The Garmin vívofit 3 is a fitness tracker with a one-year battery life that includes activity detection. It is aimed more at the beginner's market but offers many features. The level of security and privacy of the product was tested in our fitness tracker test.

Local communication

For the initial connection between App and vívofit 3 it was necessary to enter a PIN which was displayed on the fitness tracker.

Pairing the Garmin fitness-tracker

The subsequent Bluetooth communication between the two is invisible to outsiders: the data transmission cannot be viewed by other Bluetooth-capable devices. Information about the communication process could only be collected with the help of Android-internal tools, which indicates that the Bluetooth connection is well protected.

Online communication

Unencrypted download of images

During the registration process, some data, such as profile pictures, is downloaded over a plain HTTP connection. Apart from this, all communication is TLS 1.2-encrypted and thus protected against simple man-in-the-middle attacks.

TLS1.2-encrypted communication

App

According to static analysis, the Garmin Connect app has no obvious weak points, and all of the app's data is stored in the protected app area. The app is also well obfuscated, which makes it difficult for attackers to reverse-engineer its functionality. By implementing certificate pinning, the app would additionally be protected against attacks that require the attacker to install a CA certificate on the owner's device; this is necessary, for example, to read and manipulate encrypted communication in a man-in-the-middle attack. Apps usually only check that the server certificate is valid and issued by a trusted CA. With certificate pinning, the app additionally checks whether the certificate's public key matches the one it already knows. If it does not, the connection is terminated, regardless of whether the certificate is trusted in the first instance.
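The difference between ordinary certificate validation and certificate pinning described above, as an added example that is not part of the original review and not Garmin's code. It models the two checks in Python with constructed stand-in certificates (the subject names and the SPKI bytes are made up, not real keys or Garmin hostnames), using the `sha256/` + base64(SHA-256(SubjectPublicKeyInfo)) pin format that HPKP and OkHttp's `CertificatePinner` use. It goes slightly beyond the paragraph by also showing why pins are usually placed on the intermediate CA together with a backup pin, so that a rotated leaf certificate still passes.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate, reduced to the fields pinning needs."""
    subject: str
    spki_der: bytes  # DER-encoded SubjectPublicKeyInfo (constructed bytes here, not real keys)


def spki_pin(cert: Cert) -> str:
    """Pin in the HPKP / OkHttp CertificatePinner format: 'sha256/' + base64(SHA-256(SPKI))."""
    digest = hashlib.sha256(cert.spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def chain_is_trusted(chain: Sequence[Cert], trust_store: Iterable[str]) -> bool:
    """The ordinary platform check: the chain must end in a CA present in the trust store.
    (Validity period, signatures and hostname are assumed to have been checked already.)"""
    return chain[-1].subject in set(trust_store)


def chain_matches_pins(chain: Sequence[Cert], pins: Iterable[str]) -> bool:
    """Pinning: at least one certificate in the chain must carry a pinned public key."""
    pin_set = set(pins)
    return any(spki_pin(cert) in pin_set for cert in chain)


def connection_allowed(chain: Sequence[Cert], trust_store: Iterable[str],
                       pins: Optional[Iterable[str]] = None) -> bool:
    """Without pins: trust-store check only. With pins: trust-store check AND a pin match."""
    if not chain_is_trusted(chain, trust_store):
        return False
    if pins is None:
        return True
    return chain_matches_pins(chain, pins)


# --- constructed test data (hypothetical names, not real certificates) ---
LEAF = Cert("CN=connect.example-api.test", b"constructed-spki-leaf-2018")
INTERMEDIATE = Cert("CN=Example Public Intermediate CA", b"constructed-spki-intermediate")
PUBLIC_ROOT = Cert("CN=Example Public Root CA", b"constructed-spki-public-root")
ROTATED_LEAF = Cert("CN=connect.example-api.test", b"constructed-spki-leaf-rotated")

# A proxy tool's CA that the device owner (or an attacker with the device) has installed.
ATTACKER_LEAF = Cert("CN=connect.example-api.test", b"constructed-spki-attacker-leaf")
ATTACKER_CA = Cert("CN=Proxy Tool Root CA", b"constructed-spki-attacker-ca")

LEGIT_CHAIN = [LEAF, INTERMEDIATE, PUBLIC_ROOT]
ROTATED_CHAIN = [ROTATED_LEAF, INTERMEDIATE, PUBLIC_ROOT]
MITM_CHAIN = [ATTACKER_LEAF, ATTACKER_CA]

SYSTEM_TRUST_STORE = {PUBLIC_ROOT.subject}
TRUST_STORE_WITH_ATTACKER_CA = SYSTEM_TRUST_STORE | {ATTACKER_CA.subject}

# Pin the intermediate (survives leaf rotation) plus a backup pin for the next leaf key.
PINS = {spki_pin(INTERMEDIATE), spki_pin(ROTATED_LEAF)}


def evaluate() -> dict:
    """Outcome of each chain with and without pinning, once the attacker's CA is trusted."""
    return {
        "legit_without_pinning": connection_allowed(LEGIT_CHAIN, TRUST_STORE_WITH_ATTACKER_CA),
        "legit_with_pinning": connection_allowed(LEGIT_CHAIN, TRUST_STORE_WITH_ATTACKER_CA, PINS),
        "rotated_with_pinning": connection_allowed(ROTATED_CHAIN, TRUST_STORE_WITH_ATTACKER_CA, PINS),
        "mitm_without_pinning": connection_allowed(MITM_CHAIN, TRUST_STORE_WITH_ATTACKER_CA),
        "mitm_with_pinning": connection_allowed(MITM_CHAIN, TRUST_STORE_WITH_ATTACKER_CA, PINS),
        "mitm_clean_trust_store": connection_allowed(MITM_CHAIN, SYSTEM_TRUST_STORE),
    }


if __name__ == "__main__":
    for name, allowed in evaluate().items():
        print(f"{name:26s} {'allowed' if allowed else 'rejected'}")
```

The `mitm_without_pinning` case is the gap the review points at: once a CA certificate has been installed on the device, the ordinary trust check alone accepts the interception proxy's chain, while the pinned check rejects it because none of its public keys match. On Android the same policy is normally expressed declaratively in the Network Security Config `<pin-set>` or with OkHttp's `CertificatePinner` rather than hand-written as here.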

Privacy

The Garmin Connect Privacy Policy describes in detail what information is collected and for what purpose it is used. Data will not be shared with third parties without explicit permission, for example by clicking “Share” or by including third-party apps in the Garmin Connect program. Various analysis services (Google Analytics, Azure Application Insights, HockeyApp, Crashlytics) are integrated into the Garmin Connect App.

Users resident in the European Union are entitled to access their stored data in accordance with the General Data Protection Regulation (GDPR), which can be done in the Account Management Center.

Conclusion

The Garmin vívofit 3 and its app are well protected in both their Bluetooth and cloud communication. As for the app, there is room for improvement, but this did not have a negative effect on the rating. We can also make a clear recommendation with regard to privacy.