Defence experts warn of fitness tracker risks in Singapore military bases amid global Strava breaches
The Ministry of Defence says it is aware of the risks and will implement security measures when needed.
Singapore's military installations can be seen on Strava's global heatmap, such as Sungei Gedong Camp (left) and Changi Naval Base (right).
This audio is generated by an AI tool.
SINGAPORE: Fitness tracking apps like Strava could pose security risks in Singapore's military bases – not by revealing their locations, but by exposing the daily routines and movement patterns of personnel inside, defence observers have warned.
Their caution comes as a series of high-profile breaches overseas have put such apps under scrutiny. In March, a French aircraft carrier had its exact location revealed after an officer onboard logged a run on Strava. Earlier this month, British soldiers gave away their positions inside one of their country's most sensitive nuclear bases by posting their runs on the app.
A check by CNA showed that paths within military installations here, including Sungei Gedong Camp, Changi Naval Base and Sembawang Air Base, appear on Strava's global heatmap.
In a highly urbanised and compact environment like Singapore, many military installations are already generally known or inferable from open sources, said Associate Professor Razwana Begum, head of global security and strategy at the Singapore University of Social Sciences.
The real danger, she said, lies elsewhere.
“In Singapore, the risk is not primarily about revealing locations, but about exposing patterns and behaviours within and around installations,” she said.
NO ADDED SECURITY RISKS: MINDEF
The Ministry of Defence (MINDEF) said it is aware of the risks and will act when needed.
In response to questions from CNA, a spokesman said that the ministry and the Singapore Armed Forces (SAF) are "mindful that the technology for fitness trackers evolves with the addition of more sophisticated tools".
“We are monitoring these developments and will, when required, institute appropriate measures to maintain the security of operations and training,” said the spokesman.
MINDEF said it had conducted a risk assessment of fitness tracking devices on the market, concluding that in a city-state like Singapore, information derived from such devices could also be obtained from other open sources and did not pose added security risks.
However, the spokesman noted that specific instances locally and overseas require restrictions to maintain operational and information security.
“These measures include the mandatory safekeeping of such devices at designated storage areas prior to the conduct of sensitive or classified operations or training to prevent the transmission of information,” he said.
Beyond such restrictions, fitness trackers and apps are permitted on military premises as they help servicemen keep fit, monitor exercise intensity and pace, and improve safety outcomes, the spokesman added.
Servicemen told CNA that Strava remains widely used in military bases here. A full-time national serviceman posted to an airbase said no formal orders have been issued against using the app onsite, though servicemen are advised against it – and told to keep posts private if they do use it.
A national serviceman who does his reservist in an army base said most servicemen are not worried about security risks in using the app, with a sense that military areas in Singapore are already marked and known. Unlike rules governing camera phones, no formal guidelines govern the use of fitness tracking apps such as Strava, he said.
EXPOSING BROADER PATTERNS
Most modern militaries, including the SAF, have settled on risk-managed use rather than outright bans of fitness tracking apps, said Mr Ridzwan Rahmat, principal defence analyst at defence consultancy Janes.
Restrictions are typically imposed during classified or sensitive exercises, overseas operations or training where movement patterns could matter operationally, he added.
Still, experts said that risks should not be dismissed. "Pattern-of-life exposure" such as repeated runs, walks and patrols can reveal daily routines and frequency of movement – and pinpoint frequently used internal roads, facility perimeters and routine movement areas inside an installation, said Mr Ridzwan.
“Publicly available data can reveal patterns of life such as the number of personnel in an area, their activity level, and fitness profile that may seem harmless as an individual data set,” said defence observer David Boey, a former member of MINDEF’s Advisory Council on Community Relations in Defence.
“However, such data can represent another piece of the jigsaw that observers compile for a more complete picture of activities inside a military installation.”
Taken as a whole, such open-source intelligence can be exploited by hostile intelligence services and potential terror threats, said Dr Ong Weichong from the S Rajaratnam School of International Studies' National Security Studies Programme.
Assoc Prof Razwana added that potential adversaries – including terrorist, extremist and organised crime groups – may exploit such insights to identify security vulnerabilities.
Mr Boey pointed to Jemaah Islamiyah, which conducted reconnaissance here over two decades ago using far simpler tools.
“Their videos of possible targets pre-dated today’s social media channels and lifestyle apps, whose reach and pervasiveness are likely to be obvious to like-minded non-state actors who may be mulling similar actions,” he said.
Mr Ridzwan acknowledged that Singapore's context differs materially, with most military installations already visible and well-mapped via open-source imagery – but cautioned that "low risk" does not mean "no risk".
Singapore should keep its guard up, particularly given the "prevailing global geopolitical situation", Mr Boey added.
WHAT CAN SERVICEMEN DO
Servicemen have a role to play in using such apps responsibly, observers said.
Assoc Prof Razwana said they should adopt a privacy-by-default approach: setting activities to private, using features that hide start and end points, and disabling GPS and geolocation services to prevent automatic syncing of activity data.
Mr Ridzwan added that servicemen should avoid naming posts, sharing photos or making comments that could identify or link them to their work locations.
Assoc Prof Razwana also agreed with MINDEF's approach of continuously assessing emerging technologies, including wearables and AI tracking tools, and updating policies accordingly.
The SAF Digital and Intelligence Service’s Open Source Unit is believed to actively monitor the SAF’s online footprint around the clock, said Mr Boey.
“These cyber defenders would help MINDEF/SAF detect, track and localise instances when Strava-type situations may compromise Singapore’s security posture. Digital forensics can then recommend follow-on action to plug any leaks,” he said.
Mr Boey noted that some SAF personnel appear to have scenic running routes – through forested areas on the eastern side of Paya Lebar Air Base and along the breakwater at Changi Naval Base – that are visible on Strava heatmaps.
That photos of such routes have not surfaced via unsanctioned channels suggests personnel are broadly aware of digital dos and don'ts, he said.
Still, Strava's social dimension may work against good security habits.
“It is not intuitive to set activities to ‘Only me’ when the device or app is meant to showcase development or progress in certain activities and affirmation from others necessary to sustain the habit or activity,” said Assoc Prof Razwana.
