LastPass Android app has some sneaky tracking software hidden away

LastPass
(Image credit: Future)
Audio player loading…

Keeping track of all the passwords we use daily to access our online accounts and services can be difficult which is why password managers (opens in new tab) such as LastPass (opens in new tab) are becoming increasingly popular among both businesses and consumers.

However, a German security researcher named Mike Kuketz is now advising users to avoid using LastPass' Android app due to the fact that it contains seven embedded trackers. While the company says that users can opt out of these trackers, their very existence could induce risks to such a security-critical application.

According to a new report (opens in new tab) from the non-profit organization Exodus, of the trackers found in the LastPass Android app, four are from Google for analytics and crash reporting while the others are from AppsFlyer, MixPanel and Segment. Segment is particularly concerning because the company gathers data for marketing teams to profile users and connect their activity across different platforms to serve targeted ads (opens in new tab).

In his investigation, Kuketz also looked into what data is transmitted by LastPass' Android app by inspecting the network traffic to discover that it sends details about the device being used, the mobile operator, the type of LastPass account and the Google Advertising ID (opens in new tab) which is able to connect data about a user across different apps.

Tracking in password managers

LastPass wasn't the only password manager examined in Exodus' report and the firm found that 1Password (opens in new tab) and KeePass (opens in new tab) contain no trackers while the open source Bitwarden (opens in new tab) has one for Google Firebase analytical and one for Microsoft Visual Studio crash reporting and Dashlane (opens in new tab) has four trackers.

Password managers are the simplest and most efficient way for people to avoid reusing the same password across multiple sites and services since many contain password generators (opens in new tab) which can create strong, complex and unique passwords with the tap of a button.

In a statement (opens in new tab) to The Register, a spokesperson from LastPass explained that the company uses trackers to improve its own service and that no identifiable user data could be passed on through them, saying:

"No sensitive personally identifiable user data or vault activity could be passed through these trackers. These trackers collect limited aggregated statistical data about how you use LastPass which is used to help us improve and optimize the product. All LastPass users, regardless of browser or device, are given the option to opt-out of these analytics in their LastPass Privacy Settings, located in their account here: Account Settings > Show Advanced Settings > Privacy. We are continuously reviewing our existing processes and working to make them better to comply, and exceed, the requirements of current applicable data protection standards."

Regardless of whether you choose LastPass or a different password manager, investing in such a service can be an excellent way to improve your security posture and avoid falling victim to identity theft (opens in new tab).

Via The Register (opens in new tab)

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.