As a well-known manufacturer in the field of fitness and health gadgets, Polar was a must in our large fitness tracker test. For the test we selected the A370 as the representative. In past tests, Polar's products have always been convincing in terms of security – the following test report will clarify whether this is also the case for the model tested this time.
The Polar Flow application (fi.polar.polarflow, version 3.6.5) was investigated. The static analysis of the app turned up indications of possible weak points in the implementation of SSL-secured communication. On closer inspection it became apparent that these vulnerabilities do exist, but only in third-party code modules that the app practically does not use for its communication. The implementation the app actually uses is, according to our analysis, free of obvious weak points and can therefore be classified as adequately secure.
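The distinction drawn above, between TLS anti-patterns that merely sit in bundled third-party code and ones the app actually reaches, is what an auditor has to establish after the first round of grepping decompiled sources. The following Python script is an added example (not code from the test lab or from Polar) that shows the two steps: a pattern pass for the classic validation-disabling constructs (a `checkServerTrusted` with an empty body, a `getAcceptedIssuers` returning null, a `HostnameVerifier.verify` that always returns true, the `ALLOW_ALL_HOSTNAME_VERIFIER` constant), followed by a reachability pass that reports whether any first-party code references the offending class. All sources, class names and package prefixes in it are constructed for the example and are hypothetical.

```python
"""Static check for TLS validation anti-patterns in decompiled Android Java,
with a reachability pass that separates first-party use from unused
third-party modules. Added example; all inputs below are constructed."""
import re
from dataclasses import dataclass

# Constructs that defeat certificate or hostname validation if the class
# containing them is actually wired into the app's HTTP stack.
TLS_ANTIPATTERNS = {
    "trust-all checkServerTrusted":
        re.compile(r"void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}"),
    "getAcceptedIssuers returns null":
        re.compile(r"getAcceptedIssuers\s*\([^)]*\)\s*\{\s*return\s+null\s*;\s*\}"),
    "HostnameVerifier always true":
        re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}"),
    "ALLOW_ALL_HOSTNAME_VERIFIER":
        re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b"),
}


@dataclass
class Finding:
    path: str
    pattern: str
    referenced_by_app: bool  # True only if first-party code uses the class


def scan_sources(sources):
    """First pass: raw (path, pattern) hits over a {path: java_source} mapping."""
    hits = []
    for path, src in sources.items():
        for name, rx in TLS_ANTIPATTERNS.items():
            if rx.search(src):
                hits.append((path, name))
    return hits


def class_name(path):
    """Simple class name derived from a Java file path."""
    stem = path.rsplit("/", 1)[-1]
    return stem[:-5] if stem.endswith(".java") else stem


def referenced_from(sources, cls, package_prefix):
    """Second pass: does any file under package_prefix mention cls?"""
    rx = re.compile(r"\b" + re.escape(cls) + r"\b")
    return any(
        rx.search(src)
        for path, src in sources.items()
        if path.startswith(package_prefix) and class_name(path) != cls
    )


def assess(sources, app_package):
    """Combine both passes; app_package is the first-party source prefix."""
    return [
        Finding(path, pattern, referenced_from(sources, class_name(path), app_package))
        for path, pattern in scan_sources(sources)
    ]


# Constructed decompiled sources (hypothetical names, not from any real app).
SAMPLE_SOURCES = {
    # Third-party helpers shipped in the APK but never used by app code.
    "com/thirdpartylib/net/TrustAllManager.java": """
        public class TrustAllManager implements X509TrustManager {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {}
            public X509Certificate[] getAcceptedIssuers() { return null; }
        }""",
    "com/thirdpartylib/net/LaxVerifier.java": """
        public class LaxVerifier implements HostnameVerifier {
            public boolean verify(String host, SSLSession s) { return true; }
        }""",
    # First-party client relying on the platform's default validation.
    "fi/example/app/net/ApiClient.java": """
        public class ApiClient {
            HttpsURLConnection open(URL u) throws IOException {
                return (HttpsURLConnection) u.openConnection();
            }
        }""",
}

if __name__ == "__main__":
    for f in assess(SAMPLE_SOURCES, "fi/example/app"):
        status = "REACHABLE from app code" if f.referenced_by_app else "unreferenced third-party"
        print(f"{f.path}: {f.pattern} [{status}]")
```

The reachability pass is deliberately coarse (a name match within the first-party package), which is the right trade-off for triage: a hit that no app code references can be deprioritized, while a referenced one has to be followed into the call graph before the app's TLS handling can be rated.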
The source code itself is not protected by obfuscation, which makes reverse engineering relatively easy even for less experienced analysts. On its own, however, this is of course not a weak point.
Furthermore, all user data such as e-mail address, account name, password and the like are stored unencrypted in the app folder. Access to this folder is controlled and restricted by the Android system so that no other application can read it; on a smartphone with root privileges, however, this restriction can be bypassed. We can hardly count this as a weak point either.
Local communication via Bluetooth has always been a strength of Polar devices in previous tests. An exclusive pairing between tracker and app on the smartphone, triggered by a hardware action on the tracker and PIN confirmation on the smartphone, ensures that the devices are introduced to each other securely. Data synchronization is encrypted and can only be performed upon explicit instruction from the user – a connection to the A370 is not possible without pressing the corresponding button on the tracker. That is all you can ask for at this point. Very good!
The Polar product combination is also exemplary in terms of communication between the application and the cloud – registration and synchronization with polarremote.com are completely encrypted, and our standard man-in-the-middle attacks provided no indication of weak points or security holes either. Overall, we see no reason for criticism on this point.
The data protection declaration carries a change date and versioning, but its link to earlier versions still points to the imprint of the Polar website.
The personal data collected is clearly stated and is used in anonymized form for research and product development as well as for statistics. Where data is transferred to non-EU countries, the transfers are based on the EU-US or Swiss-US Privacy Shield. Before important data such as heart rate data is processed, explicit permission to collect and store it is obtained.