
BREAKING SMART.
HACKING HEALTH, WEARABLE AND SMART APPS TO PREVENT LEAKING

YURY CHEMERKIN
MULTI-SKILLED SECURITY EXPERT
CJSC ADVANCED MONITORING

YURY CHEMERKIN
I have 10+ years of experience in information security. I'm a multi-skilled security expert on security & compliance and mainly focused on privacy and leakage showdown. Key activity fields are EMM and Mobile & Cloud Computing, IAM, Forensics & Compliance.

I published many papers on mobile and cloud security, regularly appear at conferences such as CyberCrimeForum, HackerHalted, DefCamp, NullCon, OWASP, CONFidence, Hacktivity, Hackfest, DeepSec Intelligence, HackMiami, NotaCon, BalcCon, Intelligence-Sec, InfoSec NetSysAdmins, etc.

LINKEDIN: HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
TWITTER: @YURYCHEMERKIN
EMAIL: YURY.S@CHEMERKIN.COM
SMART ISSUES
• FORENSICS CAPABILITIES
• SPORT & HEALTH
• SECURITY & TIPS

SECURITY NOWADAYS. FORENSICS DIRECTION
• APP SERVERS
• HEALTH VENDOR CLOUD
• CDN
• 3RD PARTY CLOUD
• BACKUP OF DEVICE
• MOBILE DEVICE
• 2FA
• LEAKED DATABASE

FORENSICS TOOLS. ADVERTISEMENT IS NOT SCARIEST THING IN THE WORLD
FORENSICS. UNSTOPPABLE ACCESS
STRAVA
• GOOGLE, CRASHLYTICS, FACEBOOK, ZENDESK, IO.BRANCH
• NETWORK DATA IS PROTECTED FROM MITM
• CREDENTIALS, PROFILE AND MEASURES
• SPORT GEAR MEASURES IF IT EXISTS
• MAINLY KEEP ON STRAVA SERVERS
• GEO DATA IN BACKUPS
• ZENDESK USERID & TOKEN + BASIC PROFILE
• PHOTOS TAKEN BY USERS ON CLOUDFRONT
STRAVA – DETAILS

• Analytics, 3rd party sdk – Google, Crashlytics, Facebook, Zendesk, io.branch


• Network:
• Traffic is generally protected by certificate (Pinning), however developer API
doesn’t have it as a built-in feature
• Protected credentials, profile and measures related to runs, walking stats sync but
aren’t correctly incorporated to overall stats (not supported over years)
• Gear measures if it exists
• Mainly keep on strava servers
STRAVA – DETAILS

• Geo Route details Documents\*.stravactivity


• wp: lat:55.899412; long:37.575460; hacc:64.000000;
vacc:63.175690; alt:187.060074; speed:4.348559;
course:124.105452; t:1554864639.673529;
dt:1554864639.612675
• Zendesk UserID & Token
• \Library\Preferences\com.zendesk.core.identity.plist
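Added example (not from the original slides): a parser for the `wp:` record layout quoted above, showing how much a single unencrypted activity file in a backup gives away (time span, path length, fix accuracy). Reading `t` as Unix epoch seconds is an assumption, and every sample line except the first is constructed.

```python
import math
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Line 1 is the record quoted on the slide. The other three are constructed
# for this example: a neighbouring fix, a truncated record, a bad latitude.
SAMPLE = (
    "wp: lat:55.899412; long:37.575460; hacc:64.000000; vacc:63.175690; "
    "alt:187.060074; speed:4.348559; course:124.105452; "
    "t:1554864639.673529; dt:1554864639.612675\n"
    "wp: lat:55.900412; long:37.575460; hacc:5.000000; vacc:4.000000; "
    "alt:188.000000; speed:4.100000; course:0.000000; "
    "t:1554864666.000000; dt:1554864666.000000\n"
    "wp: lat:55.9004; long:\n"
    "wp: lat:95.000000; long:37.575460; t:1554864670.000000\n"
)

FIELD = re.compile(r"^\s*([a-z]+)\s*:\s*(-?\d+(?:\.\d+)?)\s*$")
REQUIRED = ("lat", "long", "t")


@dataclass(frozen=True)
class Waypoint:
    lat: float
    lon: float
    when: datetime          # assumption: 't' is Unix epoch seconds, UTC
    hacc: Optional[float]   # horizontal accuracy in metres, if present


def parse_waypoint(line):
    """Return a Waypoint for one 'wp:' record, or None if it is malformed."""
    if not line.startswith("wp:"):
        return None
    fields = {}
    for part in line[3:].split(";"):
        if not part.strip():
            continue                      # trailing ';' or empty segment
        match = FIELD.match(part)
        if match is None:
            return None                   # truncated or non-numeric field
        fields[match.group(1)] = float(match.group(2))
    if any(key not in fields for key in REQUIRED):
        return None
    if not (-90 <= fields["lat"] <= 90 and -180 <= fields["long"] <= 180):
        return None
    when = datetime.fromtimestamp(fields["t"], tz=timezone.utc)
    return Waypoint(fields["lat"], fields["long"], when, fields.get("hacc"))


def haversine_m(a, b):
    """Great-circle distance in metres between two waypoints."""
    radius = 6371000.0
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = p2 - p1
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * radius * math.asin(math.sqrt(h))


def summarize(text, max_hacc=50.0):
    """Report what one activity file discloses about its owner's movements."""
    lines = [ln for ln in text.splitlines() if ln.startswith("wp:")]
    points = sorted(filter(None, map(parse_waypoint, lines)), key=lambda w: w.when)
    stamp = "%Y-%m-%dT%H:%M:%SZ"
    return {
        "records": len(lines),
        "valid": len(points),
        "start": points[0].when.strftime(stamp) if points else None,
        "end": points[-1].when.strftime(stamp) if points else None,
        "distance_m": round(sum(haversine_m(a, b)
                                for a, b in zip(points, points[1:])), 1),
        # fixes coarser than max_hacc metres say little about exact position
        "low_accuracy": sum(1 for w in points
                            if w.hacc is not None and w.hacc > max_hacc),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```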
STRAVA – DETAILS

• Photos taken by users


• \Library\Preferences\com.strava.stravaride.plist
• + basic bio
• Full Name + email
FORENSICS. DEVELOPED IN A MAC STYLE
CLOUDY DATA. EXTRACTION
RUNGAP APP. AN EXCHANGE INTERFACE FOR DATA
• DROPBOX SUPPORTS
• SPORT ACTIVITIES
• HEALTH DATA
• BODY MEASURES
• ZIPPED FILES
• ROUTES
• MAPS
RUNGAP – DETAILS

• Analytics, 3rd party sdk – Google, Facebook,


• Network
• Dropbox support to exchange & store data – highly
detailed files with a source info
• Some general activities data is available but mainly
transfer as zipped files
• Examples are on next slides
RUNGAP – DETAILS

• Analytics, 3rd party sdk – Google, Facebook,


• No useful backup data
• Activity – Raw data with geo and activity type
• LAP – similar data items like above
• Thumbimage – route with a map background
• Also Mapfingerprint, path, raw data tables
contains raw data
ALTERNATIVE SOURCES ARE NOT
SUPPORTED
ALTERNATIVE SOURCES ARE NOT
SUPPORTED. ~50 APPS W/O 2FA
• General Sport: Strava, RunGap, Pacer, Nike RUN Club & Training,
MyFitnesspal
• Gym: Smartgym, Gymaholic, GYM & Freelitcs, Flexi, Hussle, Strong
• Health & Sleep: Pillow, HeartWatch, SleepWatch, Welltory
• Summer Sports: RunKeeper, Road & Mountain Bike, iSkate, Bike
Tracks, SpeedTracker, CycleMeter, FitMeter Bike, Crono, Altimeter
• Winter Sports: Ullr & Ullr Maps, Squaw alpine, Snow forecast,
SnocRu, Slopes, Skitude, SkiTracks, Ski AR, Jolly Turns, Riders, Fatmap,
Avalanche
• Workouts: Workouts++, Running, Gymatic, Gymnotize, Muscle
Booster, Fitness buddy, Centr, Body weight, Asan Rebel, Training
(Adidas, Runtastic)
DOWNLOADS W/O RESTRICTIONS. PUBLIC DATA, BACKUP ACROSS CLOUDS
• SLEEPWATCH: SLEEP & HEART DATA
• ROADBIKE, MOUNTAIN BIKE: IMAGES ON CDN
• PACER: WORKOUTS, HEALTH & GPS
• SKITUDE: RIDER LIST AND THEIR TRACKS
SLEEPWATCH – DETAILS

• Analytics, 3rd party sdk – Google, Facebook,


• Network
• Surveys, pdf report with strong auth without
publicly available data unless developer
credentials from AWS S3 leaks
• https://sleepwatch-backend.bodymatter.io/report/pdf?report_id=xxxx
• Daily tracked sleep data
SLEEPWATCH – DETAILS

• Analytics, 3rd party sdk – Google, Facebook,


• No useful backup data
• Documents\data\*.json – Apple Watch model, last ~5 sleep
records (timeframe only)
• Body profile -
\Library\Preferences\io.bodymatter.SleepWatch.plist
ROAD BIKE, MOUNTAIN BIKE –
DETAILS
• Analytics, 3rd party sdk – Google, Facebook, Flurry
• Network
• Basic info, Cloudfront’ed images
• General and details of tracks
• Video not analyzed
• Examples are on next slides
ROAD BIKE, MOUNTAIN BIKE – DETAILS

GPS Data: longitude, latitude, altitude, accuracy, distanceInMeter, upward/downward (meters), timestamp local, timestamp gps

Session Data: timestamp (start, end), distance, duration, avg & max speed, upward/downward, heartZone values (need special device)

Speed Data: timestamp, speed, duration, distance

User Data: email, password, weight, height, gender, name, birthday
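Added example (not from the original slides): a schema audit a developer can run over a SQLite file pulled from a device backup, flagging columns that hold credentials, identity, body or location data and checking whether stored passwords look hashed. The table names, the column-name patterns and the sample rows are assumptions made for this example; only the field names come from the lists above.

```python
import re
import sqlite3

# Column-name patterns per category. The categories follow the field lists on
# the slide; the patterns themselves are this example's choice.
SENSITIVE = {
    "credential": re.compile(r"pass(word|wd)?|token|secret", re.I),
    "identity": re.compile(r"e?mail|name|birth|gender", re.I),
    "body": re.compile(r"weight|height|heart", re.I),
    "location": re.compile(r"^lat(itude)?$|^lon(g|gitude)?$|altitude", re.I),
}
# Heuristic: common password-hash prefixes or a bare hex digest.
HASH_LIKE = re.compile(r"^\$(2[aby]|argon2|pbkdf2)|^[0-9a-fA-F]{32,128}$")


def quote(identifier):
    """Quote a table or column name for use inside a SQL statement."""
    return '"' + identifier.replace('"', '""') + '"'


def build_sample_db(password="constructed-plaintext-pw"):
    """In-memory stand-in for a database extracted from a backup (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE gps_data (longitude REAL, latitude REAL, altitude REAL,
                               accuracy REAL, timestamp_gps REAL);
        CREATE TABLE user_data (email TEXT, password TEXT, weight REAL,
                                height REAL, gender TEXT, name TEXT,
                                birthday TEXT);
        INSERT INTO gps_data VALUES (37.0, 55.0, 187.0, 64.0, 1554864639.0);
        INSERT INTO gps_data VALUES (37.001, 55.001, 188.0, 5.0, 1554864666.0);
    """)
    conn.execute("INSERT INTO user_data VALUES (?,?,?,?,?,?,?)",
                 ("user@example.com", password, 80.0, 180.0, "x",
                  "Example User", "1990-01-01"))
    return conn


def audit(conn):
    """List sensitive columns, how many rows fill them, and plaintext secrets."""
    findings = []
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type='table' AND name NOT LIKE 'sqlite_%'").fetchall()]
    for table in tables:
        t = quote(table)
        columns = conn.execute(f"PRAGMA table_info({t})").fetchall()
        for _cid, col, *_rest in columns:
            category = next((name for name, rx in SENSITIVE.items()
                             if rx.search(col)), None)
            if category is None:
                continue
            c = quote(col)
            values = [row[0] for row in conn.execute(
                f"SELECT {c} FROM {t} WHERE {c} IS NOT NULL AND {c} != ''")]
            plaintext = (category == "credential"
                         and any(not HASH_LIKE.search(str(v)) for v in values))
            findings.append({"table": table, "column": col,
                             "category": category, "rows": len(values),
                             "plaintext": plaintext})
    return findings


if __name__ == "__main__":
    for finding in audit(build_sample_db()):
        print(finding)
```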


DOCUMENTS\DATABASE.SQLITE3
Where to search data (tables):
• GPS & location
• HeartRate (requires special devices)
• Session Data, Speed, User Data
• Location and geo snapshots - Documents\MapOpenCycleMap.sqlite
• User info - Documents\database.sqlite3
PACER – DETAILS

• Analytics, 3rd party sdk – Google, Facebook, Flurry, Mopub, Appsflyer, Crashlytics, Amplitude, AWS ads
• Network
• Profile data, device data, geo data,
• Data mainly stored on AWS S3 as backup files
• Workout plan & progression
• MinutelyActivityLog, DailyActivity, HeartLog
• GPS Route logs and indoor routes
• Examples are on next slides
PACER
PACER – DETAILS

• Analytics, 3rd party sdk – Google, Facebook, Flurry, Mopub, Appsflyer, Crashlytics, Amplitude, AWS ads
• No useful backup data
• \Shared\AppDomainGroup-group.cc.pacer.shareddata\Library\Preferences\group.cc.pacer.shareddata.plist
SKITUDE – DETAILS

• Analytics, 3rd party sdk – Google, Facebook, Crashlytics


• Network
• Credentials + token, basic info
• Rider list with name, photo and their tracks stored on AWS per resort you searched for
• User DB – not analyzed
• Examples are on next slides
SKITUDE – DETAILS

• Analytics, 3rd party sdk – Google, Facebook, Crashlytics


• No useful backup data
• Tracks & Images - Documents\skitude_tracking.db &
skitude_images.db
• Friends - FFData.db
• Avatar – avatar.jpg
• May also contains separate photos, videos, audio and temp data
from Apple Watch
• Examples are on next slides
SKITUDE – DETAILS
SHARING YOUR DATA. LEAKING OUT OF HEALTH APP
• INTER-ACCESS: GYMAHOLIC, WELLTORY, FATMAP, CYCLEMETER
• DISCOVERING IDS: MUSCLE BOOSTER
• TRANSFERRING: WELLTORY
• NOT CLEANING: GYMNOTIZE
SECURE APPS. NO DATA, NO ISSUES
• No backup data, no network data
• Speed tracker, Altimeter
• Workouts++, Gymatic, Flexi, Hussle, & Smart gym, BodyWeight
• Squaw alpine, JollyTurns, Avalanche
• No network data
• Pillow, SleepWatch
• Cyclemeter, FitmeterBike, Crono
• Muscle Booster
• No backup data
• Pacer, GYM & Freelitcs, Gymnotize, Centr
• Ullr & Maps, Snow Forecast, Slopes
OVERLOADED APPS

ROAD BIKE, MOUNTAIN ULLR & MAPS, SNOW ISKATE, SKITRACKS,


BIKE, ISKATE, BIKE FORECAST, SLOPES, FITNESS BUDDY, CENTR,
TRACKS, CYCLEMETER, SKITUDE, SKITRACKS, RUNKEEPER
FITMETER BIKE, FATMAP, RIDERS, FATMAP, FITNESS
RUNNING, WELLTORY, BUDDY, CENTR,
RUNKEEPER WELLTORT
ANALYTICS & SDK – 16 APPS – 50
• Google, Facebook, Crashlytics, io.branch
• Flurry, Mopub, Appsflyer, Amplitude, AWS ads
• NewRelic, Localytics, Zendesk, MixPanel
• AppAnex, Twitter, OneSignal

• Strava, RunGap, Pacer, Nike RUN Club & Training, MyFitnesspal
• Smartgym, Gymaholic, GYM & Freelitcs, Flexi
• Hussle, Strong
• Pillow, HeartWatch, SleepWatch, Welltory
• RunKeeper, Road & Mountain Bike, iSkate, Bike Tracks, SpeedTracker, CycleMeter, FitMeter Bike, Crono, Altimeter
• Ullr & Ullr Maps, Squaw alpine, Snow forecast, SnocRu, Slopes, Skitude, SkiTracks, Ski AR, Jolly Turns, Riders, Fatmap, Avalanche
• Workouts++, Running, Gymatic, Gymnotize, Muscle Booster, Fitness buddy, Centr, Body weight, Asan Rebel, Training (Adidas, Runtastic)

AMOUNT OF DATA WASTED ON ANALYTICS MODULES
• Reduced from 0.5 TB per year down to 0.063 TB
• 1 hour: 0.59 → 0.06
• 1 day: 1.76 → 0.18
• 1 week: 12.30 → 1.23
• 1 month: 52.73 → 5.27
• 1 year: 632.81 → 63.28
Total, GB (chart data)
Period       1 hour   1 day   1 week   1 month   1 year
Low, GB      0.06     0.18    1.23     5.27      63.28
Medium, GB   0.29     0.88    6.15     26.37     316.41
High, GB     0.59     1.76    12.30    52.73     632.81
[Bar chart, scale 0 to 9, one bar per app: Workouts++, HeartWatch, Smartgym, Ski AR, Ullr Maps, FitMeter Bike, SleepWatch, Jolly Turns, Slopes, Altimeter, CycleMeter, Mountain Bike, Hussle, Centr, Squaw alpine, Strong, GYM & Freelitcs, Nike RUN Club, Muscle Booster, RunKeeper, Pillow, Training (Adidas, Runtastic), SnocRu, Fatmap, MyFitnesspal]
EXTENDED SLIDES. APPS’ DETAILS

• Here you will find details and examples of the 50 analyzed apps, divided into several groups, with reference to the amount of data that can be downloaded from developers’ websites, sometimes without credentials
GENERAL SPORT CATEGORY

• Strava,
• RunGap,
• Pacer,
• Nike RUN Club & Training,
• MyFitnesspal
STRAVA
• Google, Crashlytics, Facebook, Zendesk, io.branch
• Network data is protected from MITM
• Credentials, profile and measures
• Sport gear measures if it exists
• Mainly keep on strava servers
• Geo data in backups
• Zendesk UserID & Token + Basic profile
• Photos taken by users on CloudFront
STRAVA – DETAILS

• Analytics, 3rd party sdk – Google, Crashlytics, Facebook, Zendesk, io.branch
• Network:
• Traffic is generally protected by certificate (Pinning), however
developer API doesn’t have it as a built-in feature
• Protected credentials, profile and measures related to runs, walking
stats sync but aren’t correctly incorporated to overall stats (not
supported over years)
• Gear measures if it exists
• Mainly keep on strava servers
STRAVA – DETAILS

• Geo Route details Documents\*.stravactivity


• wp: lat:55.899412; long:37.575460; hacc:64.000000;
vacc:63.175690; alt:187.060074; speed:4.348559;
course:124.105452; t:1554864639.673529;
dt:1554864639.612675

• Zendesk UserID & Token


• \Library\Preferences\com.zendesk.core.identity.plist
STRAVA – DETAILS

• Photos taken by users


• \Library\Preferences\com.strava.stravaride.plist

• + basic bio
• Full Name + email
RUNGAP – DETAILS

• Analytics, 3rd party sdk – Google, Facebook,


• Network
• Dropbox support to exchange & store data – highly detailed
files with a source info
• Some general activities data is available but mainly transfer as
zipped files

• Examples are on next slides


RUNGAP – DETAILS

• Analytics, 3rd party sdk – Google, Facebook,


• Backup data:
• Activity – Raw data with geo and activity type
• LAP – similar data items like above
• Thumbimage – route with a map background
• Also Mapfingerprint, path, raw data tables contains
raw data
PACER – DETAILS

• Analytics, 3rd party sdk – Google, Facebook, Flurry, Mopub, Appsflyer, Crashlytics, Amplitude, AWS ads
• Network
• Profile data, device data, geo data,
• Data mainly stored on AWS S3 as backup files
• Workout plan & progression
• MinutelyActivityLog, DailyActivity, HeartLog
• GPS Route logs and indoor routes

• Examples are on next slides


PACER
PACER – DETAILS

• Analytics, 3rd party sdk – Google, Facebook, Flurry, Mopub, Appsflyer, Crashlytics, Amplitude, AWS ads
• Backup data
• \Shared\AppDomainGroup-group.cc.pacer.shareddata\Library\Preferences\group.cc.pacer.shareddata.plist
NIKE RUN CLUB & TRAINING

• Analytics, 3rd party sdk – Google, Facebook, NewRelic, own
• No useful local data, much of the data is bound to Nike shoes
• Network – basic profile, achievement, shoes activity,
tracks & geo
• Data mainly stored on Nike servers
• Credentials weren’t caught
MYFITNESSPAL

• Analytics, 3rd party sdk – Google, Facebook, Amplitude, Zendesk, Mopub, AWS, Crashlytics, io.branch
• Network
• No credentials (encrypted one is used)
• Profile info + avatar from cloudfront
• Body measures, timeline activity, messages

• Examples on next slides


MYFITNESSPAL
MYFITNESSPAL
User profile Pics → com.myfitnesspal.android/cache/Picasso-cache
User profile Pics /sdcard/

/data/data/com.myfitnesspal.android/databases/myfitnesspal.db
Documents\maindb.sqlite
• User details including time zone, gender, date of birth and email - in tables <user_properties, users> - see a pic
• User profile pictures - in table <images>
• User personal notes - in table <diary_notes>
• User records of exercises, food habits and personal measurements - in tables <exercise_entries; exercises; food_entries; foods; measurement_types; measurements>
• User last synched items with the server - in table <last_sync_pointers>
• User food search history - in table <search_history>
• Examples on next slides
GYM SPORT CATEGORY

• Smartgym,
• Gymaholic,
• GYM & Freelitcs,
• Flexi,
• Hussle,
• Strong
SMARTGYM

• Analytics, 3rd party sdk – Flurry


• No useful backup data
• No useful network data
GYMAHOLIC

• Analytics and 3rd party SDKs – Google, Twitter, Localytics
• Backup Data:
• Strava & runkeeper tokens in \Library\Preferences\mportal.Gymaholic.plist
• Details per a training plan + calories \Documents\gymaholic.sqlite

• Network
• Credentials, even Strava credentials, were caught in plaintext, which usually never happens
• General workout data after payment is done
GYM & FREELITCS

• Analytics, 3rd party sdk – Google, Facebook, Crashlytics, Appsflyer
• Backup data
• Basic info : Full Name, email, gender, body measures in plist files
of \Documents\ folder

• Network
• Credentials, workout plan, paid option, messages, selected
coach, progress
FLEXI

• Analytics, 3rd party sdk – Google, Facebook, Crashlytics, io.branch
• No useful backup data
• No useful network data
HUSSLE

• Analytics, 3rd party sdk – Google, Facebook, Crashlytics


• No useful backup data
• No useful network data
STRONG
• Analytics, 3rd party sdk – Google, Facebook, Crashlytics, io.branch
• Network
• Credentials, general profile data + public url of avatar stored on AWS S3
• https://strong-prod.s3.amazonaws.com/7d4dc7d03a7d5a9b964c1ef8f0951a99_3028C9B3-412A-4501-AEA2-8FA26D1B2B58.jpg

• Analytics, 3rd party sdk – Google, Facebook, Crashlytics, io.branch


• Backup data
• Training details & Measures, including basic user info in
\Documents\Strong4.sqlite

• Examples on next slides


STRONG
HEALTH SPORT CATEGORY

• Pillow,
• HeartWatch,
• SleepWatch,
• Welltory
PILLOW
• Analytics, 3rd party sdk – Google, Crashlytics, Mixpanel, Flurry, Appsflyer
• Backup Data
• Sleep details & raw data - \Library\Application Support\PillowSleepData.sqlite
• Diagram of the last month \Shared\AppDomainGroup-group.com.neybox.Pillow\Library\Preferences\group.com.neybox.Pillow.plist
• No useful network data
HEARTWATCH

• No analytics, 3rd party sdk


• No network data checked
• Backup data
• \Library\Preferences\com.tantsissa.Heartbeat.plist
• \HeartWatch\Documents\YYYYMMDDSleep.txt,
YYYYMMDDDetails.txt, YYYYMMDDWorkout.txt,
YYYYMMDDSummary.txt
• Examples on next slides
HEARTWATCH

• No analytics, 3rd party sdk


• No network data checked
• No useful backup data
• \Library\Preferences\com.tantsissa.Heartbeat.plist
• \HeartWatch\Documents\YYYYMMDDSleep.txt,
YYYYMMDDDetails.txt, YYYYMMDDWorkout.txt,
YYYYMMDDSummary.txt
SLEEPWATCH

• Analytics, 3rd party sdk – Google, Facebook,
• Network
• Surveys, pdf report with strong auth without publicly available data unless developer credentials from AWS S3 leaks
• https://sleepwatch-backend.bodymatter.io/report/pdf?report_id=xxxx
• Daily tracked sleep data
SLEEPWATCH

• Analytics, 3rd party sdk – Google, Facebook,


• Backup data
• Documents\data\*.json – Apple Watch model, last ~5 sleep
records (timeframe only)
• Body profile -
\Library\Preferences\io.bodymatter.SleepWatch.plist
WELLTORY

• Analytics, 3rd party sdk – Google, Facebook, Crashlytics, Appsflyer, io.branch
• Network
• Credentials, avatar, daily tracks & surveys
• Health data from AppleHealth is transferred out of the sandbox
• List of connected sources (health providers)
• Source credentials if allowed
• Examples on next slides
WELLTORY
• Backup Data
• Logs – AWS keys, useful to download routes from AWS S3
• GEO data
• Route Tracker
• Place = Documents\journeyLogs\YYYYMMDD.log [backup]
• /var/mobile/Containers/Data/Application/6DDA7D12-451B-432D-9865-0777D6A7B4BA/Documents/journeyLogs/YYYYMMDD.log [out of backup]
• ),run_in_foreground:0,meta_user_enabled:0,allow_inaccurate_stationaries:0,trip_timeout:0,crash_detection_spee
d_check:0,required_location_providers:(null),crash_detection_config:(null),sdk_logs_aws_credentials:TSENTAWSCr
edentials(access_key:"AKIATQGKZ2IE4PE5YR5C",secret_key:"1/szK855FgeqBP8W2f9oB3SBbHcr8Bh2zd07Gcor
",shard_key:"80",endpoint:"amazonaws.com",region:"eu-west-1",bucket_name:"sentiance-u1-sdk-
logs"),fake_location:(null),payload_submission_category:{

• SLC: 55.898896, 37.586948 (65.000000m) at 21/10/2019 5:56:05 AM Accuracy:65.000000

• Location will trigger unconfirmed moving state. Location: <+55.89889586,+37.58694751> +/- 65.00m (speed
-1.00 mps / course -1.00) @ 21.10.2019, 8:56:05 AM Moscow Standard Time. Region: CLCircularRegion
(identifier:'SENTGeofenceRegionStationary', center:<+55.90087891,+37.57366085>, radius:50.00m)
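Added example (not from the original slides, and not the SDK's own code): a scanner that flags AWS key material in log text laid out like the excerpt above, plus a logging filter that redacts it before anything is written to a file a backup would include. The sample line is constructed; its key pair is the placeholder used in AWS documentation and the bucket name is made up.

```python
import io
import logging
import re

# Constructed log lines in the layout shown on the slide (placeholder keys).
SAMPLE_LOG = (
    'meta_user_enabled:0,sdk_logs_aws_credentials:TSENTAWSCredentials('
    'access_key:"AKIAIOSFODNN7EXAMPLE",'
    'secret_key:"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",'
    'shard_key:"80",endpoint:"amazonaws.com",region:"eu-west-1",'
    'bucket_name:"example-sdk-logs"),fake_location:(null)\n'
    'SLC: 55.000000, 37.000000 (65.000000m) Accuracy:65.000000\n'
)

# Access key IDs: long-term (AKIA) and temporary (ASIA), 20 characters total.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# A 40-character secret in a field that is explicitly named secret_key.
SECRET_FIELD = re.compile(r'(secret_key\s*[:=]\s*")([A-Za-z0-9/+=]{40})(")')
# Fields that tell a reviewer which resource the leaked key belongs to.
CONTEXT = re.compile(r'\b(region|bucket_name|endpoint):"([^"]*)"')


def scan(text):
    """Return one finding per line that carries a key ID or a named secret."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        key_ids = ACCESS_KEY_ID.findall(line)
        has_secret = SECRET_FIELD.search(line) is not None
        if key_ids or has_secret:
            findings.append({
                "line": number,
                # masked so the report itself does not leak the key
                "key_ids": [k[:4] + "..." + k[-4:] for k in key_ids],
                "has_secret": has_secret,
                "context": dict(CONTEXT.findall(line)),
            })
    return findings


def redact(text):
    """Replace secrets and key IDs, keeping the rest of the line intact."""
    text = SECRET_FIELD.sub(r"\1[REDACTED]\3", text)
    return ACCESS_KEY_ID.sub(lambda m: m.group(0)[:4] + "[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Scrub credentials from a record before the handler formats it."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def logged_output(message):
    """Log one message through the filter and return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    logger = logging.getLogger("sdk-log-demo")
    logger.handlers[:] = [handler]
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.info(message)
    return stream.getvalue()


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
    print(logged_output(SAMPLE_LOG.splitlines()[0]))
```

A hit from `scan` on a shipped log means the key must be rotated; redaction only stops the next leak.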
WELLTORY
• Analytics & 3rd party sdk – Crashlytics, Google,
intercom-chat
• Backup Data
• Library\UserProfile\avatar.jpeg
• AWS keys
• Place = Documents\SentFiles\configurationDir\config.bin
• Documents\SentFiles\deviceInfoDir\deviceinfo.bin
WELLTORY
• Backup Data
• \Documents\com.SENTModel.sqlite
• Raw logs, Raw sensor data – not analyzed yet
• Library\Application Support\com.welltory.client\*.json
• Third-party sport & health apps config to import into welltory
• Library\PrivateDocuments\io.intercom.ios\Identity.icm
SUMMER SPORT CATEGORY

• RunKeeper,
• Road & Mountain Bike,
• iSkate, Bike Tracks,
• SpeedTracker,
• CycleMeter,
• FitMeter Bike,
• Crono,
• Altimeter
RUNKEEPER

• Analytics, 3rd party sdk – Google, Facebook, Amplitude, Crashlytics, Appsflyer
• Network
• Shoes data, Public profile image url, general data + birthday,
geo, weight tracking
• No creds found?

• Examples on next slides


RUNKEEPER
RUNKEEPER

• Analytics, 3rd party sdk – Google, Facebook, Amplitude, Crashlytics
• Backup data
• cachedMapImages – tracking with rare mapping background
• \Library\Preferences\RunKeeperPro.plist
• Public profile https://profile-pic.runkeeper.com/57cQPVW3UyFNn1KrKIsQLzUn_norm.jpg
• \Library\Preferences\group.com.runkeeper.tracking.plist
• Birthday, Name, email, country
• \Documents\RunKeeper.sqlite = Raw data of
• Feed: Name, Profile Image URL, distance, duration
• History: Activity type, time, date, Calories,
• Points: Lat.,Long.,Alt, distance
• Trips list
• Trip_settings: list of userWeight, activity, userID
• Weight history: list of weight & date
~30 mHEALTH APPS
RUNKEEPER
• User profile Pics /fitnesskeeper.runkeeper.pro/cache/Picasso-cache
/fitnesskeeper.runkeeper.pro/databases/RunKeeper.sqlite
• User details including activities, trips
• Trips deleted by user - in table <deleted_trips>
• Activities posted by user - in table <feed>
• List of user’s friends - in table <friends>
• Images uploaded during trips by user - in table <status_updates>
• User settings for each trip - in table <trip_settings>
• Places visited during all the trips - in table <points>
• Information about each trip - in table <trips>

• More tables
• The points table is to locate the map coordinates of a user’s route
ROAD BIKE, MOUNTAIN BIKE –
DETAILS
• Analytics, 3rd party sdk – Google, Facebook, Flurry
• Network
• Basic info, Cloudfront’ed images
• General and details of tracks
• Video not analyzed

• Examples are on next slides


ROAD BIKE, MOUNTAIN BIKE – DETAILS

GPS Data: longitude, latitude, altitude, accuracy, distanceInMeter, upward/downward (meters), timestamp local, timestamp gps

Session Data: timestamp (start, end), distance, duration, avg & max speed, upward/downward, heartZone values (need special device)

Speed Data: timestamp, speed, duration, distance

User Data: email, password, weight, height, gender, name, birthday


DOCUMENTS\DATABASE.SQLITE3
Where to search data (tables):
• GPS & location
• HeartRate (requires special devices)
• Session Data, Speed, User Data
• Location and geo snapshots - Documents\MapOpenCycleMap.sqlite
• User info - Documents\database.sqlite3
ISKATE

• Analytics or 3rd party SDKs – Facebook, Flurry, Appsflyer, Crashlytics
• Network
• Maps, received email, basic profile, routes, Credentials
ISKATE
• No analytics or 3rd party SDKs
• Backup data
• Map & routes + 2d map
• \Documents
• Credentials in [\Library\Preferences\iSkate.plist]
• Trip measures in [\Shared\AppDomainGroup-group.com.valleydevteam.sportsgroup.iSkate\Library\Preferences\group.com.valleydevteam.sportsgroup.iSkate.plist]
ISKATE

• No analytics or 3rd party SDKs


• No useful backup data
• Map & routes + 2d map
• \Documents
• Credentials in [\Library\Preferences\iSkate.plist]
• Trip measures in [\Shared\AppDomainGroup-group.com.valleydevteam.sportsgroup.iSkate\Library\Preferences\group.com.valleydevteam.sportsgroup.iSkate.plist]
BIKE TRACKS
• Analytics, 3rd party sdk – Google, Facebook,
• Network
• Credentials, activities & track detail in zipped json files
BIKE TRACKS

• Analytics, 3rd party sdk – Google, Facebook,
• Backup data
• Tracklist in [\Library\Preference\com.corecoders.BikeTracks.plist]
• Track details & photos in \Documents\Routes or Trash
SPEED TRACKER

• Analytics, 3rd party sdk – Google, Facebook, AppAnex (GPS/Car Tracker, DVR cameras)
• No useful backup data
• No useful network data
CYCLEMETER

• Analytics, 3rd party sdk – Google, Facebook, Crashlytics
• Backup data
• \Documents\Meter.db – highly detailed runs + MyFitnessPal token

• Network
• No credentials are required
• General profile, geo + nearest
valuable place, like airport

• Examples on next slides


FITMETER BIKE

• Analytics, 3rd party sdk – Google, Facebook


• No useful network data
• Backup data
• \Documents\CycleComputer.sqlite
CRONO

• Analytics, 3rd party sdk – Google, Facebook, io.branch


• No useful network data
• Backup data
• \Shared\AppDomainGroup-group.de.j-gessner.Crono – basic
track details, geo, elevation, altitude
ALTIMETER

• Analytics, 3rd party sdk – Google, Twitter, Facebook


• No useful network data
• No useful backup data
WINTER SPORT CATEGORY

• Ullr & Ullr Maps,
• Squaw alpine,
• Snow forecast,
• SnocRu,
• Slopes,
• Skitude,
• SkiTracks,
• Ski AR,
• Jolly Turns,
• Riders,
• Fatmap,
• Avalanche
ULLR

• Analytics, 3rd party sdk - Google, Facebook
• No useful data in backup data
• Network:
• Credentials + token
• Near located parks + park searches
SQUAW ALPINE

• Analytics, 3rd party sdk – Google, Facebook, OneSignal (push delivery system), Twitter
• No useful backup data
• Network
• Name, Email, no password is required, resortInfo, nearest geo
SNOW FORECAST

• Analytics, 3rd party sdk – Google, Facebook, OneSignal


• No useful backup data
• Network:
• Credentials + token
• Name & geo Place alerts by a token
SNOCRU

• Analytics, 3rd party sdk – Google, Facebook, Twitter, Crashlytics, Appsflyer, io.branch
• No useful backup data
• Network
• Basic profile, credentials, CRU info, activities, resorts & nearest places
SLOPES

• Analytics, 3rd party sdk – Google, Facebook, Crashlytics


• No useful backup data
• Network credentials + avatar
SKITUDE – DETAILS

• Analytics, 3rd party sdk – Google, Facebook, Crashlytics


• Network
• Credentials + token, basic info
• Rider list with name, photo and their tracks stored on AWS per resort you searched for
• User DB – not analyzed

• Examples are on next slides


SKITUDE – DETAILS

• Analytics, 3rd party sdk – Google, Facebook, Crashlytics


• Backup data
• Tracks & Images - Documents\skitude_tracking.db &
skitude_images.db
• Friends - FFData.db
• Avatar – avatar.jpg
• May also contains separate photos, videos, audio and temp data
from Apple Watch
• Examples are on next slides
SKITUDE – DETAILS
SKI TRACKS

• Analytics, 3rd party sdk – Google, Facebook,


• Network
• Credentials only
SKI TRACKS

• Analytics, 3rd party sdk – Google, Facebook,


• Backup data
• Track list, activity type, email = \Library\Preferences\com.corecoders.SkiTracks.plist
• Track details = \Library\SkiTracks\Tracks\Track00000.ski\
• Event.xml
• Segment.csv
• Track.xml

• Examples on next slides


SKI AR

• Analytics, 3rd party sdk – Google, Facebook,


• No useful backup data
• Except photo, graph, model data of mountains

• Network
• Credentials + a hash as a token
RIDERS

• Analytics, 3rd party sdk – Google, Amplitude, Flurry, io.branch, MixPanel, Newrelic
• No useful backup data
• Network
• Credentials, Level & skills, Photo, Profile Info, Rider’s photos

• Examples on next slides

"photo": "http://ucarecdn.com/b7e14a7e-641f-4a64-9b35-16295b4c9bd9/-/quality/lighter/-/sharp/3/",
JOLLYTURNS

• Analytics, 3rd party sdk – Google, Facebook, Crashlytics


• No useful backup data
• Network:
• No credentials are required to use it. Signing via Google,
Facebook, or Microsoft account (rarely)
• General resort info + non-resizable map

• Examples on next slides


FATMAP

• Analytics, 3rd party sdk – Google, Facebook, io.branch, Appsflyer, Mixpanel, Flurry, Crashlytics
• Backup data
• \Documents\user_geo_json_341083.json – use geo data
• \Documents\RCTAsyncLocalStorage_V1\manifest.json – resort details

• Network
• Credentials & account info
• Also use a Strava account, however an account token
is stored out of backup
AVALANCHE

• No Analytics, 3rd party sdk


• No useful backup data
• Full name & email
• Network – no useful network data
WORKOUTS SPORT CATEGORY

• Workouts++,
• Running,
• Gymatic,
• Gymnotize,
• Muscle Booster,
• Fitness buddy,
• Centr,
• Body weight,
• Asan Rebel, Training (Adidas, Runtastic)
WORKOUT++

• No analytics & 3rd party sdk


• No local data in backups
• No network data
RUNNING

• Analytics, 3rd party sdk – Google, Facebook, Crashlytics, Twitter, Mopub,
• Backup Data
• \Shared\AppDomainGroup-group.com.grinasys.runningforweightlosspro\state.archive – basic workout progress & general measures
• \Documents\*.sqlite – details training & measures

• No useful network data until paid?


GYMATIC

• Analytics, 3rd party sdk – Google, Facebook, Flurry, Crashlytics
• No useful backup data
• No useful network data
GYMNOTIZE
• Analytics, 3rd party sdk – Facebook
• No useful network data
• Backup Data
• iCloud stored data
• \Documents\CoreDataUbiquitySupport\mobile~A0A01221-82A6-4647-8965-3072588EEB84\persistentStore_ICLOUD\B71A3BF1-A6F3-4405-B3AF-EDD12321A4E8\store\persistentStore_ICLOUD
• Also Documents\persistentStore_LOCAL & persistentStore_SEED contains training data incl. username
MUSCLE BOOSTER
• Analytics, 3rd party sdk – Google, Facebook,
Amplitude, Crashlytics, Appsflyer,
• Backup Data
• Video & Audio tracks of watched training plan -
\Documents\Downloads\*
• Plus, URLs in file
[\Library\Preferences\com.musclebooster.plist]
• User info
• {"name":"Yury Chemerkin
","goal":"muscle_gain","weight":88.23,"is_paid":false,"
user_id":"87564","units":"metric","workouts_completion
":{"total_completed":0,"target":28},"height":184,"fitnes
s_level":"advanced","date_of_birth":"1988-06-05
00:00:00","is_trial":false,"gender":"male","email":"Yur
y.chemerkin@gmail.com"}

• Network
• No credentials if no premium account, goals, body
measures, workout plan + audio & video content
FITNESS BUDDY

• Analytics, 3rd party sdk – Google, Facebook, Crashlytics, io.branch, Appsflyer, Mopub, Flurry
• No useful backup data
• Basic info : Full Name, email, gender, birthday, body measures in json & plist files of \Library\ folder
• Network
• profile info, avatar, ‘stolen’ facebook ID
• Goal, body measures, credentials
CENTR

• Analytics, 3rd party sdk – Google, Facebook, Crashlytics, Appsflyer
• No useful backup data
• Network
• credentials + token, workout plan after premium with
details of exercises done
BODY WEIGHT

• Analytics, 3rd party sdk – Google, Facebook,


• No useful backup data
• No useful network data
ASAN REBEL

• Analytics, 3rd party sdk – Google, Crashlytics, Amplitude, Facebook, Flurry
• Network
• Profile info, device & environment details, Credentials, Music preferences, workout general data
• Avatar on AWS publicly available https://rebelyoga-production-frankfurt.s3.eu-central-1.amazonaws.com/0dd3dcf8-dfc3-4508-8931-23da6c5982a3/440B20D6-E9A0-4194-A6DD-7CCAE58709C1.jpg
ASAN REBEL

• Analytics, 3rd party sdk – Google, Crashlytics, Amplitude, Facebook, Flurry
• Backup data
• Device details, basic bio & body measures -
\Library\Preferences\com.asanayoga.asanarebel.plist
• Downloaded content (text, video, etc.) in
\Documents\Downloads\*
ADIDAS TRAINING (RUNTASTIC)

• Analytics, 3rd party sdk – Google, Twitter, Facebook, Flurry, mopub, io.branch
• Backup data
• Avatar in \Shared\AppDomainGroup-group.com.runtastic.results.lite\Library\Preferences\group.com.runtastic.results.lite.plist
• Network
• credentials, Avatar, basic info, body measures
• Examples on next slides
ADIDAS TRAINING (RUNTASTIC)
BREAKING SMART.
HACKING HEALTH, WEARABLE AND
SMART APPS TO PREVENT LEAKING
YURY CHEMERKIN
SEND A MAIL TO: YURY.S@CHEMERKIN.COM

HOW TO CONTACT ME ?
ADD ME IN LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
