Security researcher raises questions about trackers in LastPass Android app
A security researcher has detailed seven trackers inside the popular password manager LastPass that the company itself or other advertisers can use to create targeted ads for users of the app.
German security researcher Mike Kuketz has uncovered seven trackers within the LastPass Android app, a password manager that has over 10 million installations in the Google Play Store alone.
The trackers involved were:
- AppsFlyer
- Google Analytics
- Google Crashlytics
- Google Firebase Analytics
- Google Tag Manager
- Mixpanel
- Segment
Kuketz points out that immediately after launching LastPass on Android, six of the seven trackers activate before the user even interacts with the app. He also points out that at no point is the user asked whether or not they agree to have their data transmitted to the third-party providers.
During his test, Kuketz uncovered that the app tracks what device the user is using, whether the app is being used for free or under a subscription, and if the user prefers to utilize a biometric lock.
LastPass' Android version also continues to track users while they use the app. While the trackers may not receive sensitive content, such as the passwords themselves, they track nearly everything else.
Data tracked includes when a password has been created, what kind of account the user is creating (such as a social media profile versus a bank or credit card account), the user's IP address, the user's current location, and more. There is no way to object to this tracking or opt out of it, either: a user would need to uninstall the app to prevent further tracking.
In a follow-up post, Kuketz shared a reader's interaction with LastPass support, who vehemently denied -- twice -- that the app had any trackers at all.
While no trackers have been confirmed to exist in the iOS or macOS versions of LastPass, a quick glance at the iOS beta's "nutrition label" hints that it's not out of the realm of possibility, either.
Specifically, the LastPass iOS app tracks users' location, usage data, contact info, and some user content, all of which could be collated and sold to advertisers who could then use the information to target users with ads.
The Register points out that LastPass isn't the only password manager that has trackers, either. Bitwarden and Dashlane both contain trackers, two and four, respectively. However, LastPass rival 1Password and open-source KeePass do not feature trackers at all.
A LastPass spokesperson acknowledged to The Register that while the trackers exist, no personally identifiable user data or password activity is passed through the trackers. They claimed that the trackers only collect limited aggregated statistical data that is used to improve the product.
The information comes at a particularly unfortunate time, as LastPass recently introduced limits on free-tier accounts, restricting them to either computers or mobile devices. Additionally, email support is ending for free service members after March 17. Many users have threatened to leave the service after the change.
Comments
1. The App Privacy panel actually says "Identifiers". If that doesn't mean "personally identifiable user data", then what does?
2. The App Privacy panel includes "Location" which is extremely specific and is nearly the same thing as "personal identifiable user data" especially when it can be cross referenced with other data, which is probably an easy thing for companies like Facebook to do.
Why did the article not include "user content" when it listed "users location, usage data, contact info, and some user content"? And why did it insert the word "some" before "user content" when that word isn't in the App Privacy label?
I wish Apple had broken down some of its data categories. For example, the Location category as it stands could mean your location down to the last two feet, while I might be willing to buy some apps if the only location data they obtained from me was my "country".
Google Crashlytics is not really a tracker. It helps developers get understandable crash dumps. That is all it does.
I used to use keychain, then Apple broke/removed the functionality several years ago when they went through their messy & botched transition from MobileMe to iCloud. At that point I started using 1Password. 1Password has more and better functionality than keychain does. It stores more kinds of data, organizes it better, makes it more accessible. It works in multiple browsers, and quite honestly, looking up passwords in keychain is a pain in the ass - multiple windows pop up, you have to enter your password each time you retrieve a password, etc. Apple hasn't updated or improved the keychain app in years so it really is a poor substitute for the other password apps.
Tracking user data for a paid app is really inexcusable. I was considering switching from 1Password to Dashlane or LastPass, but after reading this article I'm staying put.
But personally, I wouldn't use a work computer to access personal sites that require my passwords. It not only seems unethical to me, but some offices have significant abilities to read all their users' laptops contents and sessions.
I don't worry one whit about Google stealing one of my passwords and logging into one of my accounts pretending to be "me". That would be a patently-absurd concern, and as far as security against personal credentials being stolen I believe Google servers are as secure as anyone's, and more so than most.
For that reason 3rd party password managers aren't interesting to me.
I have 1Password - it works on all common browsers and all common OS's. In iOS you can use it for application passwords outside of the browser, too. Far more useful than keychain or some google extension.
When you say "lots" of users use both Windows and iPhones, I agree in terms of absolute numbers but not in terms of percentage of users, and Apple has no ability, let alone obligation, to support non-Apple users. Because non-Apple users don't have Secure Enclaves.