TomTom markets fitness watches under the name “Spark 3”, which offer additional functions such as GPS tracking, heart rate measurement or a music player. In our test we put the Spark 3 through its paces.
Before the fitness tracker can be connected to the smartphone app, it must first be connected to the PC using the included USB cable. Via the PC software “TomTom Sports Connect” a firmware update of Spark 3 is performed at the beginning, furthermore the account creation and/or registration is carried out here. Both the update and the registration are completely TLS1.2 encrypted.
Bluetooth communication between the App and Spark 3 is well protected, for example PIN authentication is required before data can be synchronised. Furthermore, it is invisible for other Bluetooth-devices if the app is connected.
The TomTom Sports app always communicates TLS1.2-encrypted with TomTom servers in the Netherlands and an analysis service provider in the United States (Crashilytics). After logging into the app, a presumably static Auth token is used to authenticate to the cloud server.
At the time of testing, the App had not validated any certificates for Get-Requests to the TomTom API, so that data, such as the already named Auth Token, could be read along during a man-in-the-middle attack without being noticed. However, this gap was closed at short notice. Now the app is (again) protected against simple man-in-the-middle attacks. After installing the associated CA certificate, however, man-in-the-middle attacks can be crowned with success, since the app itself only checks the validity of the certificate, but not for further data, such as the issuer. Due to the presumably static Auth token that is used for all API queries, the implementation of certificate pinning is suggested here. However, since this type of attack requires direct device access for the certificate installation, this is not rated negatively.
With the “Spark 3” fitness trackers, TomTom provides a secure solution that is also very well positioned in terms of privacy. Therefore, it is rated 3 out of 3 stars.