LastPass Android app tracks its users

[German]Users of the Android app LastPass (password manager) should consider removing it from their devices. German security researcher Mike Kuketz has found several trackers in the Android app that monitor devices and users.

What is LastPass?

LastPass  is a web-based password manager online service. It has been offered in a freemium model since 2008. It offers a web interface, numerous browser add-ons and its own apps for Android and iOS. LastPass can thus be used to store access data. On its website, the company advertises "Easy and secure access to all online resources, anywhere." It also promises free seamless access on all devices. The Android app LastPass from LogmeIn Inc. is offered free of charge in the Google Play Store and can look back on almost 200,000 downloads in the current version. The below mentioned Mike Kuketz states over 10 million installations.

The product is widely advertised by IT sites, so it should be in use by many users. However, every user should be aware of the risk here. Vulnerabilities have made it possible to steal access data in the past, and the user gets his hands on the access data in his app. So trust is a high commodity with something like this, unless you use the browsers' password management or paper and pencil or some other authentication method.

Android app with trackers

German security researcher Mike Kuketz  checked various password manager apps for Android for their security. He examined the Android app with Exodus Privacy for signatures of trackers and published his findings in this German blog post. He found seven trackers in the app.

• AppsFlyer
• Google Analytics
• Google CrashLytics
• Google Firebase Analytics
• Google Tag Manager
• MixPanel
• Segment

Kuketz writes that advertising and analytics trackers are a no go in a security app – a position we can certainly agree with. These trackers allow the developer to see what the user is up to. Kuketz then took a closer look at the app and analyzed the information that is sent over the network. He writes that all tracking providers are contacted immediately after the app is launched:

• Google Firebase Analytics (firebaseinstallations.googleapis.com)
• Segment (cdn-settings.segment.com)
• Google CrashLytics (firebase-settings.crashlytics.com)
• AppsFlyer (inapps.appsflyer.com)
• Mixpanel (api.mixpanel.com)
• Google Analytics (ssl.google-analytics.com)

There is no question about data transmission by the app, which would actually be required (the tracker probably does not provide for the query). Kutketz then picks out Mixpanel. The tracker transmits a number of characteristic data, from the Android version to the contractual relationship and whether the device has telephony features. In addition, the app wants a lot of permissions. According to Kuketz, the Google Advertising-ID of the device, information about the mobile carrier (operator "PureMobile") and also a uniquely generated UID is among the information transmitted. The details can be read on Kuketz's blog.

Mike`s conclusion: the app is likely to violate the GDPR and the trackers do not go at all in such a sensitive application. The Register, who picked up on this, write that 1Password and KeePass don't have this. And the discussion on the above topic comes at the wrong time, as I had a "there was something" going on in my head while writing this post. A few days ago LastPass had limited the free version of the app to use on one device, as you can read at The Register. Made many users switch to other password managers. The Register checked with the developer and got the answer from a LastPass spokesperson:

No sensitive, personally identifiable user data or vault activity can be shared through these trackers.  These trackers collect limited aggregate statistical data about how you use LastPass that helps us improve and optimize the product.

All LastPass users, regardless of browser or device, have the ability to opt-out of these analytics in their LastPass privacy settings, located in their account here: Account Settings > View Advanced Settings > Privacy. We continually review our existing processes and work to improve them to meet and exceed the requirements of currently applicable privacy standards.

It may possibly be true, but I wouldn't have a good feeling about such a mixed bag. Personally, I don't use password managers, but rely on other methods. What's your take on this?