Published on March 1st, 2021
LastPass found to have seven trackers inside its Android Application
LastPass is in the news for the change to its free tier that restricts free users to a single device type. That caused a stir, with users jumping ship to similar password managers such as Bitwarden, which offer comparable features without the one-device limit on the free tier. I tried Bitwarden and it’s good, but it is still difficult for many users to leave LastPass. Well, the motivation got a little higher today: the password manager has been found to ship seven trackers, active by default for every user. The trackers were found in the Android application only, not in the LastPass browser extension.
Should I be that worried about a tracker present inside LastPass?
Trackers are common in mobile applications, Android ones in particular, and they do serve useful purposes such as crash reporting and usage analytics. They are not, however, necessary for every application, and when it comes to a password manager I see no sense in including profiling and advertising trackers. It looks as though the company wants to turn the user behaviour patterns it accumulates over time into revenue.
Look at it this way. Google, and its parent Alphabet, is one of the largest collectors of user data in the world. Including Google SDKs for analytics and crash reporting is common when you build an Android application and need to know what errors your users hit. But adding product-analytics trackers like Mixpanel and Segment on top of that is not necessary. These trackers ship as SDKs that are compiled into the app, so even the app’s own developers often do not know exactly what the SDK does inside the application or what it sends out. Bundling such third-party code, with its own network access, into a password manager widens the attack surface of a product whose whole job is to keep secrets.
The finding comes from the German security researcher Mike Kuketz, who examined the LastPass Android application and watched its network traffic. The tracker SDKs were transmitting the device make and model, the mobile carrier, the type of LastPass account, and the Google Advertising ID. They also reported events such as when a new password was created and what type of password it was. All of this happened beneath the surface of the application, with no visible option for users to opt out of the data collection.
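Kuketz’s evidence came from watching the app’s traffic. A cheaper first check, and the way tracker databases such as Exodus Privacy classify apps, is to look for the SDKs’ package names inside the APK’s DEX files, since an APK is just a zip archive and every class a DEX file references appears in its string table as a type descriptor. The Python script below is an example added for this article; it is not code from the article, from LastPass, or from Exodus. It scans a constructed in-memory stand-in for an APK, and the signature table, the package prefixes and the split into “profiling” and “diagnostics” SDKs are illustrative assumptions, not the Exodus signature list.

```python
"""Added example: scan an Android APK for third-party tracker SDKs by
class-name signature (the approach Exodus-style tracker databases use).

An APK is a zip file; compiled code lives in classes.dex, classes2.dex, ...
and every referenced class shows up in the DEX string table as a type
descriptor such as "Lcom/mixpanel/android/mpmetrics/MixpanelAPI;".
SDK package names often survive R8/ProGuard because SDKs ship their own
keep rules, so a plain substring search over the DEX bytes is a cheap,
offline first check. A miss is not proof of absence; a hit tells you the
SDK is present, not what it sends, which is what a traffic capture shows.
"""
import io
import re
import sys
import zipfile
from typing import Dict, List

# Illustrative signature table (an assumption for this example, not the
# Exodus list): tracker name -> package prefix as it appears in DEX type
# descriptors.
TRACKER_SIGNATURES: Dict[str, bytes] = {
    "Mixpanel": b"Lcom/mixpanel/android/",
    "Segment": b"Lcom/segment/analytics/",
    "Google Firebase Analytics": b"Lcom/google/firebase/analytics/",
    "Google Crashlytics": b"Lcom/google/firebase/crashlytics/",
    "AppsFlyer": b"Lcom/appsflyer/",
}
# Product-analytics / profiling SDKs, as opposed to crash reporting: the
# distinction the article draws. Illustrative classification.
PROFILING = {"Mixpanel", "Segment", "AppsFlyer"}

DEX_NAME = re.compile(r"classes\d*\.dex")


def find_trackers(apk_bytes: bytes) -> Dict[str, List[str]]:
    """Return {tracker: [dex files containing its signature]} for an APK image."""
    hits: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not DEX_NAME.fullmatch(name):
                continue
            dex = apk.read(name)
            for tracker, prefix in TRACKER_SIGNATURES.items():
                if prefix in dex:
                    hits.setdefault(tracker, []).append(name)
    return hits


def classify(hits: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Split detected trackers into profiling SDKs and diagnostics SDKs."""
    return {
        "profiling": sorted(t for t in hits if t in PROFILING),
        "diagnostics": sorted(t for t in hits if t not in PROFILING),
    }


def build_sample_apk(with_trackers: bool = True) -> bytes:
    """Constructed stand-in for an APK (not a real app): a zip holding fake
    DEX files whose bodies carry type descriptors like a real string table."""
    own = b"Lcom/example/vault/MainActivity;\0Lcom/example/vault/Crypto;\0"
    tracker1 = b"Lcom/mixpanel/android/mpmetrics/MixpanelAPI;\0" if with_trackers else b""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0" + own + tracker1)
        if with_trackers:
            z.writestr("classes2.dex", b"dex\n035\0"
                       b"Lcom/segment/analytics/Analytics;\0"
                       b"Lcom/google/firebase/analytics/FirebaseAnalytics;\0")
    return buf.getvalue()


def main(argv: List[str]) -> int:
    # Scan a real APK if a path is given, otherwise the constructed sample.
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            apk = f.read()
    else:
        apk = build_sample_apk()
    hits = find_trackers(apk)
    for tracker, files in hits.items():
        print(f"{tracker:28s} in {', '.join(files)}")
    print("profiling SDKs:", classify(hits)["profiling"])
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan.py app.apk` against a real APK pulled from a device with `adb pull`; with no argument it scans the constructed sample. Treat the result as a screening step: the signature scan tells you which SDKs are compiled in, and the traffic capture Kuketz did tells you what they actually send, so the two checks complement each other.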
LastPass is clearly no longer interested in being the simple password manager it once was. As a brand grows, the temptation to monetise user data for advertising grows with it, and for a password manager that amounts to deceiving its users. I certainly wouldn’t want any of the advertising giants to know which websites I visit and when I did so, let alone to serve me ads based on it. Profiling of users is becoming an inescapable issue and needs to be countered strategically by users themselves.
A LastPass spokesperson was contacted for a statement about the trackers in the application. The spokesperson, like every other front-line PR warrior, issued a statement that puts the responsibility on the users. The statement: “No sensitive personally identifiable user data or vault activity could be passed through these trackers. These trackers collect limited aggregated statistical data about how you use LastPass which is used to help us improve and optimize the product.”
“All LastPass users, regardless of browser or device, are given the option to opt-out of these analytics in their LastPass Privacy Settings, located in their account here: Account Settings > Show Advanced Settings > Privacy. We are continuously reviewing our existing processes and working to make them better to comply, and exceed, the requirements of current applicable data protection standards.”
Exodus Privacy’s reports show that a password manager does not need trackers such as Mixpanel and Segment: 1Password and KeePass, for example, ship with zero trackers in their applications. I hope LastPass learns a thing or two from them and removes the profiling and advertising trackers from its apps. In the meantime you can disable the analytics by following the steps given by the LastPass spokesperson. Note that this is an in-app setting: it does not remove the SDKs from the application, so it is only as good as LastPass’s implementation of the opt-out.