
Security researcher raises questions about trackers in LastPass Android app

A security researcher has detailed seven trackers inside the popular password manager LastPass that the company itself or other advertisers can use to create targeted ads for users of the app.

German security researcher Mike Kuketz has uncovered seven trackers within the LastPass Android app, a password manager that has over 10 million installations in the Google Play Store alone.

The trackers involved were:

  • AppsFlyer
  • Google Analytics
  • Google CrashLytics
  • Google Firebase Analytics
  • Google Tag Manager
  • Mixpanel
  • Segment

Trackers have come to be expected in certain apps — namely social media and online shopping outlets. The researcher notes, however, that including trackers in a password vault app seems insidious.

Kuketz points out that immediately after launching LastPass on Android, six of the seven trackers activate before the user even interacts with the app. He also notes that at no point is the user asked whether they agree to have their data transmitted to the third-party providers.

During his test, Kuketz uncovered that the app tracks what device the user is using, whether the app is being used for free or under a subscription, and if the user prefers to utilize a biometric lock.

LastPass' Android version also continues to track users while they use the app. While the trackers may not receive sensitive content, such as the passwords themselves, they track nearly everything else.

Data tracked includes when a password has been created, what kind of account the user is creating (such as a social media profile versus a bank or credit card account), the user's IP address, the user's current location, and more. There is no way to object to this tracking or opt out of it, either — a user would need to uninstall the app to prevent further tracking.

In a follow-up post, Kuketz shared a reader's interaction with LastPass support, who vehemently denied — twice — that the app had any trackers at all.

While no trackers have been confirmed in the iOS or macOS versions of LastPass, a quick glance at the iOS beta's App Privacy "nutrition label" hints that it isn't out of the realm of possibility, either.

[Image: App Privacy "nutrition label" for the LastPass iOS beta]

Specifically, the LastPass iOS app tracks users' location, usage data, contact info, and some user content, all of which could be collated and sold to advertisers who then could use the information to target users with ads.

The Register points out that LastPass isn't the only password manager that has trackers, either. Bitwarden and Dashlane both contain trackers, two and four, respectively. However, LastPass rival 1Password and open-source KeePass do not feature trackers at all.

A LastPass spokesperson acknowledged to The Register that while the trackers exist, no personally identifiable user data or password activity is passed through the trackers. They claimed that the trackers only collect limited aggregated statistical data that is used to improve the product.

The information comes at a particularly unfortunate time, as LastPass recently introduced limits on free-tier accounts, restricting them to either computers or mobile devices. Additionally, email support is ending for free service members after March 17. Many users have threatened to leave the service after the change.

22 Comments

beowulfschmidt 12 Years · 2364 comments

And my friend is so proud of the fact that he never has to remember a password on any of his devices, and continually mocks me because I don't use this "great" software.

22july2013 11 Years · 3736 comments

A security researcher has detailed seven trackers inside popular password manager LastPass, that the company itself or other advertisers can utilize to create targeted ads for users of the app.
...

Specifically, the LastPass iOS app tracks users location, usage data, contact info, and some user content, which all could be collated and sold to advertisers who then could use the information to target users with ads.

A LastPass spokesperson acknowledged to The Register that while the trackers exist, no personally identifiable user data or password activity is passed through the trackers.

The article quotes LastPass as saying "no personally identifiable user data or password activity is passed through the trackers" yet I see a few reasons to disbelieve that:

1. The App Privacy panel actually says "Identifiers". If that doesn't mean "personally identifiable user data", then what does?
2. The App Privacy panel includes "Location" which is extremely specific and is nearly the same thing as "personal identifiable user data" especially when it can be cross referenced with other data, which is probably an easy thing for companies like Facebook to do.

Why did the article not include "user content" when it listed "users location, usage data, contact info, and some user content"? And why did it insert the word "some" before "user content" when that word isn't in the App Privacy label?

I wish Apple had broken down some of its data categories. For example, the Location category as it stands could mean your location down to the last two feet, while I might be willing to buy some apps if the only location data they obtained from me was my "country".

bonobob 13 Years · 395 comments

However, LastPass rival 1Password and open-source KeePass do not feature trackers at all.

1Password has the exact same list of personal info collected as does LastPass, per the privacy nutrition label. So I guess they are tracking their users' product without using trackers. Okay then, that makes it better.

pujones1 12 Years · 222 comments

Wow. I like 1Password but I don't use it much anymore. Time to use only Keychain.

22july2013 11 Years · 3736 comments

On iOS, I don't see why people feel the need to use password managers at all since iOS directly supports automatic password storage.

https://developer.apple.com/documentation/security/password_autofill/ <--
Password AutoFill simplifies login and account creation tasks for iOS apps and webpages. With just a few taps, your users can create and save new passwords or log in to an existing account. Users don’t even need to know their password; the system handles everything.