German cybersecurity expert Mike Kuketz noticed that there are seven trackers in the LastPass app for Android that monitor users.
The researcher builds his findings on the report of the non-profit organization Exodus , which is described as an initiative “led by hacktivists, the goal of which is to help people understand the problems of tracking in Android applications.”
Seven trackers were found in the password manager, including four from Google that collect data for analytics and crash reporting, as well as AppsFlyer, MixPanel and Segment. For example, the latter collects information for marketing teams, and its developers write that the tool offers to create a “single view of the customer” by profiling users and linking together their actions on different platforms (presumably to personalize ads).
Kuketz believes that in this way the developers of LastPass seek to monetize the huge number of free users of their application. At the same time, the researcher warns that often application developers do not know at all what data trackers collect and what they transfer to third parties. As a result, integrating someone else’s proprietary code into an application can be dangerous and can lead to data leakage. According to the expert, there is no place for such trackers in a password manager, whose security is extremely important.
According to the expert, LastPass transmits to the side information about the device used, the carrier, the type of the LastPass account, the Google advertising ID (which can be used to link user data from different applications). In addition, trackers “know” when a user creates new passwords and what type they are.
As a result, Kuketz comes to the conclusion that instead of LastPass, it is better to use other password managers, for example, the open source KeePass. The fact is that, according to Exodus, there are no trackers at all in either the KeePass code or the 1Password code. In the open source Bitwarden code, you can find two “beacons”: analytic Google Firebase and Microsoft Visual Studio crash reporting, and four were found in the Dashlane code.
LastPass representatives have already assured the media that using the detected trackers it is impossible to transfer confidential user data, and their storage is also safe. It is emphasized that trackers only collect statistical information about the use of the application, which is used to improve and optimize the product. In addition, you can opt out of collecting analytics in the settings.