- A security researcher found that password management app LastPass is tracking Android users with seven distinct trackers, including a service that can help track people across the web.
- The researcher explained that including trackers in apps that protect sensitive information like password management could be risky for the user.
- Rival services have no built-in trackers, or fewer than LastPass.
A few weeks ago, I told you that it was probably time you started paying for LastPass or any password management app you might be considering. This type of app is a must-have on smartphones and desktops and deserves the premium experience, whether that means paying for a license outright or going for the subscription model. I said that you should be paying for LastPass as the company announced plans to cripple the free tier.
Soon, LastPass users who aren’t paying for LastPass features will have to choose between mobile-only or desktop-only experiences. To get both, you need a subscription. I’m now going to tell you it’s probably time you ditched LastPass and replaced it with something else. That’s because the app is tracking users on Android, which could be a massive security issue on a service meant to guard incredibly sensitive data.
German security researcher Mike Kuketz found that the Android LastPass app contains seven distinct trackers, and recommended that users uninstall the app and move to a different password manager.
LastPass uses four Google trackers for analytics and crash reporting and three trackers made by AppsFlyer, MixPanel, and Segment. The Register reports that Segment collects data for marketing teams, offering a “single view of the customer.” The company can profile users and connect their activity across platforms.
The problem isn’t that LastPass might be looking to make money by tracking free users — assuming that LastPass would want to do that. It’s the fact that LastPass has to build tracking code into the app to do it. Kuketz said that even LastPass can’t know what sort of data a tracker collects, which makes integrating such code in the app a privacy and security risk. According to the researcher, trackers like the ones LastPass is using should not be found in password management apps.
Kuketz found that the trackers collect details about the device being used, the mobile operator, the LastPass account, and the Google Advertising ID. The data also shows when passwords are created and what type they are, although no actual usernames or passwords were found in the traffic. There’s no way for the user to opt out of this tracking, and LastPass does not tell you that it collects data, the researcher said. The trackers collect data from all users, regardless of whether they’re on a free or paid tier.
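The kind of check behind a finding like this can be reproduced on any app you install: dump the class list from the APK and look for the package namespaces of known tracker SDKs. The script below is an added illustration, not Kuketz’s tooling or anything from LastPass; the package prefixes it matches are assumed signatures for the vendors named in the article, and the class listing is constructed, not real LastPass output.

```python
import re
from collections import defaultdict

# Assumed package prefixes for the tracker SDKs the article names.
# These are illustrative assumptions, not a list taken from the article.
TRACKER_SIGNATURES = {
    "Google Analytics / Firebase": ("com.google.android.gms.analytics", "com.google.firebase.analytics"),
    "Google Crashlytics": ("com.google.firebase.crashlytics", "com.crashlytics"),
    "AppsFlyer": ("com.appsflyer",),
    "MixPanel": ("com.mixpanel.android",),
    "Segment": ("com.segment.analytics",),
}
# Client class that hands out the Google Advertising ID the article says is collected.
ADVERTISING_ID_CLASS = "com.google.android.gms.ads.identifier.AdvertisingIdClient"

_DEX_DESCRIPTOR = re.compile(r"^L([^;]+);$")

def normalize(name: str) -> str:
    """Turn a dex descriptor such as 'Lcom/appsflyer/Foo;' into 'com.appsflyer.Foo'."""
    name = name.strip()
    m = _DEX_DESCRIPTOR.match(name)
    if m:
        name = m.group(1)
    return name.replace("/", ".")

def scan_classes(class_names):
    """Group matched classes by tracker vendor and flag Advertising ID API use."""
    hits = defaultdict(set)
    uses_ad_id = False
    for raw in class_names:
        cls = normalize(raw)
        if not cls:
            continue
        # Inner classes appear as Outer$Inner, so match the outer name too.
        if cls == ADVERTISING_ID_CLASS or cls.startswith(ADVERTISING_ID_CLASS + "$"):
            uses_ad_id = True
        for vendor, prefixes in TRACKER_SIGNATURES.items():
            if any(cls == p or cls.startswith(p + ".") for p in prefixes):
                hits[vendor].add(cls)
    return {"trackers": dict(hits), "tracker_count": len(hits), "uses_advertising_id": uses_ad_id}

# Constructed sample listing in dex descriptor form; not taken from any real APK.
SAMPLE_CLASSES = """Lcom/example/vault/MainActivity;
Lcom/example/vault/crypto/AesGcm;
Lcom/appsflyer/AppsFlyerLib;
Lcom/mixpanel/android/mpmetrics/MixpanelAPI;
Lcom/segment/analytics/Analytics;
Lcom/google/firebase/crashlytics/FirebaseCrashlytics;
Lcom/google/android/gms/ads/identifier/AdvertisingIdClient$Info;""".splitlines()

if __name__ == "__main__":
    report = scan_classes(SAMPLE_CLASSES)
    for vendor, classes in sorted(report["trackers"].items()):
        print(f"{vendor}: {len(classes)} class(es)")
    print("distinct trackers:", report["tracker_count"], "| uses Advertising ID API:", report["uses_advertising_id"])
```

On a real APK the class list comes from a tool such as dexdump or a decompiler; a match only proves the SDK is bundled, so confirming what it sends still requires inspecting network traffic as Kuketz did.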
The Register points out that LastPass rivals 1Password and KeePass do not have any trackers. Bitwarden has two trackers, and Dashlane has four.
LastPass told the blog that “no sensitive personally identifiable user data or vault activity could be passed through these trackers. These trackers collect limited aggregated statistical data about how you use LastPass, which is used to help us improve and optimize the product.”
The company says there is a way of opting out. “All LastPass users, regardless of browser or device, are given the option to opt-out of these analytics in their LastPass Privacy Settings, located in their account here: Account Settings > Show Advanced Settings > Privacy. We are continuously reviewing our existing processes and working to make them better to comply, and exceed, the requirements of current applicable data protection standards.”
The problem is the user isn’t even asked whether he or she agrees to the data transfer.
Even so, moving to a different password manager might be the better move.