Security researcher details seven trackers found in the LastPass Android app

The researcher recommended LastPass users find a different password manager

LastPass on Android

A security researcher recommended LastPass users switch to an alternative password manager after uncovering seven trackers utilized in its Android app.

In a blog post, security researcher Mike Kuketz (source is in German) details the trackers, mostly handling crash and app analytics. Although the trackers don’t transfer critical data, like passwords or usernames, Kuketz says the trackers’ inclusion is terrible practice for critical security apps like password managers.

Four of the LastPass trackers come from Google and handle analytics and crash reporting. There’s also a tracker from a company called Segment, which appears to gather data for marketing teams. According to The Register, it claims to offer a “single view of the customer” by profiling users and connecting their activity across different platforms, likely to personalize ads.

Kuketz also analyzed the data transmitted by these trackers and found it included information about the smartphone’s make and model. The trackers also shared information about whether the user enabled biometric security. Regardless if the trackers share information that isn’t personally identifiable, Kuketz notes that integrating third-party code into an app introduces the potential for security vulnerabilities. He goes on to recommend changing to a password manager that doesn’t have trackers.

A website called Exodus, which analyzes Android apps and lists embedded trackers, details the trackers present in other popular password managers. For example, Bitwarden has two trackers — Google Firebase Analytics and a Microsoft Visual Studio tracker for crash reporting. According to Exodus, RoboForm and Dashlane have four trackers, while Toronto-based 1Password doesn’t have any trackers.

The report comes after LastPass announced plans to restricts its free tier. Starting March 16th, the company will lock free users to one type of device — mobile phones or computers. The announcement has caused some free users to look elsewhere for their password management needs. Combined with the tracking issue, more people may want to switch password managers — if you find yourself in that boat, we’ve got a list of excellent alternatives you can view here.

Source: Mike Kuketz Via: The Register, The Verge