Over the weekend some friends suggested, I should post the story about the Runtastic privacy bug in English. So, let’s see what happens.
For the last 3 years I was using Runtastic as my running app. I do marathons on a low level and the app had everything I needed (except for tagging the shoes). Especially helpful is the option to import and export the data. Furthermore as a German I liked the idea of an Austrian startup.
I even became a Gold member. Soon after the first doubts popped up in my mind. I saw again and again discount campaigns for the premium program. Also I was annoyed by so many upselling banners in the app. If I pay for a software I want to be left alone and not attacked by aggressive advertising. Then Runtastic was sold to German media conglomerate Axel Springer, a company with a rather doubtful image in Germany.
And now this: I run a digital consultancy and shortly before my vacation in late October, we got a new client. Besides strategic work we run their Twitter account for them. And suddenly Runtastic posted my run on this clients‘ account. I never typed in the password to this account on Twitter, I was never asked permission by Runtastic to use this account.
Looking on the app it’s not even possible to easily cut the connection between Runtastic and Twitter.
I also wondered: Why didn’t I notice that there is such a connection? The answer was easy: Before this incident, Runtastic posted on another account, which I hadn’t used for a long, long time. The only account it didn’t use was my main one for which I made the connection many moons ago. After some days of thought I realised: It never posted on this main account – so I thought, the connection to Runtastic didn’t work and I forgot about it.
So Runtastic was posting on two accounts for which it neither explicitly had a password nor a permission. It changed the accounts without noticing me.
I contacted the support and got a rather cryptic response:
„Unfortunately you can only set up one account, it’s always the first in the Twitter list which is generated automatically and can’t be changed.“
Twitter list? Which Twitter list? I replied:
„… this can’t be right. The account mentioned was started as the last one. Which means: The preferences weren’t changed by me. And what is a ,Twitter list‘?“
„…What I wanted to add is, that this is a known problem and our developers are working on it.
Should you have any further questions, please feel free to contact us.“
A KNOWN problem?
Since when? And why is there no warning for users?
Runtastic CEO Florian Gschwandtner, asked by digital strategist Björn Kaas, gave us an insight on what Runtastic is doing:
@bang1000 Ist nicht richtig so, da wir nur Accounts nehmen, die der User über iOS direkt authentifiziert. Somit is das ein gültiger Account
— Florian Gschwandtner (@f_gschwandtner) 24. November 2014
„This (blog article) is not correct, as we only use accounts that the user has authentified over iOS. With this it’s a valid account.“
Which means: It grabs permission from iOS to use all accounts. But obviously it’s not possible to determine, which account it will post on – not even for Runtastic themselves. It’s just posting randomly on any account that is connected via iOS.
I call this a major privacy and data security bug. Runtastic knows about it and does nothing to inform their users.