Android version of RunKeeper was leaking location data to ad service

The Android version of the popular running app RunKeeper has been leaking location data to an ad service.

The issue was identified when the Norwegian Consumer Council lodged a complaint against RunKeeper two weeks ago. This resulted in RunKeeper’s developers tearing the app down to determine whether there was a problem.

Before reading on – if you use the Android version of RunKeeper, update the app from the Google Play Store or another legitimate source. Do not sideload the app from an uncurated source (which is advice I’d give for any app!).

The issue stemmed from the way the app “woke up” when a push notification was invoked. When that happened, location data was sent to the ad service.


RunKeeper has released a statement about the issue. Here’s the full text.

Recently, the Norwegian Consumer Council filed a complaint regarding how Runkeeper handles user data. We immediately began investigating the issue and have found a bug in our Android app involving the app’s integration with a third-party advertising service. Like other Android apps, when the Runkeeper app is in the background, it can be awakened by the device when certain events occur (like when the device receives a Runkeeper push notification). When such events awakened the app, the bug inadvertently caused the app to send location data to the third-party service.

Today we are releasing a new version of our app that eliminates this bug and removes the third-party service involved. Although the bug affected only our Android app, we have decided to remove this service from our iOS product too out of an abundance of caution. The iOS release will be made available once approved by Apple.

We will cooperate with the Norwegian Data Protection Authority in addressing the concerns raised by the Norwegian Consumer Council. But today we are taking swift action to address the bug identified in the complaint.

We apologize for letting this bug slip through, and we regret the concern this has caused our users. We take our responsibility for the privacy of user data very seriously, and we are thankful to the Runkeeper user community for your continued trust and support.

-Jason & the Runkeeper team
