The Fitbit Gallery is a one-stop store for approved Fitbit apps, such as Spotify or Starbucks Card. While Fitbit manually scans every published Gallery app for malware, shareable "private" apps don't get the same treatment. If someone emails you a download link for a Fitbit app, ignore it!
Fitbit lets developers upload "private" apps to the Gallery to aid in testing. Unfortunately, anyone with the download link can install a private app, and private apps bypass Fitbit's manual review. Bad actors can therefore share a private download link to spread data-collecting malware, a risk identified by Kevin Breen and publicized by BleepingComputer.
Kevin Breen, director of threat research at Immersive Labs, successfully uploaded a malicious private app to the Gallery and used it to collect GPS location, heart rate, height, and age data from test devices. On Android, the malicious app could also read any calendars linked to the Fitbit. Breen could even configure the app to scan and access network devices such as routers and firewalls, thanks to the Fitbit fetch API, which lets an app make outbound network requests.
Fortunately, Kevin Breen reported his research to Fitbit, which responded by adding warnings to private app downloads. Fitbit also plans to make private app permissions off by default, so users must manually grant access to their age, contacts, and other information. As always, Fitbit scans Gallery apps for malicious code before they're published to the public Gallery page.
Source: Kevin Breen via BleepingComputer