As the demand for consumer wearables, including smart bands and fitness trackers, is rising, serious concerns over data privacy and security issues are coming into the spotlight. Despite the extensive interaction, users are rarely aware of when and what data are shared on the internet, by their smart devices, as well as completely unaware of the fact that their data being stored and resold is a common practice. Personal data are a digital, easy to resell, product, and users seem to be in agreement with the idea that all their internet activity is constantly being monitored. For advertisers, data collected in such large quantities, enables targeting the right audience, in the right place, at the right time, with the right message. This brings to the surface considerable data protection risks. Creating huge volumes of data makes data management one of the most critical challenges for IoT infrastructures. As fragmentation across the many IoT actors grows, so does the importance of data laws, regulations, and policies [1
]. The legal framework of General Data Protection Regulation (GDPR) entered into force in 2016 after passing the European Parliament, and, as of May 25 2018, all organizations are required to be compliant. Privacy and data protection have always been a priority for the European Union’s law policy, thus the European Commission began adjusting its policies, to gradually develop the GDPR framework (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation) https://eur-lex.europa.eu/eli/reg/2016/679/oj
(accessed on 26 June 2021)). In order to protect privacy and establish consent from a data subject in every case, it includes strict rules on the basis of the following seven principles:
The EU-GDPR supports all legal process activities in order to create a balanced and simplified regulatory environment, for both European Union businesses and citizens. An important aspect of the new regulation is the way personal data is defined, being considered as a person’s valuable asset. The new legislation is on track with technological advancements, such as Internet of Things (IoT) and Big Data paradigms, for which data collection and analysis are of the utmost importance. It aims to cover all aspects, by strongly considering technical terms, such as the internet protocol (IP) addresses, location data, and other attributes, that can be used to identify an individual. Protecting fundamental human rights and ensuring citizens’ privacy in a holistic way has always been a driving force for the legal frameworks developed by the associated European Union’s committees and GDPR is considered the most priority in all means for those rights when it comes to the digital world. In order to keep pace with the technological advancements that are rapidly adopted by citizens globally, the European Union acted decisively and rigorously over the most important issues uncovered by the IoT era, including the ubiquitous privacy challenges of the casual wearables’ usage.
Modern wearable devices are tiny, inexpensive, consume little power, and offer continuous monitoring and measurement of the users’ physical and physiological status. Referring to miniaturized electronic devices that are incorporated into different types of accessories and clothing, “wearables” can be attached to the user’s body and collect a great amount of helpful but often sensitive information [2
]. The various and innovative opportunities that wearable technology offers, led to the quick and global adoption of smart devices and tracking bands by the general population, as well as by many manufacturing companies that use wearables as hands-free guidance tools in order to improve productivity [3
]. As hardware components become smaller and power sources become more efficient, the development of multifunctional wearable devices has emerged into a significant consumer market, which is expected to reach USD 150 billion by 2027, with a compound annual growth rate of 20.5% since 2020 [4
In this work, we focus on smartwatches and fitness trackers that are the most popular due to mobility and connectivity capabilities [5
]. Smartwatches and fitness wristbands are continuously connected to each user’s mobile device and use a large variety of sensors and modules, including microphones, GPS trackers, accelerometers, cameras, and more, in order to ease the access to data and offer important information, alerts, or even recommendations to them [6
]. Although usage of such devices has spread widely as a part of everyday lifestyle, and aims to improve individuals’ wellbeing, it entails several personal data privacy concerns [7
]. New practices, paradigms, and technologies are raising the questions that this study focuses on answering:
Is data privacy and security established for the popular wearable devices in the new, GDPR, era?
What are the privacy risks that users may encounter using fitness tracking applications, smart devices, and wearable technology?
In order to answer the above questions, an overview of past research on security and privacy vulnerability issues, as well as real time analysis of the data transmitted by wearable devices, through widely used fitness tracking applications, was required. By monitoring such apps and comparing the results with the literature’s findings, potential risks, as well as their severity, can be identified and addressed in the future, in order to enhance security and ensure privacy. In order to answer the above research questions, privacy and security issues were examined for the activity tracking applications: Xiaomi Mi Fit, Samsung Health, Shenzhen, FitPro, Huawei Health, and Sony Lifelog. Through a man-in-the-middle attack, data collected by the above applications were monitored and further examined. These devices were selected due to their popularity, as well as the variety of existing research on them. For instance, Xiaomi Mi band and the associated application Mi Fit has been examined and was characterized as a “secure by design” device, although many weaknesses have been found in the Mi Fit Software [8
]. Huawei Health has also been a matter of research [9
] and although some advertising packets were found to be transmitted to third party providers, the fact that Huawei Watch is using the number comparison mode, one of the Bluetooth pairing modes, results in the inability to passive eavesdrop, making it impossible to intercept network traffic between the device and the application.
For the purpose of this study, all the hardware access requests granted were recorded, listed, and evaluated according to the potential risks and vulnerabilities stated in the literature [10
]. Vulnerability is defined as a weakness that can be exploited by one or more threats or a flaw in a system’s design, implementation, or operation and management that could be exploited. Data collected and stored in IoT devices may hold sensitive information, bringing to the surface security threats and known exploits of current IoT infrastructures [13
]. As networked devices grow more common, so are cyber-attacks. The fundamental right to digital privacy is defined by the General Data Protection Regulation (GDPR), which brings the users’ concerns over sensitive data to the surface and aims to act as an opportunity to ensure trust in the new technological era. The regulation affects any company or organization that processes data of citizens based in Europe and is focusing on the protection of any person’s sensitive data. Despite being under research and discussion for a long time [14
], privacy and security issues related to wearable devices and mobile technologies are a constantly transforming field, which is still current and open to research worldwide. As the adoption of wearable devices expands constantly, the number of devices connected on IoT is rising, together with the data exchanged by them. Since the data recorded may vary from fitness activity statistics to sensitive health records [15
], ensuring users about security is more crucial than ever.
2. Personal Data and Privacy in the GDPR Era
Personal data are defined as all the information concerning a living natural person, who has been identified or can be identified both directly and indirectly. Common personal data examples are a person’s name, age, occupation, genetic, mental, economic, cultural, or social identity, relationship status, location, racial origin, religion, political or philosophical views, and health information. Each one of the above-mentioned personal data types, is handled differently and is subject to different legal framework [16
], thus GDPR is strongly considering topics around the use of the most sensitive ones.
Sensitive personal data include racial or ethnic origin, political views, religious or philosophical beliefs, membership in organizations, health information, social security and personal preferences, and criminal prosecution information. Privacy refers to all the parameters concerning a natural person’s private life and is of broad sense, while the term “personal data” focuses on the specific parameters that can be used to identify an individual through the processing of finite information. Personal data may be used in order to control, monitor, evaluate, classify, manage, provide, serve, or protect public interest or the service of a superior legal interest. This information and its processing have certain quality characteristics and are subject to restrictions. These do not apply in the case of privacy which is considered as a permanent situation. A noticeable distinction is underlying on the existence of three elements:
These elements are crucial for the discrimination between personal data breaches and privacy compromising. The term “processing” covers a wide range of operations performed on data, either manually or by automated means. It includes the collection, registration, organization, structure, adaptation or alteration, retrieval, usage, disclosure by transmission, dissemination or any other form of disposal, association or combination of personal data. The General Regulation on Data Protection (GDPR) applies to both full and partial processing of personal data.
What is important about the EU-GDPR, is the fact that it applies to all companies and entities established in the European Union that process personal data as part of their activities, regardless of the location that the data are processed, as well as to any companies established outside the European Union, monitoring the individual users’ behavior in the European Union. Although the legal framework applies to all the stated companies, small and medium sized enterprises that do not process data as their main activity, are not due to some obligations, such as the appointment of a data protection officer (DPO). Additionally, companies that do not specifically target their services or goods to individuals in the European Union, are not subject to the rules of GDPR.
Since smart devices and social networking platforms have become part of everyday life globally, sharing of personal data has become a prerequisite for the use of most digital applications and services. Following the new technological trends, users share sensitive personal data, including their biometric features, as the cost of easier access through their mobile devices and personal computers. Sensitive personal data, such as phone number, address, bank accounts, IP, VAT, and ID card numbers, are used to complete a profile, with behavioral data, consumer preferences, political beliefs, spatial and temporal choices, or even biometric or biochemical characteristics which are collected and must somehow be protected and secured. Although, users are becoming more concerned towards any electronic transaction that requires disclosure of their personal information, there are many cases of companies offering services under vague policies.
As in real world incidents, where privacy and security may be considered as inviolable principles, online privacy issues are of the exact same importance. However, when it comes to online networks, the process of collecting personal information is not always obvious. In most cases, the collection of personal data is performed “quietly”, based on the user’s traces left behind, utilizing background mechanisms whose existence and functionality is often ignored or not fully understood by the user.
In this context, concerns are raised over the process of creating user profiles (profiling) by companies, in order to explore consumer needs and adapt advertising marketing to these preferences. In most cases, this is completed by systematically recording and collecting information about the users. This way, although services and applications may be provided free of charge, in fact, data gathered by users’ activity is becoming the real currency, usually to be later bought by third party companies. Although the above, advertising, strategies may not be directly of harm to the user, being able to construct and reveal their identity or even gaining access to specific device functionalities (phone calling, SMS reading, GPS tracking, recording, etc.) and its content (photos, videos, contact list, messages, etc.), without prior notice or approval, is considered as a clear privacy violation.
The published work [17
], proposes a specific target user can be recognized just by processing the walking data collected by their smartphone’s accelerometer and gyroscope signals. This is just to highlight the privacy and security issues that are arising, especially in cases of user profiling and sensitive personal data reselling to third parties, for marketing purposes [18
]. At company and enterprise level, adhering to protection measures can be considered as a compliance indicator but does not guarantee compliance. In order to address all GDPR requirements, organizations processing such data, must follow privacy by design practices and utilize the proper control and information tools to confirm the legitimate interest of the data controller, as well as the unambiguous consents of individuals.
When it comes to wearable computing, data privacy is the most critical and challenging concern [19
], as the collected data can be targeted by cyber attackers and has the potential of exposing users’ sensitive information at risk [20
]. Every modern smartphone is equipped with and using Bluetooth and Wi-Fi modules, which are required for the connection between fitness tracking devices and their applications, but still suffer a variety of vulnerabilities themselves [21
], thus there is a high chance that users’ sensitive data might be leaked without permission. As research indicates (Table 1
), potential risks vary between devices, concluding that there is no health or activity tracking application that can be considered as fully secure [22
]. Sensitive data are considered as one of the most valuable products in the modern, Internet of Things era, since it might lead to financial and legal consequences for the user [23
], bringing the importance of security and privacy to the surface.
4. Security and Privacy Vulnerability Issues in Fitness Tracking Devices
Potential vulnerabilities of popular wearable fitness trackers, as well as the different methodologies to address them, recently are being discussed extensively by researchers, especially in Europe, due to the adoption of GDPR [16
]. As more connected devices are introduced and used to monitor individual users’ physical activities, IoT is rapidly expanding and the quantity, as well as the quality, of security risks for personal data leakage is increasing. Securing devices and developing trusted networks has become a key topic of research [43
]. Major privacy and security implications regarding the usage of wearable fitness tracking devices have been explored, on hardware [44
], firmware [45
] and software [46
] level, as well as by societal scope [47
], indicating information disclosure, subtle data collection and social media connectivity as the most critical concerns for wearable users [41
The key security threats concerning fitness trackers and smartwatches can be categorized as hardware, software, and network sided. Unlike smartwatches, activity trackers are less powerful in terms of computational processing. This makes them more dependent on the device they are connected to and most of the time they work under the operating system of the user’s handheld portable device, inheriting its potential exploits as well. Thus, the vulnerability research can be more focused to the different network attacks and addressed under the wider view of the increasing IoT security challenges, such as user authentication issues. Almost all fitness and activity trackers use Bluetooth, ANT radio, cellular data, and Wi-Fi networks for connectivity purposes. Although the protocols and communications standards used may differ, IoT is open to any available state of the art protocol, covering range to the maximum possible [48
Utilizing the popular features that social networking platforms are offering, these smart devices are often used to motivate users by connecting them online and allowing them to share their activity. Processing the collected geodata (location and ground elevation), those devices create a better user-dependent experience by delivering to them custom personal or community goals [49
]. However, as it is proposed in [50
], the same geodata may be used in order to launch malicious attacks on location privacy, such as location prediction using the activity history, borough prediction based in city knowledge and city prediction with no prior knowledge at all. A tool for analysis was developed in [51
], and a user-based study was conducted, on the privacy risks that arise by exposing the collected data by fitness applications in social networks. The tool aimed to increase awareness and expose complex risks, such as the possibility of social security number extraction, by combining data recorded by fitness devices and shared in social networks. Another research [52
] reported the limitations of users’ knowledge and awareness on the consequences of location sharing (retrieved by wearable devices and processed by fitness apps) through social networks. In other cases [53
], sharing information about the user’s spatiotemporal mobility patterns may be enough to reveal sensitive information, such as their home location.
]. As another research [55
] reported, 12 widely used activity tracking applications, were found to be sharing a huge amount of information about the device and the user to 76 different third parties. That information included the device’s model, screen size, language, and, in some cases, sensitive user information such as gender, geo-location, running routes, sleeping patterns, or even eating habits. It is by no doubt that activity and health tracking applications collect and manage sensitive data by design [56
], therefore the security and privacy requirements defined by data protection laws, such as the General Data Protection Regulation (GDPR) in the EU, as well as security issues from a technological point of view have to be researched.
5. Proposed Work: Experimental Environment and Analysis
In order to identify the existence of such threats on commercial, widely used activity tracking applications, an experimental environment was developed and utilized. Its main scores were to reveal the quality and quantity of information that is accessed and tracked by fitness tracking applications, in wearable devices, with or without the user’s consent.
5.1. Experimental Environment
For the purposes of this work, five fitness tracking applications were examined, suggested by the vendor, each different commercial, widely used, fitness band. Those smart devices and the version of the suggested software that was monitored are given in Table 2
The main aim of the experimental environment was to emulate a man-in-the-middle attack scenario, at already illustrated in detail in Figure 1
, in order to reveal all data transmitted by each application tested. All the applications were installed on a handheld android device Xiaomi Redmi Note 6 Pro, MIUI Global 11.0.4, Android 9 (PKQ1.180904.001) to be later monitored using the application “Lumen Privacy Monitor”, version 2.2.2, as a tool to conduct the experimental analysis [57
Android operating systems use the UID to set up a kernel-level application sandbox, not being able to perform any operations outside it. Since the sandbox is in the kernel, this security model extends to both native code and OS applications. The kernel enforces security between applications and the system at the process level through assigning user and group IDs to them. By default, applications cannot interact with each other and have restricted access to the OS. The sandbox is based on UNIX-style user separation of processes and file permissions. Any installed application that does not have the appropriate default user privileges is prevented from acting malicious (e.g., download software or read another application’s data without permission). The permissions needed by the application in order to access protected parts of the system or other applications are declared in its AndroidManifext XML file, at the root of the project source set. This file is required and describes essential information about the application and its components. Permissions are requested by the applications either during installation, and the AndroidManifest file, or during run-time. Depending on their potential to harm the system and the user, permissions might be classified as of low, mid, or high risk.
Lumen follows the above classification and is currently available only for Android devices, requiring Android version above 4.2. It includes a user-friendly interface, allowing easy access to information about the already installed smart-hone applications. This information includes active connections, which data are being shared, as well as the percentage of traffic spent for advertising and tracking purposes. The main interface displays the three tabs (a) Flows, (b) Leaks, and (c) Apps, as shown in the following Figure 2
Apps: Displays all applications monitored by Lumen, including a detailed report option. Through this interface, the user may view the number of trackers and the overhead caused by the connections each application tried to establish, leaks and traffic overview, and the requested permissions list, including risk assessments for each permission.
Leaks: Lists personal or device information leaked by each application.
Traffic: Leveraging Android’s VPN permission, Lumen captures, analyzes and displays an overview of the network traffic, including encrypted flows, locally on the device and in user-space. It includes information about different connections (including HTTPS), bandwidth, and the overhead caused by that ads and analytics scripts.
“Lumen Privacy Monitor” tool, reads encrypted traffic and is able to determine privacy leaks inflicted by the application. It is developed as part of the Haystack Project by independent academic researchers at Berkeley and IMDEA Networks and has been used by researchers, as indicated by the corresponding literature review [16
]. Some applications leak information to external servers, as well as to advertising networks or other online tracking services that monetize metadata, “Lumen” generates reports about the traffic patterns and the private data collected. It supports TLS interception for the real time identification of applications that leak sensitive information over encrypted traffic. It enables finding and reporting of applications that leak private data over the network, as well as third-party organizations collecting them. In a man-in-the-middle-attack, the intruder redirects traffic between the user and the communication gateway. The common way to hijack is by signaling out a Wi-Fi network using a combination of techniques known as ARP spoofing and SSL stripping. The secure socket layer (SSL) header and hypertext transfer protocol (HTTP) packet generated at the application layer (Layer 7 on OSI model) of a computer are attached to the data being transferred for security.
Lumen runs locally on the user’s device as a middleware between applications and the network interface in order to intercept traffic, being able emulate a “Man-In-The-Middle-Attack” (Figure 2
) and detect leaks including software and hardware identifiers such as the Android ID, a permanent 64 bit long randomly generated number, and the Google Advertising ID, a unique 32 character anonymous string format universally unique identifier (UUID). Lumen takes advantage of Android’s VPN permission to route transmitted packets through a process running in user-space, implementing a simplified layer-3/4 network stack. Running locally on the phone, its observes crucial application context, device status, user-related information and network traffic associated with user activities and intercepts encrypted traffic via local TLS proxy. Combining the above information allows Lumen to detect privacy leaks and provide unprecedented visibility for characterizing mobile traffic and performance security.
5.2. Experimental Results and Analysis
We evaluated five different fitness tracking wearable devices’ recommended applications, using Lumen Privacy Monitor as a tool to emulate a forced man-in-the-middle attack, in order to examine underlying tracking activity, privacy leaks, permissions access, and the total communication overhead caused by advertisements, analytics scripts, and connections. Each one of the devices and applications was used for one year time, (equal to 52 weeks’ time), and finally the results were expanded and scaled to one week level, in order the related comparisons to be more understandable, and the data volume was equally divided by the factor of total weeks 52 (equal to one year’s time).
All five applications collect location and personal identifiers and connect via Bluetooth without any authentication. Higher number of trackers and overhead indicates greater amounts of data collected from users, thus lower privacy. As the number of permissions required increases, higher are the chances that security is compromised, and the user’s information and data control may be easily accessed by a third person. Network, as captured by Lumen, is shown in Figure 3
The domains can be identified by the “Lumen Privacy Monitor” tool, as advertising or tracking services while the rest of them may be further investigated using external and online tools, aiming to analyze user data from trackers. As an example, we refer the one offered by “whotracks.me”, for the domain “samsung.com”, which was listed by “Lumen Privacy Monitor”, on the Samsung Health app (Figure 4
). As the listed results indicate (Table 3
), all the fitness tracking applications examined, are using such services, although the total network overhead is not immediately affected depending on the number of the domains. For example, in the case of Sony Lifelog app, although only 2 tracking domains were found, and the data volume is low (460 kb), the total network overhead was 100%, highlighting a large amount of resources used in the network (e.g., bandwidth, energy, memory, time).
According to the experiment’s results, presented in Table 4
, in Huawei Health application, two privacy leaks were detected (connectivity settings and build fingerprint). Although both of the detected leaks are classified as low risk by Lumen, when combined with other leaked data, they can reveal a lot of information about the users’ id and behavior. All of the applications make use of at least one advertising tracker, which in some cases highly impacts the total network overhead (Sony Lifelog and Huawei Health). As indicated by the domains’ list, Samsung Health uses Google Analytics, while Xiaomi Mi Fit and Shenzhen FitPro use Facebook Analytics.
As previously mentioned, the requested permissions, Lumen’s results, are separated into high, medium, and low risk level threats. Experimental results for the different categories of risks are visualized as shown in Figure 2
. Figure 5
presents the number of high risk permissions requested per app. These permissions include geolocation data access, internal and external phone storage (read and write permissions as well), device state read, permission, phone call dialing and answering, access to the list of accounts in device’s accounts service, audio recording access and camera access. Medium risk levels include pairing through Bluetooth, accessing network state and notification policy and more functionalities, such as vibrating, alarm setting, and modifying audio settings. The most critical 13 high risk threats monitored, are given in Table 5
Although in all applications’ privacy policies collecting data for user experience enhancement purposes is clearly stated, the reasons behind granting permissions over camera control, audio recording, or even SMS access and phone calls are still vague. There is no doubt that users have to be totally aware before granting access to device modules that may leak sensitive personal data. In order to be considered as secure and GDPR compliant, privacy and security must be addressed by design and activity tracking applications must ensure the following principles:
Unlinkability: All personal data collected should be anonymous and never combined with other information that may be used to reveal the user’s identity.
Transparency: Data processing should be completed only under the applications’, clearly stated and specific, purpose. Users’ whose data are being processed must be fully aware of the tracking before, after, as well as at the moment it is happening.
Intervenability: Users should constantly have the option of applying corrective measures or even fully withdrawing their consent of granting permission to data accessing and processing.
The above principles are critical when it comes to accessing information by embedded sensors, such as cameras and microphones, since they can be used to capture data concerning not only the individual user, but their surroundings as well. The experimental results, showcasing the many different permissions granted to the applications, combined with the results of the literature review conducted, raise serious issues on the users’ data privacy. There is a high risk that sensitive or confidential data might leak without the users’ consent. Even secondary device modules that do not require special user permissions, such as gyroscopes and accelerometers, might be utilized as a medium to eavesdrop conversations without consent [59
] or, when combined, reveal sensitive health states, such as having a seizure [60
Advertising trackers were reported in all of the devices, but only 2 out of the 5 devices reported high overhead (Mi Fit: 49.7%, Lifelog: 100%). An overhead of that high percentage means that higher number of resources will being used. This indicates the potential waste of bandwidth, memory, and energy as well. Since energy consumption is considered one of the most significant factors in IoT, overhead should never negatively impact sensors and communications. What has also to be mentioned, is that the number of trackers is not related to the overhead outcome. Although all the measured applications embed 1 to 2 trackers, the overhead differs greatly.
As the reported traffic and flows of all thee five applications indicate, there is no application ensuring sensitive user data disclosure. Considering both the literature and this work’s experimental results, sharing user data with subsidiaries and third parties by commercial applications does not seem to be the exception, but rather the norm. Although all the examined applications required the user’s approval in order to be granted permission to the functions and data of the device, the number of permissions required.
Although, according to the tracking domains, the applications examined collect information in order to deliver an optimized experience through customized recommendations and targeted advertising, requiring access to sensitive data and specific device functionalities, such as the camera or the phone calls dialing, is considered as a high risk and might strongly affect users’ trust. Commercial applications may not intend to harm the device they are installed on, but third-party applications might potentially exploit vulnerabilities. Of course, access to device information, such as location, is reasoned for all fitness tracking applications, since it is required to record and optimize data delivered to the user. However, as shown in Table 5
, requests for information regarding the smartphone’s state (asked by 4 out of 5 applications), record audio using microphone (Shenzhen FitPro and Huawei Health), dial and answer phone calls (Xiaomi Mi Fit and Huawei Health), or even read and send messages (Shenzhen FitPro), raise concerns about data privacy inconsistencies.
], in order to manage and adapt information, as well as to limit or permanently deny data sharing.
As a matter of fact, software and privacy policies are frequently updated, meaning that the above results might differ depending on the current version. Thus, further and continuous research must be conducted. The examined applications might also be investigated using network traffic simulation tools [62
]. Lumen states that it can analyze both encrypted and non-encrypted flow, analysis and evaluation utilizing other tools and environments, in order to find and analyze exceptions, is recommended as a topic of further research. Such scenarios can include software, such as mitmproxy, Jpcap library, TI SmartRF Packet Sniffer, or Wireshark, in order to track encrypted and non-encrypted network traffic, and compare results. This study examined a finite and limited number of activity tracking applications. Following research may focus on the monitoring of even more applications, as well as comparing the results between different smartphone devices or even different operating systems. Establishing secure network communications is also important in the IoT context and as encryption methods are further researched and new schemes are proposed, their adoption by manufacturers is crucial, in order to provide a secure environment. For instance, ensuring privacy for users’ sensitive data, might include image encryption achieved through the synchronization of chaotic artificial neurons [63
] or authenticated Hash functions with chaotic maps [64
What has to be mentioned, considering the limitations of this research, is that the experimental scenario of this study, was oriented on testing, using the same Android device. Since the results might vary between different devices, operating systems, or even their versions, further, in-depth, research needs to be carried out, in order to identify any other underlying privacy risks, both on software and hardware level of commercial activity and fitness trackers. Further research might also focus detecting and highlighting such issues, in order to purpose resolving actions, as well as to encounter personal data breaches and cases of General Data Protection Regulation (GDPR) infringement.