In recent years, the collection and analysis of data about a subject has shifted: the subject is now the person. This is not just high-level detail about a person, but highly detailed, low-level personal information. A new term has been coined for this activity: the Quantified Self (QS). The trend is a collision of several forces currently observed, including wearable smart devices, the Internet of Things, and social media.
QS is about personal data, but not as we have known it. While analyzing the top QS apps for smartphones, we found all sorts of worrisome behavior. How much data is actually gathered? How is the data stored? How many entities do you have to trust not to sell your data to marketing companies? These are only a few of the questions that users have to ask themselves. We will explain the different attack vectors and attack scenarios against QS devices.
We found that not all applications follow security best-practice guidelines. Some applications submit passwords in clear text over HTTP, leak your location, or let everyone see your progress by default. Other applications distribute your data by contacting 16 different service providers, or leave you with an unpleasant feeling because they do not allow you to delete the account or do not even have a privacy policy to begin with. We will provide an overview of the findings we gathered while analyzing QS applications.
Furthermore, we discovered that most Quantified Self hardware devices, such as sports bracelets, do not implement the full spectrum of privacy functions available. Hence, people using such activity trackers can be tracked by others. We created a proof-of-concept scanner and performed some tests in different European cities. We will discuss the scan results and show that when the tracking is combined with the leakage of personally identifiable information, this can quickly become a nightmare.