The Fitbit Gallery offers approved Fitbit apps such as Spotify or Starbucks Card from a single source. While Fitbit manually scans every app published to the Gallery for malware, "private" apps that are shared by link do not get the same scrutiny. If someone emails you a download link for a Fitbit app, ignore it!
Fitbit allows developers to upload “private”
Kevin Breen, director of threat research at Immersive Labs, successfully uploaded a malicious private app to the Gallery and used it to steal GPS location, heart rate, altitude and age data from test devices. On Android, the malicious app was also able to read all calendars connected to Fitbit. Because the companion part of a Fitbit app runs on the phone and has access to the Fetch API, Breen was even able to make the app probe and access devices on the phone's local network, such as routers and firewalls.
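The local-network reach described above comes from the companion code on the phone being able to call fetch against any URL. The following is an added illustration, not code from Breen's research or from Fitbit's SDK, of the kind of target check a phone-side wrapper could apply before issuing a request: it flags URLs whose host is a literal IPv4 address in a private, loopback or link-local range. It deliberately only classifies address literals; a hostname that resolves to a private address would have to be resolved first (DNS rebinding is the classic way around URL-only checks), so hostnames are reported as "cannot classify" rather than treated as safe. The range table and the function names are assumptions made for this example.

```javascript
// Added example (not Fitbit's code): classify fetch targets that point at the
// phone's local network. Only literal IPv4 hosts are classified; a hostname
// that resolves to a private address is NOT caught here, since no DNS lookup
// is done (a known limitation of URL-only checks).
const PRIVATE_IPV4_RANGES = [
  ["10.0.0.0", 8],      // RFC 1918
  ["172.16.0.0", 12],   // RFC 1918
  ["192.168.0.0", 16],  // RFC 1918
  ["127.0.0.0", 8],     // loopback
  ["169.254.0.0", 16],  // link-local
  ["0.0.0.0", 8],       // "this" network
];

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number, or null.
function ipv4ToInt(addr) {
  const parts = addr.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True if ip (uint32) falls inside the CIDR block [base, bits].
function inRange(ip, [base, bits]) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Returns true when the URL should be refused by a phone-side fetch wrapper:
// unparsable, non-HTTP(S), localhost/.local, an IPv6 literal (conservatively
// refused; assumption for this example), or a private/loopback/link-local IPv4.
// A plain hostname returns false: it cannot be classified without resolving it.
function isLocalNetworkTarget(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return true; // unparsable input is refused rather than passed through
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return true;
  const host = url.hostname;
  if (host === "localhost" || host.endsWith(".local")) return true;
  if (host.startsWith("[")) return true; // IPv6 literal, refused conservatively
  const ip = ipv4ToInt(host);
  if (ip === null) return false; // hostname: not classifiable offline
  return PRIVATE_IPV4_RANGES.some((r) => inRange(ip, r));
}

// Constructed sample of targets a companion app might be pointed at.
const SAMPLE_TARGETS = [
  "http://192.168.1.1:8080/admin",
  "http://127.0.0.1/",
  "https://api.fitbit.com/1/user/-/profile.json",
  "http://8.8.8.8/",
];

// Return the subset of targets that would be refused.
function refusedTargets(targets) {
  return targets.filter(isLocalNetworkTarget);
}

console.log(refusedTargets(SAMPLE_TARGETS));
```

The check is useful as a first filter, but because it never resolves names, a hostname under the attacker's control that points at 192.168.1.1 passes it; a complete wrapper would resolve the host and re-check the resulting address, or, as Fitbit chose to do, gate the capability behind an explicit user permission instead.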
Fortunately, Breen reported his research to Fitbit, which then added warnings to private app download links. Fitbit also plans to turn private app permissions off by default, so that users have to explicitly grant an app access to their age, contacts and other data. As before, apps submitted to the public Gallery are scanned for malicious code before they are published.
Source: Kevin Breen via BleepingComputer