gms | German Medical Science

64. Jahrestagung der Deutschen Gesellschaft für Medizinische Informatik, Biometrie und Epidemiologie e. V. (GMDS)

Deutsche Gesellschaft für Medizinische Informatik, Biometrie und Epidemiologie

08. - 11.09.2019, Dortmund

Analysing Fitness Tracker Apps Data Transmission Behaviour

Meeting Abstract

Suche in Medline nach

  • Maryna Khvastova - Hochschule für Technik und Wirtschaft Berlin, Centrum für biomedizinische Bild- und Informationsbearbeitung, Berlin, Germany
  • Michael Witt - Hochschule für Technik und Wirtschaft Berlin, Centrum für biomedizinische Bild- und Informationsbearbeitung, Berlin, Germany
  • Dagmar Krefting - Hochschule für Technik und Wirtschaft, Berlin, Germany

Deutsche Gesellschaft für Medizinische Informatik, Biometrie und Epidemiologie. 64. Jahrestagung der Deutschen Gesellschaft für Medizinische Informatik, Biometrie und Epidemiologie e.V. (GMDS). Dortmund, 08.-11.09.2019. Düsseldorf: German Medical Science GMS Publishing House; 2019. DocAbstr. 104

doi: 10.3205/19gmds079, urn:nbn:de:0183-19gmds0798

Veröffentlicht: 6. September 2019

© 2019 Khvastova et al.
Dieser Artikel ist ein Open-Access-Artikel und steht unter den Lizenzbedingungen der Creative Commons Attribution 4.0 License (Namensnennung). Lizenz-Angaben siehe



Introduction: Fitness trackers are increasingly used worldwide since the last five years [1]. People track their physical activity and body functions [2] to aim for a healthier lifestyle and body [3], [4]. However, collected data contains sensitive personal information that needs to be protected [5], [6], [7], [3], [4], [8], [9]. As these personal health measures are now ubiquitous and easy to produce, there is increasing interest in such systems integrated into medical care and may drastically change the health insurance system.

We present an overview about the data collected by selected fitness tracking applications and evaluate their behavior as well as compliance before and after the GDPR became effective.

Methods: The following models were chosen with appropriate applications: Fitbit Charge (Fitbit App), Xiaomi Mi Band 2 (Mi Fit App), Mpow (VeryFit 2.0 App), Polar Loop (Flow App), Huawei Honor Band 3 (Huawei Wear App). The application tests were conducted on Android and iOS devices. To evaluate the data that was synchronised between host device and app the Man-in-the-Middle test was performed with the help of Mitmproxy toolkit ( The Privacy Policy of each manufacturer was analyzed regarding agreement with the transferred data.

Results: All apps gather information about host and mobile settings by default. This includes International Mobile Equipment Identity (IMEI), mobile brand, model, OS version, system type, cookies, user agent information (for example, iPad, iOS 12.0, Scale/2.00), app name and version, country, language, time zone, and unique app token. They all establish connections with multiple servers that are hosted in manufacturer country. All apps use transport encryption, except Mpow, that uses an unknown end-to-end encoding. Analyzing tools such as Mixpanel ( are present in the Fitbit App and Google Analytics ( in the Flow App that collect usage data of the application and also personal data such as user session ID, events (app actions, trainings), and duration of the events. All tested applications, except Huawei Wear, store personal information on remote servers (weight, age, profile picture, date of birth, name, e-mail, gender, trainings and nutrition logs). Fitbit, Polar, Mpow and Xiaomi transfer more data than mentioned in their privacy policy. The connection with Xiaomi servers is active in background. Huawei Honor Band 2 has GDPR-compliant security settings and saves data only locally on the device. The only connection observed was to during usage of the app. Only general device information such as device name and operating system are transferred.

Discussion: The experiment shows that for most of the examined devices compliance with data protection according to Federal Data Protection Act (BDSG) and EU-GDPR is not given. Information about personal data collection (Art. 13 GDPR) is missing and most apps incorporate Google and Facebook SDKs tracking. Custom security settings in Apps are poor or missing completely.

The test shows that there are many apps gather the user’s personal data and personal profile can be created.

The authors declare that they have no competing interests.

The authors declare that an ethics committee vote is not required.


Statista. Wearables - Absatz weltweit bis 2018. [Accessed: 2019 Mar 18]. Available from: Externer Link
Kaewkannate K, Kim S. A comparison of wearable fitness devices. BMC public health. 2016 Dec;16(1):433.
Bender CG, Hoffstot JC, Combs BT, Hooshangi S, Cappos J. Measuring the fitness of fitness trackers. In: 2017 IEEE Sensors Applications Symposium (SAS); 2017 Mar 13-15; Glassboro, NJ. Piscataway, NJ: IEEE; 2017. p. 1-6.
Goyal R, Dragoni N, Spognardi A. Mind the tracker you wear: a security analysis of wearable health trackers. In: Proceedings of the 31st Annual ACM Symposium on Applied Computing; 2016 Apr 4-8; Pisa, Italy. New York, NY: ACM; 2016. p. 131-136.
Classen J, Wegemer D, Patras P, Spink T, Hollick M. Anatomy of a vulnerable fitness tracking system: Dissecting the fitbit cloud, app, and firmware. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies. 2018 Mar 26;2(1):5.
Mendoza F, Alonso L, López A, Cabarcos PA. Assessment of Fitness Tracker Security: A Case of Study. Proceedings. 2018;2(19):1235.
Fereidooni H, Frassetto T, Miettinen M, Sadeghi AR, Conti M. Fitness trackers: fit for health but unfit for security and privacy. In: 2017 IEEE/ACM International Conference on Connected Health: Applications, Systems and Engineering Technologies (CHASE); 2017 Jul 17; Philadelphia, PA. Piscataway, NJ: IEEE; 2017. p. 19-24.
Quandt R. Samsung will Fitbit & Co. mit neuen Fitness-Armbändern an den Kragen. [Accessed: 16 July 2019]. Available from:,107522.html Externer Link
Zhou W, Piramuthu S. Security/privacy of wearable fitness tracking IoT devices. In: 2014 9th Iberian Conference on Information Systems and Technologies (CISTI); 2014 Jun 18-21; Barcelona, Spain. Piscataway, NJ: IEEE; 2014. p. 1-5.