Password manager LastPass includes seven trackers in the Android app, including four from Google and three from marketing agencies, which may collect data about users. It is not clear exactly what data is collected and shared with third parties.
The trackers were spotted by German security researcher Mike Kuketz in an analysis of non-profit hacktivist organization Exodus. According to the Exodus report , these are trackers from Google Analytics, Google CrashLytics, Google Firebase Analytics and Google Tag Manager and trackers from marketing services MixPanel, AppFlyers and Segment. “For an app that processes such extremely sensitive data, namely passwords, this is a weakness,” Kuketz said in a blog post . The trackers are included in the Android version of LastPass, version 188.8.131.5250.
Kuketz also calls the trackers a security risk, because according to him, third-party code does not belong in apps where sensitive data such as passwords are processed. “What data these modules collect and send to external providers is sometimes not even known to the app developers themselves, who integrate these modules into their apps.” With Exodus, the security researcher can say that the tracker code is present in the LastPass Android app, but he cannot say for sure whether the trackers are active. Before that, he looked at the network traffic of the app.
According to him, the app contacts almost any tracking provider every time it starts up, and at least shares information about the mobile device and version of Android, the telecom provider, whether the user is using WiFi or 4G, what type of LastPass account someone has. and the Google Advertising ID. The output data also shows during use when new passwords are created and what kind of passwords these are. Kuketz says it is unlikely that passwords or usernames will be sent.
What are the trackers used for?
The trackers from Google Analytics and Firebase Analytics are normally used for analytics about the use of the app, CrashLytics monitors crashes and Google Tag Manager is intended to tag usage data for easier analysis. The three other third-party trackers are more ad-focused, even though the free version of LastPass only has Premium ads in the app.
AppsFlyer is an analytics tool used by advertisers to see where users see ads and where they click on ads on mobile, Segment is an advertising platform designed to make it easier to collect and send usage data when an advertiser sends data to multiple databases or different use marketing tools. MixPanel is used for tracking user interactions in apps and includes an A / B testing tool.
Most trackers of all password managers
According to The Register, LastPass has built in most of the ad trackers of any password manager out there. 1Password and KeePass don’t use trackers, Bitwarden has Google Firebase Analytics and Microsoft Visual Crash Reporting built in. Dashlane has four trackers built in. In a response to The Register, LastPass says that no sensitive and personal data or vault activity is shared through these trackers. They are only used to collect aggregated statistical data about how LastPass is used so that they can improve the product.
Users can turn off data sharing. To do this, they should go to Account Settings, click Show Advanced Settings, and then click the Privacy tab to disable anonymous information about error messages from being shared for LastPass improvement. This is not possible in the Android app, users must open the safe in the desktop browser.
Recently, there was still a lot to do with LastPass as the company is going to limit the use of the free password manager to one device . Users of the free version of LastPass must determine which device they want to continue using LastPass by March 16. Why LastPass chooses that policy remains unclear, although the company says it wants to focus on Premium.