Password manager LastPass collects potentially large amounts of data about its users via its Android app. According to a security researcher, the company has implemented as many as seven so-called trackers in its app.
- LastPass cannot see exactly what data trackers can collect
- Does not ask for permission when contacting tracker servers
- LastPass promises that no privacy-sensitive data is saved
- Competitors do not have as many trackers (some none at all!)
A tracker is used to track users and store different types of data about how individuals use apps and their mobile phones. Normally there is nothing strange about this; we, for example, use Google Analytics to know which articles have the most visitors.
What makes this a little sensitive in LastPass's case is that the company handles extremely personal data, such as passwords, usernames and debit card information.
Even worse for LastPass, even if the data collected is not privacy-sensitive, is that competitors do not have as many trackers (or any at all) in their apps. Ouch.
Here is the full list of trackers that LastPass uses in its Android app:
- AppsFlyer
- Google Analytics
- Google Crashlytics
- Google Firebase Analytics
- Google Tag Manager
- MixPanel
- Segment
The list comes from security researcher Mike Kuketz. He has investigated which trackers they are, what data they collect and how the process works.
What Mike Kuketz noted is, among other things, that the LastPass app contacts all seven tracker servers WITHOUT first asking the user for permission to access the network.
There are no indications that any tracker identifies usernames and passwords in order to save them. However, the app can store information about when passwords are created and what type of password it is.
The problem? LastPass cannot possibly know exactly what data several of these trackers collect, because many of them use proprietary code that LastPass does not have access to, which opens the door to serious security problems.
Even worse for LastPass is that not all major competitors have anywhere near the same number of trackers.
A spokesperson for LastPass tells the website The Register that “… No sensitive personally identifiable user data or vault activity could be passed through these trackers.” It is also possible to turn off all trackers via the settings, although we absolutely think this should be opt-in rather than opt-out in this case.