The Garmin vívofit 3 is a fitness tracker with one-year battery life including activity detection. It is more of a beginner’s market product but offers many features. The level of security and privacy of the product was tested in our fitness tracker test.
For the initial connection between the app and the vívofit 3, it was necessary to enter a PIN displayed on the fitness tracker.
Further Bluetooth communication between the two is invisible; the data transmission cannot be viewed by other Bluetooth-capable devices. Information about the communication process was collected with the help of Android-internal tools, which speaks for good protection of the Bluetooth connection.
During the registration process, a few items of data, such as profile pictures, are downloaded via an HTTP connection. Apart from this, all communication is encrypted with TLS 1.2 and thus protected against simple man-in-the-middle attacks.
According to static analysis, the Garmin Connect app does not have any obvious weak points; furthermore, all of the app's data is saved in the protected app area. The app is also well obfuscated, making it difficult for attackers to reverse-engineer its functionality. By implementing certificate pinning, the app would also be protected against attacks that require the attacker to install a CA certificate on the owner's device. Installing such a certificate is necessary, for example, for reading and manipulating encrypted communication in a man-in-the-middle attack. Apps usually only check that the certificate is valid. With certificate pinning, however, the app also checks whether the known public key matches that of the certificate. If it does not, communication is terminated, regardless of whether the certificate would otherwise be trusted.
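The pinning check described above, as an added example (not Garmin's code and not part of the original test): it extracts the SubjectPublicKeyInfo from a DER certificate, hashes it, and compares the result with the pins shipped in the app. The certificates are constructed skeletons with dummy signatures, and `chain_trusted` is an assumed stand-in for the platform's normal certificate validation.

```python
import base64, hashlib, hmac

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_pin(cert_der):
    """Return base64(SHA-256(SubjectPublicKeyInfo)) for a DER X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)         # TBSCertificate ::= SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                         # skip optional [0] version
        pos = end
    for _ in range(5):                      # serial, sigAlg, issuer, validity, subject
        pos = _tlv(cert_der, pos)[2]
    end = _tlv(cert_der, pos)[2]            # SubjectPublicKeyInfo, header included
    return base64.b64encode(hashlib.sha256(cert_der[pos:end]).digest()).decode()

def connection_allowed(cert_der, chain_trusted, pins):
    """Pinning decision: a trusted chain is necessary but never sufficient."""
    if not chain_trusted:
        return False
    pin = spki_pin(cert_der)
    return any(hmac.compare_digest(pin, p) for p in pins)

# --- constructed sample data: certificate skeletons with dummy signatures ---
def _der(tag, *parts):
    body = b"".join(parts)
    n, k = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + body

def sample_cert(key_bytes):
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))  # placeholder algorithm
    spki = _der(0x30, alg, _der(0x03, b"\x00" + key_bytes))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), alg,
               _der(0x30), _der(0x30), _der(0x30), spki)   # empty issuer/validity/subject
    return _der(0x30, tbs, alg, _der(0x03, b"\x00")), spki

def demo():
    server, _ = sample_cert(b"\x04" + b"\x11" * 64)  # key the app was shipped with
    proxy, _ = sample_cert(b"\x04" + b"\x22" * 64)   # different key; trusted via installed CA
    pins = {spki_pin(server)}
    return connection_allowed(server, True, pins), connection_allowed(proxy, True, pins)
```

`demo()` returns `(True, False)`: the certificate with a different key is rejected even though its chain is reported as trusted.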
Users resident in the European Union are entitled to access their stored data in accordance with the General Data Protection Regulation (GDPR), which can be done in the Account Management Center.
The Garmin vívofit 3 and its app are well protected in both their Bluetooth and cloud connectivity. In terms of the app, there is room for improvement, but this did not have a negative effect on the rating. We can also make a clear recommendation with regard to privacy.