A heatmap from Strava of Diego Garcia, the atoll in the Indian Ocean that houses a US military facility.
PHOTO: Strava
A heatmap from Strava of Diego Garcia, the atoll in the Indian Ocean that houses a US military facility.
Now playing
02:11
Fitness app reveals troops info
President Donald Trump signs the John McCain National Defense Authorization Act for the Fiscal Year 2019, during a signing ceremony Monday, Aug. 13, 2018, in Fort Drum, N.Y. (AP/Hans Pennink)
PHOTO: Hans Pennink/AP
President Donald Trump signs the John McCain National Defense Authorization Act for the Fiscal Year 2019, during a signing ceremony Monday, Aug. 13, 2018, in Fort Drum, N.Y. (AP/Hans Pennink)
Now playing
01:28
Trump: Rebuilding military like never before
space wars air force defensive duty officer origwx jm_00012128.jpg
space wars air force defensive duty officer origwx jm_00012128.jpg
Now playing
02:05
Meet the US military's sentry for space
The A-10s Last Dance_00024708.jpg
The A-10s Last Dance_00024708.jpg
Now playing
03:02
Is the A-10 headed for the graveyard?
gurading tomb of unknown soldier orig _00005113.jpg
gurading tomb of unknown soldier orig _00005113.jpg
Now playing
01:15
Guarding the Tomb of the Unknown Soldier
Activists, including some who are covered in mock shrounds, take part in a demonstration to protest against the US military presence in Okinawa, Japan, outside of Union Station in Washington, DC on May 26, 2016.
PHOTO: AFP/AFP/Getty Images
Activists, including some who are covered in mock shrounds, take part in a demonstration to protest against the US military presence in Okinawa, Japan, outside of Union Station in Washington, DC on May 26, 2016.
Now playing
02:24
New strains on U.S. bases in Japan
Now playing
01:30
Rescue mission underway for US service members
NEWPORT NEWS, VA - APRIL 8:  In this handout photo provided by the U.S. Navy, the future USS Gerald R. Ford (CVN 78) is seen underway on its own power for the first time on April 8, 2017 in Newport News, Virginia. The first-of-class ship -- the first new U.S. aircraft carrier design in 40 years -- will spend several days conducting builder's sea trials, a comprehensive test of many of the ship's key systems and technologies. (Photo by Mass Communication Specialist 2nd Class Ridge Leoni/U.S. Navy via Getty Images)
PHOTO: US Navy/Getty Images
NEWPORT NEWS, VA - APRIL 8: In this handout photo provided by the U.S. Navy, the future USS Gerald R. Ford (CVN 78) is seen underway on its own power for the first time on April 8, 2017 in Newport News, Virginia. The first-of-class ship -- the first new U.S. aircraft carrier design in 40 years -- will spend several days conducting builder's sea trials, a comprehensive test of many of the ship's key systems and technologies. (Photo by Mass Communication Specialist 2nd Class Ridge Leoni/U.S. Navy via Getty Images)
Now playing
00:44
Navy ship makes historic launch, landing
THAAD test Alaska US military orig vstop dlewis_00000000.jpg
THAAD test Alaska US military orig vstop dlewis_00000000.jpg
Now playing
00:51
See THAAD missile hit mid-air target
PHOTO: PBS
Now playing
01:02
Camera explores inside sunken USS Arizona (2016)
raytheon excalibur n5 projectile orig vstan bb_00000121.jpg
raytheon excalibur n5 projectile orig vstan bb_00000121.jpg
Now playing
00:46
Navy's new 'Excalibur' weapon tested
PHOTO: Lockheed Martin
Now playing
00:58
US Navy commissions newest littoral combat ship
PHOTO: Department of Defense
Now playing
01:19
Navy's newest ship USS Zumwalt commissioned
PHOTO: Lockheed Martin
Now playing
01:18
US Navy launches new warship
160613-N-DN943-001
ATLANTIC OCEAN (June 10, 2016) The littoral combat ship USS Jackson (LCS 6) successfully completes the first of three scheduled full-ship shock trials June 10, 2016. The shock trials are designed to demonstrate the ship's ability to withstand the effects of nearby underwater explosion and retain required capability. Jackson is currently ported at Naval Station Mayport, Fla., for required inspections and preparation for the second full-ship shock trial scheduled for later this month. (U.S. Navy photo by Mass Communication Specialist 2nd Class Michael Bevan/Released)
PHOTO: MC2 Michael Bevan/Navy Media Content Service (NMCS)/U.S. Navy
160613-N-DN943-001 ATLANTIC OCEAN (June 10, 2016) The littoral combat ship USS Jackson (LCS 6) successfully completes the first of three scheduled full-ship shock trials June 10, 2016. The shock trials are designed to demonstrate the ship's ability to withstand the effects of nearby underwater explosion and retain required capability. Jackson is currently ported at Naval Station Mayport, Fla., for required inspections and preparation for the second full-ship shock trial scheduled for later this month. (U.S. Navy photo by Mass Communication Specialist 2nd Class Michael Bevan/Released)
Now playing
00:51
Navy warship tested against 10,000-pound explosive
160421-N-YE579-005
ATLANTIC OCEAN (April 21, 2016) The future guided-missile destroyer USS Zumwalt (DDG 1000) transits the Atlantic Ocean during acceptance trials April 21, 2016 with the Navy's Board of Inspection and Survey (INSURV). The U.S. Navy accepted delivery of DDG 1000, the future guided-missile destroyer USS Zumwalt (DDG 1000) May 20, 2016. Following a crew certification period and October commissioning ceremony in Baltimore, Zumwalt will transit to its homeport in San Diego for a Post Delivery Availability and Mission Systems Activation. DDG 1000 is the lead ship of the Zumwalt-class destroyers, next-generation, multi-mission surface combatants, tailored for land attack and littoral dominance. (U.S. Navy/Released)
PHOTO: Digital/Navy Media Content Services
160421-N-YE579-005 ATLANTIC OCEAN (April 21, 2016) The future guided-missile destroyer USS Zumwalt (DDG 1000) transits the Atlantic Ocean during acceptance trials April 21, 2016 with the Navy's Board of Inspection and Survey (INSURV). The U.S. Navy accepted delivery of DDG 1000, the future guided-missile destroyer USS Zumwalt (DDG 1000) May 20, 2016. Following a crew certification period and October commissioning ceremony in Baltimore, Zumwalt will transit to its homeport in San Diego for a Post Delivery Availability and Mission Systems Activation. DDG 1000 is the lead ship of the Zumwalt-class destroyers, next-generation, multi-mission surface combatants, tailored for land attack and littoral dominance. (U.S. Navy/Released)
Now playing
01:05
Navy's $3B stealth warship sets sail
(CNN) —  

The US Central Command says it’s in the process of refining its privacy policies after it was reported that a fitness tracking app that maps people’s exercise habits could pose security risks for security forces around the world.

Strava, which bills itself as “the social network for athletes” and allows its users to share their running routes, released a newly updated global heatmap last November. But experts and keen observers have recently realized its potential to reveal location patterns of security forces working out at military bases in remote locations.

Defense Secretary James Mattis has been made aware of the issue and the DoD is reviewing policy regarding smartphones and wearable devices, Pentagon spokesman Col. Rob Manning said on Monday.

“We take these matters seriously and we are reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad,” Manning said.

He added that Mattis “has been very clear about not highlighting our capabilities to aid the enemy or give the enemy any advantage, so that would be our approach going in on this one as well.”

Nathan Ruser, a 20-year-old Australian student and analyst for the Institute for United Conflict Analysts, noted on Twitter on Saturday that the map made US bases “clearly identifiable and mappable.”

“If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn’t be able to establish any Pattern of life info from this far away,” Ruser tweeted.

In a statement to CNN, a spokesperson for US Central Command said it is constantly working to “refine policies and procedures to address such challenges.”

“The coalition is in the process of implementing refined guidance on privacy settings for wireless technologies and applications, and such technologies are forbidden at certain coalition sites and during certain activities. We will not divulge specific tactics, techniques and procedures,” the statement continued.

In addition, the statement said that Central Command maintains “confidence in our commanders’ abilities to enforce established policies that enhance force protection and operational security with the least impact to our personnel.”

The Army previously issued fitness trackers to officers, though it’s unclear how many of these devices were synced to Strava’s software.

In 2013, the Army issued Fitbit Flex wristbands to some 2,200 soldiers as part of its “Performance Triad” program, Military.com reported. In 2015, the program expanded: 20,000 soldiers and reservists across American bases within the continental US were tagged to participate, according to the Army Times.

In a post about the update in November, Strava said the update would include “six times more data than before – in total one billion activities from all Strava data through September 2017.” Strava boasts “tens of millions” of users, and according to the company, marked three trillion latitude/longitude points on the updated map. It tracks location data using GPS from Fitbits, cellphones, and other fitness tracking devices.

In response to inquiries about the Strava data, Pentagon spokeswoman Maj. Audricia Harris said “DoD takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad.”

10,000 ‘screw-ups’

Scott Lafoy, an open-source imagery analyst, told CNN it’s too early to truly assess how useful the data is.

“In terms of strategic stuff, we know all the bases there, we know a lot of the positions, this will just be some nice ancillary data,” said Lafoy.

From the site, it’s possible to identify individuals’ running routes, and around military bases users had posted profile photos of themselves wearing military uniforms.

Tracking the timing of movements on bases could provide valuable information on patrol routes or where specific personnel are deployed, Lafoy said.

It could also pose a danger for government officials posted in dangerous locations, like diplomats, who may not be in as secure locations as military personnel.

A Strava heatmap showing the Falkland Islands and RAF Mount Pleasant.
PHOTO: Strava
A Strava heatmap showing the Falkland Islands and RAF Mount Pleasant.

“If the data is not actually anonymous, then you can start figuring out timetables and like some very tactical information, and then you start getting into some pretty serious issues,” LaFoy said.

Strava said in a statement to CNN that the company is “committed to working with military and government officials to address sensitive areas that might appear.”

“Our global heatmap represents an aggregated and anonymized view of over a billion activities uploaded to our platform. It excludes activities that have been marked as private and user-defined privacy zones. We are committed to helping people better understand our settings to give them control over what they share,” the statement said.

A Strava heatmap of Baidoa Airport in Somalia.
PHOTO: Strava
A Strava heatmap of Baidoa Airport in Somalia.

Regardless of the data’s usability, the fact that it’s out there shows a lapse in protocol, one that likely has the potential to cost information and operation security personnel their jobs, Lafoy said.

“This is literally what 10,000 innocent individual screw-ups look like,” he said. “A lot if it is going to be a good reminder to security services why you do opsec (operational security) and why you do manage this sort of thing, and everyone is going to really hope it doesn’t get a couple people killed in the meantime.”

Limiting public profiles

When zoomed out, the heatmap shows more populated and developed parts of the world nearly completely lit up. Remote areas and conflict zones are darker, but eagle-eyed observers have noticed small lights in some of the areas, potentially identifying military personnel.

Twitter users have identified locations including a suspected CIA base in Somalia, a Patriot missile defense system site in Yemen and US special operations bases in the Sahel region of Africa. CNN cannot independently verify these claims. Known military sites like Diego Garcia in the Indian Ocean and the Falkland Islands’ RAF Mount Pleasant also show activity.

The Strava heatmap showing the Mogadishu airport.
PHOTO: Strava
The Strava heatmap showing the Mogadishu airport.

Multiple airports in Somalia show circles around airfields in the city. “Heavy jogging” at the airport in the capital of Mogadishu was spotted earlier by The Daily Beast’s Adam Rawnsley.

The US Department of Defense said in response to the Strava data that “annual training for all DoD personnel recommends limiting public profiles on the internet, including personal social media accounts.”

“Furthermore, operational security requirements provide further guidance for military personnel supporting operations around the world. Recent data releases emphasize the need for situational awareness when members of the military share personal information,” said Pentagon spokeswoman Harris.

CORRECTION: This story has been updated to correct the location of Diego Garcia.

Joshua Berlinger reported and wrote from Hong Kong, while Maegan Vazquez reported and wrote from Washington. CNN’s Ryan Browne, Kevin Bohn, Jason Hoffman and Barbara Starr contributed to this report.