Android Version of Password Manager LastPass Contains All Kinds of Trackers

The Android version of password manager LastPass includes all kinds of trackers, including several from Google. Security researcher Mike Kuketz discovered this after having the app checked by the Exodus platform. Exodus is a "privacy audit platform" for Android applications. The check yielded a total of seven trackers: AppsFlyer, Google Analytics, Google Crashlytics, Google Firebase Analytics, Google Tag Manager, Mixpanel and Segment.

According to Kuketz, such trackers do not belong in a password manager that processes very sensitive information. "What data these modules collect and send to third parties is sometimes not clear to even the app developers, who add the modules to their apps," said the researcher about the trackers present.

Kuketz states that the trackers send data without users being asked for permission. Tracking also takes place while using the app. "Even if the trackers don't receive content data, they still track the user everywhere they use LastPass and receive metadata in the process." This may include information about a new password, address or bank account, various user IDs and information about the device used.

The researcher concludes that the current Android version of LastPass is likely to violate the GDPR. In addition, he calls the company's approach to security "very questionable". Other password managers such as 1Password and KeePass do not include trackers, according to Exodus' scan. Bitwarden contains two trackers, while password vault Dashlane has four.

In a response to The Register, LastPass said it will not send sensitive personally identifiable data or data from the password vault to the trackers. The trackers only collect "limited statistical data" on the use of LastPass that the company uses to improve the product, a spokesperson said. LastPass recently hit the headlines for restricting use of the free version to one type of