Popular password manager in the spotlight over web trackers

While the trackers in LastPass’ Android app don’t collect any personal data, the news may not sit well with some privacy-minded users

Mike Kuketz, a German
researcher who disclosed the issue, finds it completely unacceptable for apps that
process extremely sensitive data to have advertising and analytics modules
integrated into them: “Or to put it in general terms: no proprietary and
non-transparent external code may be integrated into apps in which sensitive
data is processed. Which data these modules collect and transmit to the
third-party providers are sometimes not even known to the app developers
themselves, who integrate these modules into their apps,” he added.

Using Exodus, a privacy audit
platform for Android applications, Kuketz found that once the Android app is
started up, it immediately contacts the tracking providers. The app contains
Google Firebase Analytics, Segment, Google Crashlytics, AppsFlyer, Mixpanel,
and Google Analytics.

The information collected
includes the device’s IP address, screen resolution, time zone, Google
Advertising ID, information about the service provider, as well as apparently a
one-time generated user ID. While the app is in use, it transmits metadata
about new passwords being created and what type they are. The trackers do not,
however, gather any content data.

Importantly, users are not
asked for consent to having some of their data transmitted to third-party
providers, and Kuketz called out the app for not letting users opt out of the
data collection. However, a LastPass spokesperson told The Register that the app does actually offer this choice.

“All LastPass users,
regardless of browser or device, are given the option to opt-out of these
analytics in their LastPass Privacy Settings, located in their account
here: Account Settings > Show Advanced Settings > Privacy. We
are continuously reviewing our existing processes and working to make them
better to comply, and exceed, the requirements of current applicable data
protection standards,” the spokesperson said. The company also issued a statement following the report.

The spokesperson also gave
assurances that no sensitive personally identifiable user information or
password vault activity can pass through the trackers, adding that the trackers
only collect aggregated statistical data about the app’s use, which is then
used for optimizing and improving LastPass. It should be noted, however, that
some of these trackers are found in several other widely used password
managers, too.

Now, while the report may
be disconcerting for privacy-minded users, it shouldn’t detract from the
benefits of using a password manager, including avoiding common password
creation mistakes. Users
looking to double down on their security can choose from a variety of both free
and paid solutions, with some even being directly integrated into full-featured
security solutions. On that note, adding an extra layer of security in the form
of multi-factor authentication is also a desirable option.