
Your personal data sold with Asics Runkeeper

Do you want to run solo? Asics fitness app leaks your personal data to many third parties, and doesn't offer a dedicated privacy policy

Published by Pixel de Tracking on May 31, 2020

Runkeeper multiplies trackers and leaks your email in the URL of a third-party tool

After detailing how Runtastic leaks your personal data without a valid legal basis, I decided to see whether its competitor Runkeeper does better. Just like Runtastic, bought by Adidas in 2015, Runkeeper attracted interest and was acquired by Asics in 2016. The leading sports equipment manufacturer Nike is not left out: it also offers its own application, Nike Training Club.

Your physical activities, and more generally your health data, are indeed strategic. Sports equipment manufacturers reacted quickly, and they have now been joined by digital giants:

  • Google has been offering its application Google Fit for several years. It also bought Fitbit last year.
  • Apple offers the Apple Watch, the world's best-selling smartwatch, and the app Apple Health. Note that Apple is more respectful of your personal data because its objective is different (selling high-end devices, not capturing your personal data), so the data from the Health app is end-to-end encrypted, which means that Apple cannot read it.

Runkeeper has previously had issues with mishandling its users' personal data. In 2016, the application was accused by the Norwegian public body responsible for consumer protection of transmitting personal data (including geolocation) to a third party (Kiip.me), even when the application was inactive. Have their practices changed? To investigate possible leaks of personal data from Runkeeper to third-party companies, I followed this procedure on my iPhone:

  • Closing the various background applications.
  • Launching the Charles Proxy application and enabling tracking.
  • Launching the Runkeeper application, then navigating in the app, including launching an activity.
  • Export of logs from my Charles Proxy session to my computer.

Runkeeper iOS

Runkeeper is very talkative. Here are the companies tracking you:

  • Google: the Mountain View giant is everywhere. Runkeeper uses Firebase, Google's toolbox for apps, to measure crashes via Crashlytics, as well as to personalize the application and do A/B testing via Remote Config. Runkeeper also uses Google Ad Manager (the publisher ad server) to distribute advertising.
  • Facebook: the giant of Palo Alto is also everywhere. Runkeeper uses the Facebook toolbox for apps. It is sometimes difficult to know why an application uses Facebook, because its toolbox includes many features such as analytics or advertising retargeting.
  • Iterable: a mobile marketing company that allows Runkeeper to segment you and then better retarget you via notifications, in-app messages, SMS or personalized emails. Unpleasant surprise: Runkeeper leaks your plaintext email address to Iterable in the URL. Here is the offending URL: https://api.iterable.com/api/inApp/getMessages?count=100&email=XXX&SDKVersion=6.2.2&packageName=RunKeeperPro&platform=iOS.
  • Appsflyer: a mobile marketing company offering in particular an attribution product, which allows Runkeeper to know which advertising campaigns triggered the installation of the application.
  • Amplitude: an analytics tool that allows Runkeeper to analyze your behavior in its application in detail. Here too, everything is tracked: each screen viewed, the model of your smartphone, your mobile operator, your smartphone identifier, but also the type of activity carried out, your brand of shoes, the number of steps, the distance traveled, the duration of the activity or your number of friends on the application.

If we look in detail at the information transmitted to Google Ad Manager, the Google tool allowing Runkeeper to distribute advertising, we can see that Runkeeper leaks a lot of information via the 'cust_params' field of the query https://pubads.g.doubleclick.net/gampad/ads (we had already seen this data leak at Spotify). Google collects (non-exhaustive list):

  • Your gender.
  • Your age group.
  • Information about your longest run (a range of kilometers and duration).
  • Information on the average of your runs (a range of kilometers).
  • Information on the number of your races (a range too).
  • Whether you have ever ridden a bike or not.
  • Whether you have climbed before or not.
  • Whether you have ever walked or not.

This information is deliberately sent by Runkeeper to Google Ad Manager in order to better target you: Runkeeper can thus serve an ad for mountaineering equipment to users who have already climbed.
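
To repeat this kind of check on your own capture, here is an added example (not part of the original investigation) that scans a proxy session for the two leaks described above: an email address in a third-party URL, and the key/value pairs packed into the 'cust_params' field. It assumes the session was exported in HAR format; the sample entries, the email address, the cust_params keys and the first-party.example domain are constructed for the illustration.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed HAR excerpt, not captured traffic. Hosts and paths are the ones
# named in the article; the email, the cust_params keys and first-party.example
# are made up for the example.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://api.iterable.com/api/inApp/getMessages"
                        "?count=100&email=jane.doe%40example.org&platform=iOS"}},
    {"request": {"url": "https://pubads.g.doubleclick.net/gampad/ads"
                        "?cust_params=gender%3Df%26age_range%3D25-34%26has_climbed%3Dtrue"}},
    {"request": {"url": "https://api.first-party.example/feed?page=1"}},
]}})


def is_first_party(host, first_party):
    """True when host equals, or is a subdomain of, a first-party domain."""
    return any(host == d or host.endswith("." + d) for d in first_party)


def audit_har(har_text, first_party=("first-party.example",)):
    """Return (host, parameter, finding) tuples for third-party requests."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        url = urlsplit(entry["request"]["url"])
        host = url.hostname or ""
        if is_first_party(host, first_party):
            continue
        # parse_qs percent-decodes values, so user%40host is seen as user@host.
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            for value in values:
                if EMAIL_RE.search(value):
                    # Record the fact, not the address, to keep the report clean.
                    findings.append((host, name, "email address in URL"))
                if name == "cust_params":
                    # cust_params is itself a URL-encoded key=value list.
                    for key, vals in parse_qs(value).items():
                        findings.append((host, "cust_params." + key, vals[0]))
    return findings


if __name__ == "__main__":
    for host, param, finding in audit_har(SAMPLE_HAR):
        print(f"{host:28} {param:26} {finding}")
```
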

Runkeeper does not have a dedicated privacy policy!

How does Runkeeper communicate about its use of your personal data? Surprise: Asics doesn't bother to offer a privacy policy dedicated to the Runkeeper application! Instead, you are redirected to the privacy policy of Asics, whose brands include Asics and Runkeeper in particular, but also Onitsuka Tiger and Haglöfs.

Under these conditions, it is difficult to analyze this privacy policy. As already observed with Runtastic, the personal data collected by Asics is massive, but the policy mixes the 4 Asics brands. If we nevertheless look at the section "How do we share your data?", Asics indicates:

Partners. ASICS sometimes offers you a service or application in partnership with its partners. We may also disclose your personal data to these partners, but only when you have given your consent or asked us to do so.

This is a lie, because Runkeeper offers nothing to collect user consent. It goes even further because, as we saw previously, Runkeeper transmits your personal data to Google, Facebook, Iterable (including your email), Appsflyer and Amplitude. You are not informed of this personal data leak, you have no control over it, and Runkeeper offers nothing to deactivate this tracking.

What can you do to prevent leaks to third-party tools? As with Runtastic and many other apps, while awaiting a possible sanction from a competent regulatory authority, you can use apps such as DNSCloak, Adguard or NextDNS on iOS.