to Elon Musk’s SpaceX, which struck a similar deal two years ago with T-Mobile US Inc. AST SpaceMobile jumped in extended trading on the news. Most Read from BloombergSlovak Premier Fighting for Life After Assassination AttemptS&P 500 Tops 5,300 in Record-Breaking Stock Rally: Markets WrapUS Inflation Ebbs for First Time in Six Months in Relief for FedChina Con
Birmingham Live
Millions of Google Chrome users warned to relaunch browser 'immediately'
If you use Chrome on your desktop PC or laptop to browse the web and check your emails, then you’d be wise to ensure you’re running the latest and safest version free from vulnerabilities.
PC Gamer
OpenAI unveils GPT-4o with a video of a man making small talk with his phone and I cannot pretend it's not really weird
OpenAI unveils GPT-4o with new audio, video and text recognition abilities—rolling out to free users.
Barrons.com
Google’s I/O Event Promises Lots More AI. The Stock Gets a Small Bump.
Google’s developer conference is expected to feature dozens of sessions on the company’s own artificial intelligence technologies.
PA Media: Tech
China poses ‘genuine and increasing’ cyber risk to UK, GCHQ chief warns
Anne Keast-Butler said China has an ‘advanced set of cyber capabilities’, and also has commercial hacking outfits and data brokers at its disposal.
The Independent
OpenAI unveils ‘magic new AI that can see, hear and speak
ChatGPT creator’s latest flagship product can respond as quickly as a human
The Telegraph
Chinese and Russian spies will target MP candidates at election, warns GCHQ
Chinese and Russian spies will try to target would-be MPs ahead of the general election, GCHQ bosses fear.
Birmingham Live
King Charles and Prince William 'furious with Harry and Meghan over Nigeria tour'
Prince Harry and Meghan Markle were in Nigeria as they marked the anniversary of the Invictus Games
The Independent
Royal news – live: King Charles unveils official portrait as Harry and Meghan issue defiant statement
Duke of Sussex missed his father during his brief visit to London
Yorkshire Live
Man who played People's Postcode Lottery for eight years left fuming at 'win'
Chris Cork, from Manchester, was left fuming when he opened a People's Postcode Lottery package he thought was a big win - and found two bars of soap inside

What data are apps collecting?

Should we be concerned?

Which apps collect what?

Latest stories