Security Researcher Discovers Seven Embedded Trackers in LastPass Android App

Seven Embedded Trackers in LastPass Android App

A security researcher from Germany, Mike Kuketz, discovered seven embedded trackers in Lastpass’ Android App. “For an app that processes extremely sensitive data (passwords), this is simply a disgrace,” Kuketz exclaimed. In their defense, LastPass’ claim that users “can opt out if they want”.

LastPass is a popular free password manager. The app has been downloaded over 10 million times from Google’s Play Store alone. It has also received multiple awards from renowned IT magazines and security experts.

With its unique set of features, like secure notes, great multifactor authentication methods, credit monitoring and a digital wallet, it’s a big player in the field of password managers. Moreover, many users consider the free version “almost as good as premium”.

Also, in our review of both the best free password managers and the best password managers, LastPass came out top of class. Even bypassing great alternatives such as RememBear (free or premium version) and 1Password (premium only). Unfortunately for LastPass, this is all about to change…

Seven Embedded Trackers in LastPass Android App

Mike Kuketz, an IT security expert from Germany, decided to check whether LastPass contains any known tracker signatures. Not to single them out, as many applications use them without users realizing, but one needs to start somewhere. To his dismay, Mike Kuketz discovered a total of seven trackers: AppsFlyer, Google Analytics, Google CrashLytics, Google Firebase Analytics, Google Tag Manager MixPanel, and Segment.

“For an app that processes extremely sensitive data (i.e. passwords), this is simply a disgrace”, Kuketz said. “Advertising and analytics modules have no place here. It should be completely out of the question to integrate them into password manager apps.”

Kuketz is part of Exodus, a not-for-profit organization led by “hacktivists”. Volunteers manage the organization. Their aim is to help people get a better understanding of Android application tracking issues. A full list of the trackers Kuketz discovered, as well as the 36 permissions he found in the application, are published on their website.

Trackers Collect Various Data Types

Kuketz tested the Android version of LastPass. Immediately after starting the app, and without any other user interaction, the application contacted almost all named tracking providers. “At tracker bingo someone would probably call out: BINGO! The application does not even ask the user whether he or she agrees to the data transfer to the third-party provider.”

The tracking continued happily during use. The trackers collect various data types. Some applications collect information about the device being used or the type of account (free, family…). Others transmit data about the mobile operator, user IDs, IP addresses and time zone information. Or they can tell from which source the app was installed, whether biometric protection had been activated, when new entries were being created… Thus, even when the trackers don’t actually receive any content data, they can still follow users every step of the way.

The big problem is that sometimes, even app developers do not know what data is being collected and transmitted. Typically, the developer integrates code from the tracking provider into their application. The integration of propriety code, however, is by definition a privacy risk. Moreover, it can also introduce security risks and unexpected behavior.

Absence of Any Opt-Out

LastPass’s (LogMeIn, Inc.) data protection declaration, accessible via the Google PlayStore, only names Google Analytics as a third-party provider or partner. There is no reference to any other trackers. “Overall, one gets the impression that the data protection declaration is kept very general and does not provide sufficient information about which third-party providers the company works with.”

Furthermore, Kuketz couldn’t find any way to object to tracking or opt-out within the app. “Either you use the app and agree to the tracking, or you have to uninstall it,” he said. In his conclusion the security researcher warns that, with the currently available app version, LastPass is likely in violation of the GDPR. He strongly recommends changing to a different password manager.

And yes, there are many password managers out there that don’t use trackers. They help you create strong passwords and will keep them safe, without making any unsolicited use of your data. If you use LastPass and prefer to keep things as they are, at least change your privacy settings. Regardless of browser or device, this can be done in LastPass’ Privacy Settings, located under Account Settings > Show Advanced Settings > Privacy.

IT communication specialist
Sandra has many years of experience in the IT and tech sector as a communication specialist. She's also been co-director of a company specializing in IT, editorial services and communications project management. For she follows relevant cybercrime and online privacy developments.