Security News > 2020 > October > Fitbit gallery can be used to distribute malicious apps
A security researcher discovered that malicious apps for Fitbit devices can be uploaded to the legitimate Fitbit domain and users can install them from private links.
Various mobile apps from Fitbit and its developer community are published in the official Fitbit Gallery.
Kevin Breen, threat research director at Immersive Labs, was able to upload to the Fitbit Gallery a malicious app he created specifically to test if it would bypass the app store's defenses.
Users will get a warning when installing an app from a private link; if it is already installed, it will be identified in the list of Fitbit apps present on the phone as not being in the public Fitbit Gallery.
The company highlights that privately shared apps are typically for developer testing and do not appear in searches on the public Fitbit App Gallery.