When it comes to account security, using a password manager is generally a good idea. But what if that password manager keeps track of what you do and doesn’t even tell you? According to security researcher Mike Kuketz, the LastPass Android app has seven built-in trackers, and LastPass may not know what data they are collecting.
As first noted by The Register, Kuketz used tools from Exodus Privacy to investigate the LastPass Android app and discovered seven trackers embedded in the code:
- Google Analytics
- Google CrashLytics
- Google Firebase Analytics
- Google Tag Manager
While Exodus Privacy confirms the presence of trackers, that doesn’t
Further inspection does not suggest that the trackers have transferred username or password information, but the tracking code does appear to record when the user creates a password and what type of password it is. Kuketz says that including such tracking code in a password manager (or any similar security-focused app) is not acceptable, because the developers don’t fully know what the tracking code is collecting. That’s because trackers often use proprietary code that cannot be inspected.
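The kind of static check Exodus Privacy performs is a signature match: the class names packaged in the app’s dex files are compared against a list of known tracker SDK package prefixes. The script below is an added example written for this article, not code from Kuketz, Exodus Privacy or LastPass. The package prefixes in `TRACKER_SIGNATURES`, the `dexdump`-style input format it parses and the sample class list are all this example’s own assumptions; a real scan would use an actual signature database and the class list extracted from the APK under review. Note what the result does and does not prove: a match shows the SDK code is present in the build, which is exactly what the article reports, and says nothing about what, if anything, that code transmits.

```python
import re
from typing import Dict, Iterable, List

# Hypothetical tracker signature table in the style of a class-name prefix database.
# These prefixes are this example's assumptions about where each SDK's classes live;
# they are not taken from the article or from Exodus Privacy's published data.
TRACKER_SIGNATURES: Dict[str, List[str]] = {
    "Google Analytics": ["com.google.android.gms.analytics."],
    "Google CrashLytics": ["com.crashlytics.", "io.fabric.sdk.android."],
    "Google Firebase Analytics": ["com.google.firebase.analytics."],
    "Google Tag Manager": ["com.google.tagmanager.", "com.google.android.gms.tagmanager."],
}

# Assumed dexdump line shape: "  Class descriptor  : 'Lcom/foo/Bar;'"
DESCRIPTOR_RE = re.compile(r"Class descriptor\s*:\s*'([^']+)'")


def normalize_class_name(raw: str) -> str:
    """Turn a JVM/dex descriptor such as 'Lcom/foo/Bar;' into 'com.foo.Bar'.
    Plain dotted names pass through unchanged."""
    name = raw.strip()
    if name.startswith("L") and name.endswith(";"):
        name = name[1:-1]
    return name.replace("/", ".")


def class_names_from_dexdump(text: str) -> List[str]:
    """Extract class descriptors from dexdump-style output (format is an assumption)."""
    return [m.group(1) for m in DESCRIPTOR_RE.finditer(text)]


def find_trackers(class_names: Iterable[str],
                  signatures: Dict[str, List[str]] = TRACKER_SIGNATURES) -> Dict[str, List[str]]:
    """Map each detected tracker to the app classes that matched its prefixes.

    A hit only proves the SDK's code is bundled in the build; it does not show that
    the SDK is initialised at runtime or what data it sends. That caveat is the
    reason presence of a tracker and transfer of data are separate findings."""
    hits: Dict[str, List[str]] = {}
    for raw in class_names:
        cls = normalize_class_name(raw)
        for tracker, prefixes in signatures.items():
            if any(cls.startswith(prefix) for prefix in prefixes):
                hits.setdefault(tracker, []).append(cls)
    return hits


# Constructed sample: a dexdump-style excerpt mixing first-party classes with four SDKs.
SAMPLE_DEXDUMP = """
  Class descriptor  : 'Lcom/example/app/MainActivity;'
  Class descriptor  : 'Lcom/example/app/vault/PasswordGenerator;'
  Class descriptor  : 'Lcom/google/android/gms/analytics/Tracker;'
  Class descriptor  : 'Lcom/crashlytics/android/Crashlytics;'
  Class descriptor  : 'Lcom/google/firebase/analytics/FirebaseAnalytics;'
  Class descriptor  : 'Lcom/google/tagmanager/TagManager;'
  Class descriptor  : 'Landroidx/appcompat/app/AppCompatActivity;'
"""


def scan_sample() -> Dict[str, List[str]]:
    """Run the full pipeline on the constructed sample and return the report."""
    return find_trackers(class_names_from_dexdump(SAMPLE_DEXDUMP))


if __name__ == "__main__":
    report = scan_sample()
    print(f"{len(report)} tracker SDK(s) bundled in the sample build:")
    for tracker, classes in sorted(report.items()):
        print(f"  {tracker}: {len(classes)} class(es), e.g. {classes[0]}")
```

In practice the class list would come from the APK itself (for example via `dexdump` or a dex-parsing library) and the signature table from a maintained database; the matching logic stays the same. Because the match is on package prefixes, it also catches tracker SDKs that are bundled but never initialised, so a clean runtime network capture and a non-empty static report are not contradictory results.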
The amount of data appears to be huge, revealing information about the device being used, the cell phone provider, the type of LastPass account and the user’s Google advertising ID (used to link data about the user between apps). It’s enough data to build a comprehensive profile around the most personal information you store.
According to Exodus Privacy, other password managers don’t use that many trackers. Bitwarden has two, RoboForm and Dashlane have four, and 1Password has none. It’s not clear why LastPass uses so many of them.
In a statement to The Register, a LastPass spokesperson said, “… no sensitive personally identifiable user information or vault activity can be communicated through these trackers.” The spokesperson further said you can opt out of the analysis in the settings menu. But between this report and the recent change LastPass made to force free tier users to choose between desktop and mobile sync, it may be time to switch to another alternative, such as Bitwarden or 1Password.
via The Register