The Australian military may have to ban fitness watches during deployments because their apps reveal the locations and movements of defence personnel who use them.
Strava, a social network for runners and cyclists to track their workouts via satellite navigation, released a heat map last year showing the activity of its users worldwide.
The data can be cross-referenced with Google Maps and has shown jogging routes of soldiers at US military bases in the Middle East and Afghanistan.
A 20-year-old Australian National University security studies student Nathan Ruser uncovered the potential breach for military bases.
"It looks very pretty, but not amazing for Op-Sec (operational security). US bases are clearly identifiable and mappable," he said on Twitter.
Australia Defence Association spokesman Neil James said it was getting more difficult to protect operational security because more and more products were connected to the internet.
"In World War II, all you had to do was censor peoples' letters so they didn't inadvertently tell someone at home something they shouldn't," he told AAP.
Mr James said any devices which record or transmit should be left at home on deployments.
He said there would be some Australian soldiers using the app while training in Australia, but he doubted anyone deployed overseas would be using it.
Danielle Cave from the Australian Strategic Policy Institute pointed out ASIO spies had been caught up in the Strava data dump.
"Data shows either phones/fitbits appear to enter secure buildings. It's faint, but (there's) plenty of Strava data crisscrossing ASIO," she said on Twitter.
An ASIO spokeswoman said the organisation would not comment on security advice provided to staff.
Comment was being sought from Defence.