LastPass for Android Is Using Seven Trackers and Several Risky Permissions

  • Researchers discovered that LastPass for Android requests 36 permissions and uses seven trackers.
  • LastPass responds that users may disable the trackers through the app's privacy settings.
  • This comes at an already transitional point for LastPass, and it doesn’t help in converting free users to paying subscribers.

German researchers on the Kuketz IT-Security team have discovered that the LastPass app for Android, currently installed on about ten million devices, contains seven trackers and requests 36 permissions, including permissions to record audio, get the accounts list, access fine location, and read and write external storage.

That doesn’t sound very good for a password manager, and the discovery comes at a pivotal moment for the product. Currently, a large number of LastPass users who were enjoying the free tier are jumping to other platforms, so the news about privacy-risking trackers will only accelerate this.

The trackers that were found to be active in the app are the following:

  • Google Firebase Analytics (firebaseinstallations.googleapis.com)
  • Segment (cdn-settings.segment.com)
  • Google CrashLytics (firebase-settings.crashlytics.com)
  • AppsFlyer (inapps.appsflyer.com)
  • Mixpanel (api.mixpanel.com)
  • Google Analytics (ssl.google-analytics.com)
  • Google Tag Manager

In general, the above have no place in a password management app, and the only possible explanation for their existence is to monetize memberships. For the free tier, that’s understandable to the point of being expected, but there’s no distinction between free and paid members. The app treats both categories the same, activating all trackers, even for those who pay for the "Premium" tier.

As the researchers comment, in the vast majority of deployments of these advertising and analytics modules, the apps don’t even know which data is collected and transmitted to the various third-party providers, who these entities are, how many of them there are, or what they are using the user data for. LastPass exposes its user base to unnecessary privacy invasion, and we’re phrasing that very lightly here.

The Kuketz team doubles down on our suggestion of KeePass, an open-source password manager that doesn’t use any tracking code in its Android or desktop apps. The researchers also confirm that they tested 1Password and found no trackers in it either.

LastPass didn’t remain silent in the face of these revelations. A spokesperson told The Register that users can opt out of these analytics by changing the settings in the app. If you want to do that, go to Account Settings > Show Advanced Settings > Privacy.

While giving a choice to disable trackers is good, having them active by default and even for paying users is still very bad no matter how we approach this. Also, the 36 permissions (eight of which are classified as “dangerous”) aren’t configurable through the settings and remain a crucially problematic area.
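
To check on a test device whether the opt-out actually stops lookups of the tracker hosts listed above, the following added example (not code from the researchers or from LastPass) audits a DNS query log split at the moment the privacy setting was changed. The log format, the sample lines, the toggle time and the function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Hosts exactly as listed in the article; it gives no host for Google Tag Manager.
TRACKER_HOSTS = {
    "firebaseinstallations.googleapis.com": "Google Firebase Analytics",
    "cdn-settings.segment.com": "Segment",
    "firebase-settings.crashlytics.com": "Google CrashLytics",
    "inapps.appsflyer.com": "AppsFlyer",
    "api.mixpanel.com": "Mixpanel",
    "ssl.google-analytics.com": "Google Analytics",
}
# Constructed sample (not a measurement of the app): "<ISO time> <queried name>".
SAMPLE_LOG = """\
2024-01-01T10:00:01 firebaseinstallations.googleapis.com.
2024-01-01T10:00:02 API.Mixpanel.com
2024-01-01T10:00:04 lastpass.com
2024-01-01T10:00:05 api.mixpanel.com.example.net
malformed line here
2024-01-01T10:05:10 firebase-settings.crashlytics.com
2024-01-01T10:05:12 api.mixpanel.com
"""
OPT_OUT_AT = datetime.fromisoformat("2024-01-01T10:05:00")  # assumed toggle time

def match_tracker(name):
    """Return the tracker for a listed host or any subdomain of it, else None."""
    host = name.strip().rstrip(".").lower()  # DNS names: case-insensitive, optional root dot
    for listed, tracker in TRACKER_HOSTS.items():
        if host == listed or host.endswith("." + listed):
            return tracker
    return None

def audit(log_text, opt_out_at):
    """Count tracker lookups per vendor before and after the opt-out moment."""
    counts = defaultdict(lambda: {"before": 0, "after": 0})
    for line in log_text.splitlines():
        parts = line.split()
        try:
            seen = datetime.fromisoformat(parts[0]) if len(parts) == 2 else None
        except ValueError:
            seen = None  # timestamp did not parse; skip the line
        tracker = match_tracker(parts[1]) if seen else None
        if tracker:
            counts[tracker]["after" if seen >= opt_out_at else "before"] += 1
    return dict(counts)

def still_active(counts):
    """Trackers that were looked up at least once after opting out."""
    return sorted(t for t, c in counts.items() if c["after"] > 0)
```

A DNS lookup only shows that the app resolved a tracker host, not what data was sent, so a non-empty `still_active` result is a prompt to inspect the traffic itself.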
