Security researcher raises questions about trackers in LastPass Android app

Posted in General Discussion, edited February 26
A security researcher has detailed seven trackers inside popular password manager LastPass, that the company itself or other advertisers can utilize to create targeted ads for users of the app.

Security researcher finds trackers in LastPass Android app, raising questions about privacy and security


German security researcher Mike Kuketz has uncovered seven trackers within the LastPass Android app, a password manager that has over 10 million installations in the Google Play Store alone.

The trackers involved were:
  • AppsFlyer
  • Google Analytics
  • Google Crashlytics
  • Google Firebase Analytics
  • Google Tag Manager
  • Mixpanel
  • Segment

Trackers have come to be expected in certain apps -- namely social media and online shopping outlets. The researcher notes that something about including trackers in a password vault app seems insidious.

Kuketz points out that immediately after launching LastPass on Android, six of the seven trackers activate before the user even interacts with the app. He also points out that at no point is the user asked whether or not they agree to have their data transmitted to the third-party providers.

During his test, Kuketz uncovered that the app tracks what device the user is using, whether the app is being used for free or under a subscription, and if the user prefers to utilize a biometric lock.

LastPass' Android version also continues to track users while they use the app. While the trackers may not receive sensitive content, such as the passwords themselves, they track nearly everything else.

Data tracked includes when a password has been created, what kind of account the user is creating, such as a social media profile versus a bank or credit card account, a user's IP address, a user's current location, and more. There is no way to object to this tracking or opt out of it, either -- a user would need to uninstall the app to prevent further tracking.

In a follow-up post, Kuketz shared a reader's interaction with LastPass support, who vehemently denied -- twice -- that the app had any trackers at all.

While no trackers have been confirmed to exist in the iOS or macOS versions of LastPass, a quick glance at the iOS beta's "nutrition label" hints that it's not out of the realm of possibility, either.

[Image: the LastPass iOS beta's App Privacy "nutrition label"]


Specifically, the LastPass iOS app tracks users' location, usage data, contact info, and some user content, all of which could be collated and sold to advertisers who then could use the information to target users with ads.

The Register points out that LastPass isn't the only password manager that has trackers, either. Bitwarden and Dashlane both contain trackers, two and four, respectively. However, LastPass rival 1Password and open-source KeePass do not feature trackers at all.

A LastPass spokesperson acknowledged to The Register that while the trackers exist, no personally identifiable user data or password activity is passed through the trackers. They claimed that the trackers only collect limited aggregated statistical data that is used to improve the product.

The information comes at a particularly unfortunate time, as LastPass recently introduced limits on free-tier accounts, restricting them to either computers or mobile devices. Additionally, email support is ending for free service members after March 17. Many users have threatened to leave the service after the change.

Comments

  • Reply 1 of 22
    And my friend is so proud of the fact that he never has to remember a password on any of his devices, and continually mocks me because I don't use this "great" software.
  • Reply 2 of 22
    A security researcher has detailed seven trackers inside popular password manager LastPass, that the company itself or other advertisers can utilize to create targeted ads for users of the app.
    ...

    Specifically, the LastPass iOS app tracks users location, usage data, contact info, and some user content, which all could be collated and sold to advertisers who then could use the information to target users with ads.

    A LastPass spokesperson acknowledged to The Register that while the trackers exist, no personally identifiable user data or password activity is passed through the trackers.
    The article quotes LastPass as saying "no personally identifiable user data or password activity is passed through the trackers" yet I see a few reasons to disbelieve that:

    1. The App Privacy panel actually says "Identifiers". If that doesn't mean "personally identifiable user data", then what does?
    2. The App Privacy panel includes "Location" which is extremely specific and is nearly the same thing as "personal identifiable user data" especially when it can be cross referenced with other data, which is probably an easy thing for companies like Facebook to do.

    Why did the article not include "user content" when it listed "users location, usage data, contact info, and some user content"? And why did it insert the word "some" before "user content" when that word isn't in the App Privacy label?

    I wish Apple had broken down some of its data categories. For example, the Location category as it stands could mean your location down to the last two feet, while I might be willing to buy some apps if the only location data they obtained from me was my "country".
    edited February 26
  • Reply 3 of 22
    However, LastPass rival 1Password and open-source KeePass do not feature trackers at all.
    1Password has the exact same list of personal info collected as does LastPass, per the privacy nutrition label.  So I guess they are tracking their users product without using trackers.  Okay then, that makes it better. 
  • Reply 4 of 22
    Wow. I like 1Password but I don’t use it much anymore. Time to use only Keychain. 
  • Reply 5 of 22
    On iOS, I don't see why people feel the need to use password managers at all since iOS directly supports automatic password storage.
    https://developer.apple.com/documentation/security/password_autofill/ <--
    Password AutoFill simplifies login and account creation tasks for iOS apps and webpages. With just a few taps, your users can create and save new passwords or log in to an existing account. Users don’t even need to know their password; the system handles everything.


    edited February 27
  • Reply 6 of 22
    gatorguy
    On iOS, I don't see why people feel the need to use password managers at all since iOS directly supports automatic password storage.
    https://developer.apple.com/documentation/security/password_autofill/ <--
    Password AutoFill simplifies login and account creation tasks for iOS apps and webpages. With just a few taps, your users can create and save new passwords or log in to an existing account. Users don’t even need to know their password; the system handles everything.


    Exactly the same on Android since 2017, so you could ask the same question there too. 
    edited February 27
  • Reply 7 of 22
    pujones1 said:
    Wow. I like 1Password but I don’t use it much anymore. Time to use only Keychain. 
    The article is about LastPass . There is zero evidence, in fact less than zero as they state it does not, that 1Password uses trackers.
  • Reply 8 of 22
    jony0
    Why does Google have or need 4 different trackers ?!?
  • Reply 9 of 22
    chadbag
    Not to defend tracking but

    Google Crashlytics is not really a tracker.  It helps developers get understandable crash dumps. That is all it does. 

    I think Google Analytics and Google Firebase Analytics are the same. IIRC everything got moved to the firebase label.  I could be wrong.  The app my company makes does not track any identifiable data and just tracks randomized usage info (what menus or tabs or whatever the user hits so we know what the app coverage is) as well as some performance metrics. We use the Google firebase analytics / Google Analytics stuff and Google Crashlytics. 
  • Reply 10 of 22
    On iOS, I don't see why people feel the need to use password managers at all since iOS directly supports automatic password storage.
    https://developer.apple.com/documentation/security/password_autofill/ <--
    Password AutoFill simplifies login and account creation tasks for iOS apps and webpages. With just a few taps, your users can create and save new passwords or log in to an existing account. Users don’t even need to know their password; the system handles everything.

    I store much more than just passwords in 1Password. Keychain is very limited in that regard. But it does work well if you only want to store login info.

  • Reply 11 of 22
    On iOS, I don't see why people feel the need to use password managers at all since iOS directly supports automatic password storage.
    Not all my device uses are on iOS.  My home desktop is a Windows based computer using Firefox.  And my work laptop is a windows based laptop using Chrome.  Safari is no longer supported for Windows machines.  Losing the ability to store and use my passwords across all the devices I use would be a real pain and defeat the purpose of using Last Pass.  
  • Reply 12 of 22
    MplsP
    bonobob said:
    However, LastPass rival 1Password and open-source KeePass do not feature trackers at all.
    1Password has the exact same list of personal info collected as does LastPass, per the privacy nutrition label.  So I guess they are tracking their users product without using trackers.  Okay then, that makes it better. 
    The very nature of these programs means they collect personal data, so the 'nutrition label' isn't terribly helpful in this case.
    pujones1 said:
    Wow. I like 1Password but I don’t use it much anymore. Time to use only Keychain. 
    On iOS, I don't see why people feel the need to use password managers at all since iOS directly supports automatic password storage.
    https://developer.apple.com/documentation/security/password_autofill/ <--
    Password AutoFill simplifies login and account creation tasks for iOS apps and webpages. With just a few taps, your users can create and save new passwords or log in to an existing account. Users don’t even need to know their password; the system handles everything.
    I used to use keychain, then Apple broke/removed the functionality several years ago when they went through their messy & botched transition from MobileMe to iCloud. At that point I started using 1Password. 1Password has more and better functionality than keychain does. It stores more kinds of data, organizes it better, makes it more accessible. It works in multiple browsers, and quite honestly, looking up passwords in keychain is a pain in the ass: multiple windows pop up, you have to enter your password each time you retrieve a password, etc. Apple hasn't updated or improved the keychain app in years so it really is a poor substitute for the other password apps.

    Tracking user data for a paid app is really inexcusable. I was considering switching from 1Password to Dashlane or LastPass, but after reading this article I'm staying put.


    edited February 28
  • Reply 13 of 22
    MplsP
    gatorguy said:
    On iOS, I don't see why people feel the need to use password managers at all since iOS directly supports automatic password storage.
    https://developer.apple.com/documentation/security/password_autofill/ <--
    Password AutoFill simplifies login and account creation tasks for iOS apps and webpages. With just a few taps, your users can create and save new passwords or log in to an existing account. Users don’t even need to know their password; the system handles everything.


    Exactly the same on Android since 2017, so you could ask the same question there too. 
    Well, for starters password managers provide better cross-platform functionality. 
  • Reply 14 of 22
    22july2013
    rattlhed said:
    On iOS, I don't see why people feel the need to use password managers at all since iOS directly supports automatic password storage.
    Not all my device uses are on iOS.  My home desktop is a Windows based computer using Firefox.  And my work laptop is a windows based laptop using Chrome.  Safari is no longer supported for Windows machines.  Losing the ability to store and use my passwords across all the devices I use would be a real pain and defeat the purpose of using Last Pass.  
    Okay, fair point. I suspect that most users do not use multiple platforms. I'm not really sure what the percentage would be, though.

    But personally, I wouldn't use a work computer to access personal sites that require my passwords. It not only seems unethical to me, but some offices have significant abilities to read all their users' laptops contents and sessions.
  • Reply 15 of 22
    MplsP
    rattlhed said:
    On iOS, I don't see why people feel the need to use password managers at all since iOS directly supports automatic password storage.
    Not all my device uses are on iOS.  My home desktop is a Windows based computer using Firefox.  And my work laptop is a windows based laptop using Chrome.  Safari is no longer supported for Windows machines.  Losing the ability to store and use my passwords across all the devices I use would be a real pain and defeat the purpose of using Last Pass.  
    Okay, fair point. I suspect that most users do not use multiple platforms. I'm not really sure what the percentage would be, though.

    But personally, I wouldn't use a work computer to access personal sites that require my passwords. It not only seems unethical to me, but some offices have significant abilities to read all their users' laptops contents and sessions.
    I suspect there are a lot of users that have iPhones and windows desktops/laptops. Also, as rarrlhed pointed out, keychain only works with Safari, so if you use another browser you’re either stuck with an incredibly cumbersome workflow or you switch to a 3rd party password manager. 
  • Reply 16 of 22
    gatorguy
    MplsP said:
    rattlhed said:
    On iOS, I don't see why people feel the need to use password managers at all since iOS directly supports automatic password storage.
    Not all my device uses are on iOS.  My home desktop is a Windows based computer using Firefox.  And my work laptop is a windows based laptop using Chrome.  Safari is no longer supported for Windows machines.  Losing the ability to store and use my passwords across all the devices I use would be a real pain and defeat the purpose of using Last Pass.  
    Okay, fair point. I suspect that most users do not use multiple platforms. I'm not really sure what the percentage would be, though.

    But personally, I wouldn't use a work computer to access personal sites that require my passwords. It not only seems unethical to me, but some offices have significant abilities to read all their users' laptops contents and sessions.
    I suspect there are a lot of users that have iPhones and windows desktops/laptops. Also, as rarrlhed pointed out, keychain only works with Safari, so if you use another browser you’re either stuck with an incredibly cumbersome workflow or you switch to a 3rd party password manager. 
    In my view that's a primary selling point for Chrome and by extension its password manager: Cross-platform. 

    I don't worry one whit about Google stealing one of my passwords and logging into one of my accounts pretending to be "me".  That would be a patently-absurd concern, and as far as security against personal credentials being stolen I believe Google servers are as secure as anyone's, and more so than most. 

    For that reason 3rd party password managers aren't interesting to me. 
  • Reply 17 of 22
    MplsP
    gatorguy said:
    MplsP said:
    rattlhed said:
    On iOS, I don't see why people feel the need to use password managers at all since iOS directly supports automatic password storage.
    Not all my device uses are on iOS.  My home desktop is a Windows based computer using Firefox.  And my work laptop is a windows based laptop using Chrome.  Safari is no longer supported for Windows machines.  Losing the ability to store and use my passwords across all the devices I use would be a real pain and defeat the purpose of using Last Pass.  
    Okay, fair point. I suspect that most users do not use multiple platforms. I'm not really sure what the percentage would be, though.

    But personally, I wouldn't use a work computer to access personal sites that require my passwords. It not only seems unethical to me, but some offices have significant abilities to read all their users' laptops contents and sessions.
    I suspect there are a lot of users that have iPhones and windows desktops/laptops. Also, as rarrlhed pointed out, keychain only works with Safari, so if you use another browser you’re either stuck with an incredibly cumbersome workflow or you switch to a 3rd party password manager. 
    In my view that's a primary selling point for Chrome and by extension its password manager: Cross-platform. 

    I don't worry one whit about Google stealing one of my passwords and logging into one of my accounts pretending to be "me".  That would be a patently-absurd concern, and as far as security against personal credentials being stolen I believe Google servers are as secure as anyone's, and more so than most. 

    For that reason 3rd party password managers aren't interesting to me. 
    Not worried about Google stealing my passwords, but I am worried about them spying on everything else I do. That and the fact that Chrome is a resource hog that slows down your system is enough to keep me away. 

    I have 1Password - it works on all common browsers and all common OS's. In iOS you can use it for application passwords outside of the browser, too. Far more useful than keychain or some Google extension.
  • Reply 18 of 22
    22july2013
    MplsP said:
    rattlhed said:
    On iOS, I don't see why people feel the need to use password managers at all since iOS directly supports automatic password storage.
    Not all my device uses are on iOS.  My home desktop is a Windows based computer using Firefox.  And my work laptop is a windows based laptop using Chrome.  Safari is no longer supported for Windows machines.  Losing the ability to store and use my passwords across all the devices I use would be a real pain and defeat the purpose of using Last Pass.  
    Okay, fair point. I suspect that most users do not use multiple platforms. I'm not really sure what the percentage would be, though.

    But personally, I wouldn't use a work computer to access personal sites that require my passwords. It not only seems unethical to me, but some offices have significant abilities to read all their users' laptops contents and sessions.
    I suspect there are a lot of users that have iPhones and windows desktops/laptops. Also, as rarrlhed pointed out, keychain only works with Safari, so if you use another browser you’re either stuck with an incredibly cumbersome workflow or you switch to a 3rd party password manager. 
    I agree that if you use another browser than Safari then you're losing the benefits of Apple's Secure Enclave and therefore you've already lost good security so using a password manager isn't much worse.

    When you say "lots" of users use both Windows and iPhones, I agree in terms of absolute numbers but not in terms of percentage of users, and Apple has no ability, let alone obligation, to support non-Apple users. Because non-Apple users don't have Secure Enclaves.
    edited March 2
  • Reply 19 of 22
    gatorguy
    MplsP said:
    rattlhed said:
    On iOS, I don't see why people feel the need to use password managers at all since iOS directly supports automatic password storage.
    Not all my device uses are on iOS.  My home desktop is a Windows based computer using Firefox.  And my work laptop is a windows based laptop using Chrome.  Safari is no longer supported for Windows machines.  Losing the ability to store and use my passwords across all the devices I use would be a real pain and defeat the purpose of using Last Pass.  
    Okay, fair point. I suspect that most users do not use multiple platforms. I'm not really sure what the percentage would be, though.

    But personally, I wouldn't use a work computer to access personal sites that require my passwords. It not only seems unethical to me, but some offices have significant abilities to read all their users' laptops contents and sessions.
    I suspect there are a lot of users that have iPhones and windows desktops/laptops. Also, as rarrlhed pointed out, keychain only works with Safari, so if you use another browser you’re either stuck with an incredibly cumbersome workflow or you switch to a 3rd party password manager. 
    I agree that if you use another browser than Safari then you're losing the benefits of Apple's Secure Enclave and therefore you've already lost good security so using a password manager isn't much worse.

    When you say "lots" of users use both Windows and iPhones, I agree in terms of absolute numbers but not in terms of percentage of users, and Apple has no ability, let alone obligation, to support non-Apple users. Because non-Apple users don't have Secure Enclaves.
    I agree with you on every point but the last one, even if what it's called is different depending on who implements it. 
  • Reply 20 of 22
    22july2013
    gatorguy said:
    MplsP said:
    rattlhed said:
    On iOS, I don't see why people feel the need to use password managers at all since iOS directly supports automatic password storage.
    Not all my device uses are on iOS.  My home desktop is a Windows based computer using Firefox.  And my work laptop is a windows based laptop using Chrome.  Safari is no longer supported for Windows machines.  Losing the ability to store and use my passwords across all the devices I use would be a real pain and defeat the purpose of using Last Pass.  
    Okay, fair point. I suspect that most users do not use multiple platforms. I'm not really sure what the percentage would be, though.

    But personally, I wouldn't use a work computer to access personal sites that require my passwords. It not only seems unethical to me, but some offices have significant abilities to read all their users' laptops contents and sessions.
    I suspect there are a lot of users that have iPhones and windows desktops/laptops. Also, as rarrlhed pointed out, keychain only works with Safari, so if you use another browser you’re either stuck with an incredibly cumbersome workflow or you switch to a 3rd party password manager. 
    I agree that if you use another browser than Safari then you're losing the benefits of Apple's Secure Enclave and therefore you've already lost good security so using a password manager isn't much worse.

    When you say "lots" of users use both Windows and iPhones, I agree in terms of absolute numbers but not in terms of percentage of users, and Apple has no ability, let alone obligation, to support non-Apple users. Because non-Apple users don't have Secure Enclaves.
    I agree with you on every point but the last one, even if what it's called is different depending on who implements it. 
    I thought that the secure enclaves for other smart phone developers were written entirely with software rather than hardware (that used to be the case), which is why I made that claim in the last sentence. But then I remembered that recently other vendors have started using separate chips also, just like Apple's T2 chip. So I guess I have to concede that some smartphones are now building hardware enclaves also. https://www.howtogeek.com/387934/your-smartphone-has-a-special-security-chip.-heres-how-it-works/ I'm not sure if I trust these johnny-come-lately copycats yet, but eventually I will be persuaded that they are decent and they will have caught up to Apple in my eyes.