As an electronics brand of supermarket giant ALDI, Medion naturally also has a fitness tracker in its current product range. As usual for Medion, the S2000 attracts attention with a comparably low price and a quite competitive feature list. The following test report will clarify whether the tracker is also convincing from a security point of view or rather corresponds to the cliché of the cheap discounter product.
In the first step of the analysis, the static analysis, our standard tools failed on the tested Medion application (com.medion.fitness version 1.1.6 build 11600). The reason for this was an unusual structure of the .apk file, which required a completely manual examination. The code areas examined, mainly those responsible for encrypted communication via the Internet, did not reveal any obvious weak points: the certificate validation, which is often insufficiently implemented elsewhere, appears to have been implemented adequately here, and there are no other serious problems.
During the examination of the local storage, a folder was found on the SD card which is obviously created by the third-party module “VeryFit”. This folder, accessible to any other application, contained detailed logs of many functional areas of the Medion application. These logs contained, among other things, all recorded sleep and fitness data and all user data, such as weight, height, age and gender. We could not directly find account information, such as e-mail addresses or passwords, but even so the amount of information revealed in this way is of course questionable. In addition, a single log on the SD card was identified which also contains all fitness data with associated time stamps. These logs may be a leftover from the debug phase that was not removed from the program code before release. In any case, improvements should be made here.
Local communication via Bluetooth LE proved to be one of the major problems of the Medion S2000 in the test, the biggest weakness being the lack of authentication, which allows any device to connect to the S2000 and initiate data transmission. Even though the S2000 only allows a single exclusive connection at a time, so that no other device can connect as long as the tracker remains connected to the user’s phone, the missing authentication is a critical problem nevertheless. Transmission is also unencrypted, which adds susceptibility to eavesdropping by third parties. On this point, therefore, no positive assessment is possible.
Update: The problem of missing authentication was fixed in the current hardware revision of the S2000 by implementing a physical confirmation on the tracker side before a connection is established.
When communicating via the Internet, the Medion product shows no really significant weaknesses. The observed connections were fully adequately encrypted, and our standard man-in-the-middle attacks did not indicate any potential vulnerabilities in this area. So there is no reason for criticism on this point.
Only with the root certificate installed on the smartphone was it possible for us to successfully attack the login. This does not yet lead to a downgrade in the rating, but in future the app should be upgraded with adequate certificate pinning to ensure security even in this scenario.
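One way to implement the recommended pinning in an Android app is a Network Security Config that pins the server key and trusts only the system certificate store, so that a user-installed root CA (the scenario in the test) is rejected. This is an added illustration, not Medion's code; the host name, pin values and expiry date are placeholders:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml via
     android:networkSecurityConfig="@xml/network_security_config" on <application> -->
<network-security-config>
    <!-- Applies only to the API host; "api.example.com" is a placeholder, not Medion's endpoint -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
        <!-- SHA-256 of the Subject Public Key Info of the server (or intermediate) certificate.
             The values below are placeholders; compute real ones with:
             openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der \
               | openssl dgst -sha256 -binary | base64
             Keep a backup pin so a key rotation does not lock users out. -->
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
        <!-- Trust the system store only: certificates added by the user are not accepted -->
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </domain-config>
</network-security-config>
```

With this configuration in place, a login request intercepted by a proxy presenting a user-installed CA certificate fails at the TLS handshake instead of being accepted.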
Like many other manufacturers, Medion has also greatly expanded its data protection declaration for Medion apps and fitness trackers within the scope of the DSGVO (GDPR). Before the update of the data privacy statement, we had found only very few details missing, and these have now also been updated. Data processing takes place exclusively in Germany (Microsoft Azure Germany); a transfer to other countries is only performed after explicit consent by the user. Besides Samsung, Medion is the only manufacturer in our fitness tracker test that also allows the use of the app and the fitness tracker without creating an account. In contrast to Samsung, however, if no account is registered, all data remains with Medion exclusively on the user’s smartphone.
If an account is created with Medion, personal data such as name, e-mail address, height and weight will be requested, and fitness data will continue to be transmitted to Medion. These can also be used for marketing purposes, provided the user has not objected. If the Medion account has not been used for 180 days, all data will be deleted; otherwise the legal storage periods apply.
It is praiseworthy that the permissions of the Android app are also explained in great detail; this is still missing with many other manufacturers.
In our tests, the Medion S2000 delivers a performance that is not error-free, but decent overall. In the area of application security, and especially in local communication, there are quite serious problem areas where the manufacturer should definitely make improvements. In the area of data privacy, however, the Medion product is one of the best we have examined in this test: a truly detailed and exemplary solution is presented here. Also in the area of online communication we could not find any reasons for complaint. Overall, the performance is sufficient for a solid 2 out of 3 possible stars on our rating scale.