The Medion Life S3600 is a fitness tracker bracelet that can track the sleep of the user in addition to various sport modes including pedometer and heart rate measurement. We had already put the S2000 fitness tracker on the security test bench in 2018. Time to take a closer look at the current model of the German electronics company.

Medion, one of the largest PC manufacturers in Europe, is not only active in the computer and consumer electronics sector. The company, which is closely associated with ALDI, has also been present in the eHealth sector for several years and sells inexpensive wearables in this area, which, at least in our comparative test, did not have to hide from more expensive competitors.

Setup

When opening the app for the first time, the user can choose whether or not to create a Medion user account. If the user decides against it, all data recorded by the device remains on the owner's smartphone.

Medion Fitness App

If no smartphone is connected, the S3600 is automatically ready for pairing. After it is found by the app, the touch button must be pressed for several seconds during the pairing process.

App

The static analysis of the Medion Fitness app (version 1.5.4) showed that many third-party modules are integrated into the app. The app permissions seem to be limited to the necessary scope and are also explained in the privacy policy. Some libraries, for example those for Bluetooth communication with the Medion S3600, are obfuscated or moved into native shared objects, which effectively makes it harder for attackers to analyse their functionality.

Despite the numerous third-party modules, no noteworthy weaknesses could be found in the static analysis. In the dynamic analysis, the communication to the Internet and to the fitness tracker was examined more closely.

Online communication

The online communication of the Medion Fitness App was encrypted throughout the test. Most of the communication goes through Microsoft Azure Germany, but there is also regular communication with Facebook servers.

TLS1.2 encrypted communication to Microsoft Azure Germany

Bluetooth communication

The Bluetooth communication is shielded from prying eyes to some extent: the fitness bracelet stops advertising while it is connected to the smartphone. When the smartphone is out of range, however, the wristband is visible to any device.

Recorded Bluetooth communication with the S3600 fitness tracker

In the test, we recorded the Bluetooth communication between the app and the fitness tracker and subsequently replayed it from another device. The communication does not appear to be encrypted and always follows fixed patterns. In parts it is protected by the authentication mentioned above, but it was easily possible to reset the pedometer to zero from another smartphone simply by replaying the recorded values. Furthermore, a connection attempt via a Bluetooth LE scanner was sufficient to break the link between the Medion Fitness app and the tracker. Afterwards, the fitness tracker had to be deleted from the app and reconnected.
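The replay finding above is easiest to understand as a model. The following is an added example, not code from AV-TEST or Medion, and the two-byte "reset pedometer" frame, the shared pairing key and the 8-byte truncated HMAC tag are constructed assumptions rather than the S3600's real protocol. It contrasts a device that accepts any frame matching a fixed pattern with one that binds each command to a fresh per-connection challenge, so that a frame captured on one connection is rejected on the next.

```python
import hashlib
import hmac
import os

# Constructed frame (hypothetical, not Medion's format): a fixed-pattern
# "reset pedometer" command that looks identical on every connection.
CMD_RESET_STEPS = b"\x01\x00"


class FixedPatternTracker:
    """Models the observed weakness: any frame matching the pattern is accepted."""

    def __init__(self, steps):
        self.steps = steps

    def handle(self, frame):
        if frame == CMD_RESET_STEPS:
            self.steps = 0
            return True
        return False


class AuthenticatedTracker:
    """Models the mitigation: each connection issues a random challenge and a
    command is only accepted with an HMAC over (challenge || command) under the
    key agreed at pairing. Each challenge is answered at most once."""

    def __init__(self, steps, key):
        self.steps, self.key, self.nonce = steps, key, None

    def connect(self):
        self.nonce = os.urandom(8)  # challenge sent to the phone after connecting
        return self.nonce

    def handle(self, frame):
        cmd, tag = frame[:2], frame[2:]
        if self.nonce is None:  # no outstanding challenge: nothing can be accepted
            return False
        expected = hmac.new(self.key, self.nonce + cmd, hashlib.sha256).digest()[:8]
        self.nonce = None  # one answer per challenge, whether it verifies or not
        if not hmac.compare_digest(tag, expected):
            return False
        if cmd == CMD_RESET_STEPS:
            self.steps = 0
        return True


def sign(key, nonce, cmd):
    """Phone side: append the tag that binds cmd to this connection's challenge."""
    return cmd + hmac.new(key, nonce + cmd, hashlib.sha256).digest()[:8]


def demo():
    key = b"constructed-pairing-key"  # constructed; would be set up at pairing
    fixed = FixedPatternTracker(steps=8421)
    captured = CMD_RESET_STEPS  # what a sniffer saw on the legitimate connection
    replay_on_fixed = fixed.handle(captured)  # True: steps reset by a replay

    auth = AuthenticatedTracker(steps=8421, key=key)
    captured = sign(key, auth.connect(), CMD_RESET_STEPS)
    legit = auth.handle(captured)  # True: accepted on the connection it was made for
    auth.steps = 500  # the wearer keeps walking
    auth.connect()  # a second device connects and receives a fresh challenge
    replay_on_auth = auth.handle(captured)  # False: tag was bound to the old challenge
    return replay_on_fixed, legit, replay_on_auth, auth.steps
```

The returned tuple shows the fixed-pattern device losing its step count to a replay while the challenge-bound device keeps it.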

Medion Life S3600 in the Medion Fitness App

Privacy

The privacy policy of the Medion Fitness App (as of 01.07.2020) was not published by Medion on 01 July, but approximately 2 weeks later. Prior to this date, we were able to save the earlier version, as of May 2018. It is questionable whether a privacy policy may be changed retroactively. Since it was improved in some respects, we do not rate this negatively in this case.

Data is stored almost exclusively on servers in Germany (Microsoft Azure Germany). Where other processing requires it, e.g. registration via Facebook, the necessary data is also transferred to other countries, possibly outside the European Union.

In its level of detail, the privacy policy should serve as a guideline for other manufacturers. Medion specifies exactly which fitness tracker records which data (S3600: steps, distance, calories, heart rate, sleep). The purpose and type of data collection via app permissions are also stated in detail. Furthermore, unlike with many other manufacturers, creating an account is not strictly necessary.

The only point that we miss in the very detailed privacy policy refers to the trackers integrated into the app. According to Exodus, in addition to Google Firebase Analytics, various Facebook modules are also integrated, the purpose of which is not fully specified.

Conclusion

The Medion Life S3600 fitness tracker was able to score many points in our test. In the area of privacy, Medion acts in an exemplary manner for the most part, but lacks information about the integrated trackers. The app's data transfer to the internet was encrypted at all times, but the Bluetooth communication between app and fitness tracker still offers potential for improvement: authentication is not fully implemented, and the link between the app and the S3600 can be broken relatively easily.