3.3.21

 Popular password manager in the spotlight over web trackers

While the trackers in LastPass’ Android app don’t collect any personal data, the news may not sit well with some privacy-minded users

 By Amer Owaida

 LastPass, a popular password manager, has come under some fire following a report that its Android app features seven built-in advertising and analytics trackers that gather data ranging from the user’s device type and Android version to whether the user is on a free plan and has enabled biometric protection.

Mike Kuketz, a German researcher who disclosed the issue, finds it completely unacceptable for apps that process extremely sensitive data to have advertising and analytics modules integrated into them: “Or to put it in general terms: no proprietary and non-transparent external code may be integrated into apps in which sensitive data is processed. Which data these modules collect and transmit to the third-party providers are sometimes not even known to the app developers themselves, who integrate these modules into their apps,” he added.

Using Exodus, a privacy audit platform for Android applications, Kuketz found that once the Android app is started up, it immediately contacts the tracking providers. The app contains Google Firebase Analytics, Segment, Google CrashLytics, AppsFlyer, Mixpanel, and Google Analytics.


The information collected includes the device’s IP address, screen resolution, time zone, Google Advertising ID, information about the service provider, as well as apparently a one-time generated user ID. While the app is in use, it transmits metadata about new passwords being created and what type they are. The trackers do not, however, gather any content data.

Importantly, users are not asked for consent to having some of their data transmitted to third-party providers, and Kuketz called out the app for not letting users opt out of the data collection. However, a LastPass spokesperson told The Register that the app does actually offer this choice.

“All LastPass users, regardless of browser or device, are given the option to opt-out of these analytics in their LastPass Privacy Settings, located in their account here: Account Settings > Show Advanced Settings > Privacy. We are continuously reviewing our existing processes and working to make them better to comply, and exceed, the requirements of current applicable data protection standards,” the spokesperson said. The company also issued this statement following the report.


The spokesperson also gave assurances that no sensitive personally identifiable user information or password vault activity can pass through the trackers, adding that the trackers only collect aggregated statistical data about the app’s use, which is then used for optimizing and improving LastPass. It should be noted, however, that some of these trackers are found in several other widely used password managers, too.

Now, while the report may be disconcerting for privacy-minded users, it shouldn’t detract from the benefits of using a password manager, which include helping users avoid common password creation mistakes. Users looking to double down on their security can choose from a variety of both free and paid solutions, with some even being directly integrated into full-featured security solutions. On that note, adding an extra layer of security in the form of multi-factor authentication is also a desirable option.