When it comes to account security, using a password manager is generally a good idea. But what happens if that password manager is tracking what you’re doing and not even telling you? According to security researcher Mike Kuketz, the LastPass Android app has seven embedded trackers, and LastPass may not know what data they collect.
As first spotted by The Register, Kuketz used tools from Exodus Privacy to examine the LastPass Android app and discovered seven trackers embedded in its code:
- Google Analytics
- Google CrashLytics
- Google Firebase Analytics
- Google Tag Manager
While Exodus Privacy confirms the presence of trackers, that alone doesn’t show whether they actually do anything. So Kuketz followed up with network monitoring while setting up a new LastPass account. He discovered that the app reached out to nearly every tracker’s servers without asking permission first.
Further inspection doesn’t suggest that the trackers transferred any username or password data, but the tracking code does appear to learn when the user creates a password and what type. Kuketz says that including tracking code of this type in a password manager (or similar security-focused app) isn’t acceptable, as the developers can’t be fully aware of what the tracking code collects. That’s because trackers often use proprietary code that isn’t open for inspection.
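The two-step audit described above (static detection of tracker SDKs, then network monitoring to see which ones actually phone home) can be reproduced on any Android app. The following is an added example, not code from the article, Kuketz, or Exodus Privacy; the class-name prefixes and endpoint patterns are assumptions that approximate how such signatures look, and the class list and hostnames are constructed sample data.

```python
import re

# Assumed class-name prefixes and endpoint patterns for the four trackers the
# article names (approximating Exodus-style signatures, not copied from them).
TRACKERS = {
    "Google Analytics": (["com.google.android.gms.analytics."],
                         [r"google-analytics\.com$"]),
    "Google CrashLytics": (["com.crashlytics.", "com.google.firebase.crashlytics."],
                           [r"crashlytics\.com$"]),
    "Google Firebase Analytics": (["com.google.firebase.analytics.",
                                   "com.google.android.gms.measurement."],
                                  [r"app-measurement\.com$"]),
    "Google Tag Manager": (["com.google.tagmanager.", "com.google.android.gms.tagmanager."],
                           [r"googletagmanager\.com$"]),
}

def static_scan(class_names):
    """Step 1: trackers whose SDK classes ship inside the APK (Exodus-style)."""
    found = set()
    for cls in class_names:
        for name, (prefixes, _) in TRACKERS.items():
            if any(cls.startswith(p) for p in prefixes):
                found.add(name)
    return found

def dynamic_scan(hosts):
    """Step 2: trackers whose endpoints the app actually contacted."""
    active = set()
    for host in hosts:
        for name, (_, patterns) in TRACKERS.items():
            if any(re.search(p, host) for p in patterns):
                active.add(name)
    return active

def audit(class_names, hosts):
    """Split embedded trackers into those that phoned home and those that stayed dormant."""
    embedded = static_scan(class_names)
    active = dynamic_scan(hosts) & embedded
    return {"embedded": embedded, "active": active, "dormant": embedded - active}

# Constructed sample data: a hypothetical dex class dump and hostnames from a
# hypothetical DNS/proxy log captured while creating a new account.
SAMPLE_CLASSES = ["com.example.vault.LoginActivity",
                  "com.google.android.gms.analytics.Tracker",
                  "com.google.firebase.crashlytics.FirebaseCrashlytics",
                  "com.google.firebase.analytics.FirebaseAnalytics",
                  "com.google.tagmanager.DataLayer"]
SAMPLE_HOSTS = ["api.example-vault.test", "www.google-analytics.com",
                "settings.crashlytics.com", "app-measurement.com"]
if __name__ == "__main__":
    print(audit(SAMPLE_CLASSES, SAMPLE_HOSTS))  # Tag Manager is embedded but dormant
```

Running the static scan alone would report all four trackers; only the network log shows that three of them contacted their servers during setup while Tag Manager did not, which is exactly the distinction the follow-up monitoring is meant to draw.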
The amount of data does seem to be extensive, revealing information about the device in use, the cell phone carrier, the type of LastPass account, and the user’s Google Advertising ID (used to connect data about the user across apps). It’s enough data to build an extensive profile around the most private information you store.
In a statement to The Register, a LastPass spokesperson said, “…no sensitive personally identifiable user data or vault activity could be passed through these trackers.” The spokesperson went on to say you can opt out of the analytics in the settings menu. Still, between this report and the recent change LastPass made to force free-tier users to choose between desktop and mobile syncing, it may be time to move on to an alternative like Bitwarden or 1Password.
via The Register