u/ninjahedgehog6

how to track steps on iphone without a million apps???

i literally just realized im supposed to be hitting like 8k steps a day for this fitness challenge my sorority is doing and i have NO idea how to track steps on iphone properly 
i have an iphone 14, no apple watch (cant afford it lol rip), and i thought the health app just did it automatically??? but when i opened it today it said i did like 400 steps yesterday which is DEFINITELY not true because i walked across campus like 5 times
tried downloading 3 different step counter apps and they all want me to pay for premium after a week and one of them already started spamming my notifications with weird motivational quotes at 6am
my friend said i need to keep my phone in my pocket for it to count but like... i carry my phone in my hand or in my bag most of the time??? is that why its not working???
whats the easiest way to track steps on iphone without paying for some random app or carrying my phone in a weird way all day??? also is the apple health app even accurate or am i wasting my time lol

u/ninjahedgehog6 — 8 days ago

is red teaming just an excuse to violate privacy policies?

I work in compliance at a mid-sized tech company in the US, and I've been dealing with an issue that's honestly making me question my entire career right now...
Our security team recently hired an external firm to do "red teaming" exercises on our infrastructure. Fine. I understand the concept, simulated attacks to find vulnerabilities before the bad guys do. Makes sense on paper.
The red teaming consultants were given access to our building (physical badges, network credentials, the works). Over three weeks, they tailgated employees into secure areas, plugged USB devices into workstations in the break room, set up fake phishing campaigns that collected actual employee passwords, accessed customer data directories to "prove" they could exfiltrate information, and photographed confidential documents left on desks.
Their final report proudly listed all of this as successful compromises. Management loved it. Security got a bigger budget. Everyone celebrated.
But several of those activities directly violated our own privacy policy that we make customers agree to. The one that says "we will never access your data without explicit consent" and "employee access is logged and audited."
When I brought this up in the meeting (calmly, professionally, with documentation), I was told "it's different because it's authorized red teaming." But authorized by WHO? Our customers didn't consent. Half our employees didn't even know this was happening. And the access logs just say "security assessment", which tells nobody anything.
I've read through at least a dozen articles on red teaming best practices, and they all say things like "ensure proper authorization" and "stay within legal boundaries," but nobody defines what that actually means when your own privacy policy says one thing and your security team does another.
Also, if I had accessed customer data the exact same way without the "red teaming" label, I'd be fired and possibly prosecuted. But because someone called it a security test, it's fine? How is that NOT a double standard?
I asked our legal team to clarify, and they said the red teaming scope was approved at the executive level (which I never saw in writing) and it falls under legitimate business purposes. That feels like corporate speak for we did what we wanted and we're making the rules fit afterward.
Does anyone else work somewhere that does red teaming exercises, and if so... how do you reconcile that with actual privacy commitments? Am I being too rigid about this, or is this genuinely a problem that companies just ignore because "security"?

u/ninjahedgehog6 — 10 days ago