- Researchers discovered that LastPass for Android requests 36 permissions and uses seven trackers.
- LastPass responds that users can disable the trackers through the app's privacy settings.
- The news arrives at an already transitional point for LastPass and won't help it convert free users into paying subscribers.
German researchers of the Kuketz IT-Security team have discovered that the LastPass app for Android, currently installed on about ten million devices, contains seven trackers and requests 36 permissions, including recording audio, reading the accounts list, accessing fine location, and reading and writing external storage.
That doesn't sound very good for a password manager, and the discovery comes at a pivotal moment for the product. A large number of LastPass users who were on the free tier are already jumping to other platforms, and news of privacy-risking trackers will only accelerate that.
The trackers that were found to be active in the app are the following:
- Google Firebase Analytics (firebaseinstallations.googleapis.com)
- Segment (cdn-settings.segment.com)
- Google CrashLytics (firebase-settings.crashlytics.com)
- AppsFlyer (inapps.appsflyer.com)
- Mixpanel (api.mixpanel.com)
- Google Analytics (ssl.google-analytics.com)
- Google Tag Manager
In general, the above have no place in a password management app, and the only possible explanation for their presence is to monetize memberships. For the free tier, that's understandable to the point of being expected, but there's no distinction between free and paid members: the app treats both categories the same and activates all trackers, even for those who pay for the "Premium" tier.
As the researchers comment, in the vast majority of deployments of these advertising and analytics modules, the app developers themselves don't even know which data is collected and transmitted to third-party providers, who those entities are, how many there are, or what they use the user data for. LastPass exposes its userbase to unnecessary privacy risk, and we're phrasing that very lightly here.
The Kuketz team echoes our suggestion of KeePass, an open-source password manager that uses no tracking code in its Android or desktop apps. The researchers also confirm that they tested 1Password and found no trackers in it either.
LastPass didn't stay silent in the face of these revelations. A spokesperson told The Register that users can opt out of these analytics by changing the app's settings: go to Account Settings > Show Advanced Settings > Privacy.
While giving users a choice to disable the trackers is good, having them active by default, even for paying users, is still very bad however you look at it. Also, the 36 permissions (eight of which Android classifies as "dangerous") aren't configurable through the settings and remain a serious problem.
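To check for yourself which permissions an installed app actually requests, and how many of them fall into Android's "dangerous" (runtime) protection level, the following added example (not code from the article or from the Kuketz team) parses the `requested permissions:` section of `adb shell dumpsys package <package>` output. The dump embedded below is constructed for illustration, the package name in it is a placeholder, and the dangerous-permission set is a subset of the Android permission reference covering the permissions the article names.

```python
import subprocess
from typing import Dict, List, Optional

# Subset of permissions Android classifies as "dangerous" (runtime) per the
# Android permission reference; extend as needed.
DANGEROUS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.GET_ACCOUNTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
}

# Constructed sample of `adb shell dumpsys package <pkg>` output; placeholder package id.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.passwordmanager] (a1b2c3):
    requested permissions:
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
      android.permission.GET_ACCOUNTS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.WRITE_EXTERNAL_STORAGE
      android.permission.VIBRATE
    install permissions:
      android.permission.INTERNET: granted=true
"""

def requested_permissions(dump: str) -> List[str]:
    """Collect the entries under 'requested permissions:' using indentation to find the section end."""
    perms: List[str] = []
    header_indent: Optional[int] = None
    for line in dump.splitlines():
        indent = len(line) - len(line.lstrip())
        text = line.strip()
        if header_indent is None:
            if text == "requested permissions:":
                header_indent = indent
            continue
        if not text or indent <= header_indent:
            break  # next section reached
        perms.append(text.split(":")[0].split()[0])  # drop any trailing flags
    return perms

def audit(dump: str) -> Dict[str, List[str]]:
    """Split requested permissions into dangerous and other, preserving dump order."""
    perms = requested_permissions(dump)
    return {"dangerous": [p for p in perms if p in DANGEROUS],
            "other": [p for p in perms if p not in DANGEROUS]}

def audit_device(package: str) -> Dict[str, List[str]]:
    """Run the audit against a connected device via adb (requires adb on PATH)."""
    out = subprocess.run(["adb", "shell", "dumpsys", "package", package],
                         capture_output=True, text=True, check=True).stdout
    return audit(out)

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP))
```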