The Fitify Fiasco: Unpacking 138K Private Progress Photos, 206K Profile Photos & Hardcoded App Secrets

Welcome to Upwardly Mobile! In today's episode, we dive deep into the recent massive data leak involving the popular iOS fitness app, Fitify, affecting over 25 million users globally. We'll explore the critical security vulnerabilities exposed and discuss how adherence to standards like OWASP MASVS and advanced solutions like Approov can protect your mobile apps and user data.

The Fitify Fiasco: The Cybernews research team recently uncovered a significant data breach with Fitify, a widely used iOS fitness app. Their investigation revealed that 373,000 sensitive user files, including a staggering 138,000 progress photos, were stored in a publicly accessible Google Cloud bucket. Critically, these files lacked password protection or encryption at rest, meaning anyone could access them. Many of these exposed "progress pictures" and "body scans" were taken with minimal clothing to better showcase body changes, making the exposure highly sensitive for users tracking weight loss or muscle growth. Other leaked data included 206,000 user profile photos, 13,000 AI coach message attachments (which may include images or text), and 6,000 body scan files, including photos and AI-generated metadata (e.g., lean mass, body fat, posture). The leak was discovered on May 7th, 2025, and after Cybernews contacted the company, Fitify Workouts s.r.o. closed the unprotected instance on June 9th, 2025.

Security Gaps Highlighted: Despite Fitify's Google App Store description clearly stating that "data is encrypted in transit", Cybernews found a severe lack of basic access controls, which poses serious privacy risks. The fact that user data could be accessed without any passwords or keys demonstrated that it was not encrypted at rest. Furthermore, researchers discovered hardcoded secrets embedded directly within the app's code. These included Google API and Client IDs, Firebase database URLs, Facebook tokens (such as the Facebook App ID and Client Token), and even an Algolia API key, which was notably not disclosed in Fitify's privacy policy. These exposed credentials could potentially enable attackers to access backend infrastructure, impersonate users, or inject malicious content. This issue is not isolated; Cybernews's broader research found that 71% of 156,000 iOS apps analyzed leak at least one secret, with an average of 5.2 secrets per app.

Understanding Mobile App Security with OWASP MASVS: This incident underscores the importance of adhering to robust mobile application security standards like the OWASP Mobile Application Security Verification Standard (MASVS). MASVS serves as an industry standard and a comprehensive framework for mobile software architects, developers, and security testers to ensure the development of secure mobile applications. It categorizes security controls into various groups:
- MASVS-STORAGE: Addresses the secure storage of sensitive data on a device (data-at-rest), a critical area directly violated by the Fitify leak.
- MASVS-NETWORK: Focuses on secure network communication between the mobile app and remote endpoints (data-in-transit). While Fitify claimed encryption in transit, the publicly accessible bucket shows that protecting the transport channel is no substitute for access controls on the storage behind it.
- MASVS-CODE: Covers security best practices for data processing and keeping the app up-to-date, directly related to the problem of hardcoded secrets and securing credentials.
- MASVS-PRIVACY: Aims to protect user privacy, which was severely compromised in this breach due to the sensitive nature of the leaked progress photos.
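One way to catch the kind of misconfiguration behind the exposed bucket, in MASVS-STORAGE terms, is to audit the bucket's IAM policy for grants to the internet at large. The following is an added example, not code from the article, Cybernews or Approov: it inspects the JSON that `gsutil iam get gs://BUCKET` returns and is run here on a constructed sample policy.

```python
"""Audit a Google Cloud Storage bucket IAM policy for public access grants.

Added example (not from the article or Cybernews' research). It inspects the
JSON document that `gsutil iam get gs://BUCKET` returns and flags bindings
that open the bucket to the internet. The sample policy is constructed.
"""
import json

# Principals that make a binding world-readable (or readable by anyone with a
# Google account). Either one is how a bucket ends up "publicly accessible".
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: one legitimate service-account binding and one binding
# that grants every internet user read access to all objects in the bucket.
SAMPLE_IAM_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:app-backend@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
    ],
    "etag": "CAE=",
})


def find_public_bindings(policy_json: str) -> list[tuple[str, str]]:
    """Return (principal, role) pairs that expose the bucket to non-members."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((member, binding["role"]))
    return findings


def is_public(policy_json: str) -> bool:
    """True when any binding grants access to allUsers or allAuthenticatedUsers."""
    return bool(find_public_bindings(policy_json))


if __name__ == "__main__":
    for principal, role in find_public_bindings(SAMPLE_IAM_POLICY):
        print(f"PUBLIC: {principal} has {role}")
    # Remediation with real gsutil commands: remove the offending binding, then
    # enforce public access prevention so it cannot be re-added by mistake:
    #   gsutil iam ch -d allUsers:objectViewer gs://BUCKET
    #   gsutil pap set enforced gs://BUCKET
```

Running the same check in CI against every bucket the app's backend writes to turns a one-off finding like the Fitify bucket into a continuously enforced control.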
The OWASP Mobile Top 10 risks also highlight prevalent issues in mobile app security, such as static reverse engineering (ranked 9th) and code tampering (ranked 8th), which are common techniques used by attackers to uncover hardcoded secrets and manipulate app behavior.

Shielding Your App: Solutions with Approov: The Fitify leak demonstrates the critical need for advanced mobile app and API protection beyond basic security measures. Approov offers a runtime shielding solution that effectively protects mobile apps, their APIs, and the communication channel between them from automated attacks. Approov works by using a cryptographically signed "Approov token" to allow the app to provide proof of its authenticity, ensuring that only a genuine, untampered mobile app running in an uncompromised environment can access your APIs. Key Approov capabilities relevant to preventing such leaks and attacks include:
- Runtime Secrets Protection: This feature allows hardcoded API keys and other sensitive secrets to be removed directly from the app's code and instead securely managed in the Approov cloud. These secrets are only delivered to verified, legitimate app instances at runtime. This directly addresses the hardcoded secrets vulnerability found in Fiti