A fitness app that posts a map of its users’ activity has unwittingly revealed the locations and habits of military bases and personnel, including those of American forces in Iraq and Syria, security analysts say.
The app, Strava, which calls itself “the social network for athletes,” allows users to time and map their workouts and to post them online for friends to see, and it can track their movements at other times. The app is especially popular with young people who are serious about fitness, which describes many service members.
Since November, the company has published a global “heat map” showing the movements of people who have made their posts public. In the last few days, security analysts have started to take note of that data, and some have argued that the map represents a security breach.
Strava “is sitting on a ton of data that most intelligence entities would literally kill to acquire,” Dr. Jeffrey Lewis of the Middlebury Institute of International Studies at Monterey, Calif., warned on Twitter.
Some analysts have taken to social media to warn that individual users can easily be tracked, particularly when their Strava data is cross-referenced with other social media use, potentially putting individual members of the military at risk, even when they are not in war zones.
The outlines of known military bases around the world are clearly visible on the map, especially in countries like Afghanistan, Iraq and Syria, where few locals own exercise tracking devices. In those places, the heat signatures on American bases are set against vast dark spaces. Tobias Schneider, a security analyst, wrote on Twitter that “known Coalition (i.e. US) bases light up the night.”
In Afghanistan, for instance, two of the largest coalition bases in the country — Bagram Airfield, north of Kabul; and Kandahar Airfield, in southern Afghanistan — can easily be picked out. The same is true for smaller bases around the country whose existence has long been public.
But there also appear to be other airstrips and base-like shapes in places where neither the American-led military forces nor the Central Intelligence Agency are known to have personnel stations.
Perhaps more problematic for the military are the thin lines that appear to connect bases. Those lines likely trace the roads or other routes most commonly used by American forces when traveling between locations, and their exposure could leave troops open to attack when they are most vulnerable.
The Pentagon did not directly address whether the heat map had revealed any sensitive location data. But Maj. Audricia Harris, a Pentagon spokeswoman, said that the Defense Department recommends all its personnel limit their public social media profiles and that it was reviewing the situation.
“Recent data releases emphasize the need for situational awareness when members of the military share personal information,” Major Harris said. The Pentagon “takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required,” the major added.
The Central Intelligence Agency declined to comment.
The threat also extends to countries where the app is more popular. Mr. Lewis of the Middlebury Institute wrote in The Daily Beast that the pattern of movements clearly showed the location of Taiwan’s supposedly secret missile command center.
Strava, which is based in San Francisco, released a statement on Sunday noting that the app, which can be used on phones or fitness-tracking devices, has privacy settings that can exclude users from the map and hide their activities from the general public. It urged people to read a blog post from last year about how to use those settings.
The map “excludes activities that have been marked as private and user-defined privacy zones,” the company said. “We are committed to helping people better understand our settings to give them control over what they share.”