More bad news for LastPass users. A security researcher analyzed the LastPass app for Android and discovered it contains seven different embedded trackers. The Register first reported that Mike Kuketz used tools from Exodus Privacy to find the trackers in the app. What’s more, previous versions of the app contained 11 embedded trackers, several of them from Facebook.
Update: The LastPass app for iOS has the same marketing trackers. LastPass sent us an official comment regarding trackers, too. More on that below.
LastPass Third Party Trackers
Exodus Privacy is a non-profit organization led by “hacktivists” with the purpose of helping Android users get a better understanding of app tracking issues. The Exodus Report found the following seven embedded trackers in LastPass for Android:
- Google Analytics
- Google CrashLytics
- Google Firebase Analytics
- Google Tag Manager
- AppsFlyer
- Mixpanel
- Segment
Four of the trackers are Google’s and serve crash reporting and app usage analytics; they also transmit your Google Advertising ID. The others, Segment, AppsFlyer, and Mixpanel, are designed for profiling users and marketing to them across different platforms. Simply put, they build a digital profile of each user and target ads based on that user’s behavior and interests.
While the trackers were embedded, there was no guarantee they were phoning home. But Kuketz continued his research with network monitoring and discovered the app reached out to nearly all of the trackers’ servers without asking user permission first.
This is how trackers for most free apps work and how companies and other app devs are able to monetize the product. This may sound reasonable for a free game like Angry Birds (or whatever app is hot these days). Or even for users of the free version of LastPass. After all, the company needs to make money in some way. But since the trackers are embedded in the app, even Premium LastPass users are being tracked and their behaviors monetized.
It’s important to note that trackers don’t transfer any username or password data. But they do seem to know when you create a password and what type. The information revealed to the tracker companies can include your device type, Android version, cellular carrier, type of LastPass account (free or paid), and your Google Advertising ID.
There Used to Be More
What is even more concerning is that previous versions of the app contained 11 trackers. An Exodus audit from 2019 of LastPass version 4.11.4576 shows trackers from Facebook, Google, and others. You can view that report here.
So, it looks like over the past couple of years the app has ditched the Facebook trackers and is now down to just seven.
LastPass’s Awkward Response
A LastPass spokesperson told The Register: “No sensitive personally identifiable user data or vault activity could be passed through these trackers. These trackers collect limited aggregated statistical data about how you use LastPass which is used to help us improve and optimize the product.”
The spokesperson went on to say: “All LastPass users, regardless of browser or device, are given the option to opt-out of these analytics in their LastPass Privacy Settings, located in their account here: Account Settings > Show Advanced Settings > Privacy.”
However, I tried to go to that location in the app and found nowhere to opt out. I scoured the LastPass app settings and I wasn’t able to find anywhere to opt out.
I then went to my computer and used the extension to log into my Vault. There I found a location in Account Settings > Show Advanced Settings > Privacy. I was able to uncheck the “Track History” and “Help Improve LastPass” options.
This, however, doesn’t opt you out of third-party trackers while using the app. Also, I was not able to find an opt-out section on the iOS app either.
LastPass is Not Alone
Now to be fair, it is important to note that LastPass isn’t the only password manager that is using embedded trackers in its apps. According to Exodus Privacy, other password managers with trackers include:
- Bitwarden has two trackers
- MYKI has two trackers
- LogMeOnce has three trackers
- Dashlane has four trackers
- RoboForm has four trackers
- NordPass has four trackers
Not all the trackers are equally creepy. Bitwarden’s, for example, appear harmless: they are only for app crash analytics, and Bitwarden doesn’t include AppsFlyer, Mixpanel, or Segment, which are used for marketing. NordPass, on the other hand, has AppsFlyer baked in.
The best appears to be the open-source KeePass, with zero trackers. And among subscription services, the winner is 1Password, which doesn’t include any trackers in its Android app either. Of course, it has always been a paid service and never offered a free tier.
Do Your Own App Audit
You can find these embedded app trackers for yourself by installing the Exodus Privacy tool for Android and running it on your phone. I ran it on an old OnePlus 6T with the LastPass app installed.
This tool is a good way to find out which other installed apps on your Android phone are tracking your online behavior.
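If you would rather see what the Exodus tool is doing under the hood, or scan an APK you pulled off a device (adb pull) from a laptop, the following script reproduces the core idea: Exodus reports a tracker when the app’s Dalvik bytecode (classes.dex) contains classes from that tracker’s SDK package. This is an added example written for this article, not Exodus Privacy’s own code or the LastPass app’s; the package prefixes in the signature table are assumptions chosen for illustration (the SDK package names commonly associated with each vendor), not Exodus’s official signature list, and the sample APK it builds is a constructed stand-in containing fake dex blobs rather than real bytecode.

```python
"""Lightweight static tracker scan of an Android APK, in the spirit of
Exodus Privacy. Added example, not Exodus Privacy's own code.

Approach: unzip the APK, pull every Dalvik type descriptor string
(Lcom/example/Foo;) out of each classes*.dex with a regex over the raw
bytes (no full dex parser needed), then match the class names against a
table of SDK package prefixes.
"""
import io
import re
import zipfile

# ASSUMED signature table for illustration: tracker -> Java package prefixes
# whose presence in the dex indicates that SDK is compiled into the app.
TRACKER_SIGNATURES = {
    "Google Analytics": ["com/google/android/gms/analytics/"],
    "Google CrashLytics": ["com/crashlytics/", "com/google/firebase/crashlytics/"],
    "Google Firebase Analytics": ["com/google/firebase/analytics/"],
    "Google Tag Manager": ["com/google/tagmanager/", "com/google/android/gms/tagmanager/"],
    "AppsFlyer": ["com/appsflyer/"],
    "Mixpanel": ["com/mixpanel/android/"],
    "Segment": ["com/segment/analytics/"],
}

# Dalvik type descriptors in the dex string pool look like Lpkg/sub/Class;
_TYPE_DESCRIPTOR = re.compile(rb"L([A-Za-z_$][\w$/]*);")


def class_names_from_dex(dex_bytes: bytes) -> set:
    """Return the set of class names ('/'-separated) referenced in a dex blob."""
    return {m.group(1).decode("ascii") for m in _TYPE_DESCRIPTOR.finditer(dex_bytes)}


def match_trackers(class_names) -> dict:
    """Map each detected tracker to the sorted list of classes that matched it."""
    hits = {}
    for tracker, prefixes in TRACKER_SIGNATURES.items():
        matched = sorted(c for c in class_names if any(c.startswith(p) for p in prefixes))
        if matched:
            hits[tracker] = matched
    return hits


def scan_apk(apk) -> dict:
    """Scan an APK (path or file-like object); return {tracker: [classes]}.

    Multidex apps ship classes.dex, classes2.dex, ... so every matching
    zip entry is scanned and the class sets merged before matching.
    """
    classes = set()
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                classes |= class_names_from_dex(zf.read(name))
    return match_trackers(classes)


def build_sample_apk() -> io.BytesIO:
    """Constructed stand-in for a real APK: a zip holding fake dex blobs whose
    string pools mention a few type descriptors. Not real bytecode."""
    dex1 = (b"dex\n035\0" + b"\0" * 16
            + b"Lcom/lastpass/lpandroid/MainActivity;\0"
            + b"Lcom/appsflyer/AppsFlyerLib;\0"
            + b"Lcom/segment/analytics/Analytics;\0"
            + b"Ljava/lang/Object;\0")
    dex2 = (b"dex\n035\0" + b"\0" * 16
            + b"Lcom/mixpanel/android/mpmetrics/MixpanelAPI;\0"
            + b"Lcom/google/firebase/analytics/FirebaseAnalytics;\0"
            + b"Lcom/google/android/gms/analytics/Tracker;\0")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        zf.writestr("classes.dex", dex1)
        zf.writestr("classes2.dex", dex2)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys
    # Usage: python scan.py some.apk  (falls back to the constructed sample)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_apk()
    for tracker, classes in scan_apk(target).items():
        print(f"{tracker}: {', '.join(classes)}")
```

Two caveats a practitioner should keep in mind. A hit only proves the SDK is compiled in, not that it is sending anything; confirming that takes the network monitoring step Kuketz did. And an SDK whose package names were renamed by an obfuscator will be missed by prefix matching, which is the same blind spot a signature-based tool like Exodus has.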
What About iOS? (Update: It Has Trackers Too)
The iOS app has trackers, too. Apple keeps its mobile OS tightly controlled and there is no Exodus Privacy tool for it. However, you can find some vague information about potential tracking issues if you read the iOS app’s so-called privacy “nutrition” label.
Upon further investigation, I found that the iOS app contains the same marketing trackers. I used the Privacy Pro tool from Disconnect. It detects and blocks trackers from all of your installed apps. I launched the LastPass app on my iPhone and then inspected the Privacy Pro “Stats & activity logs” section.
It found and blocked the marketing trackers — Segment, AppsFlyer, and Mixpanel.
LastPass’s Official Statement on Trackers
Update: I reached out to LastPass for a comment about these trackers and they sent me the following statement:
As the best password manager in the market, our commitment to the privacy and security of our millions of users is always a top priority at LastPass. That’s why we designed LastPass with a patented zero-knowledge security model to protect sensitive customer data. No sensitive personally identifiable user data is passed through these trackers. These trackers are industry standard mobile analytics tools and are used for a limited purpose – to collect aggregated statistical data about how LastPass is used to help us improve and optimize the product to deliver the best user experience. We are continuously reviewing our existing processes to ensure we are prioritizing our customer’s privacy and security. For more information on our commitment to privacy and user experience, please read our blog post.
The reason why LastPass (which is owned by LogMeIn) includes far more trackers than other password managers isn’t clear. Of course, one has to look at it cynically and assume the company just wants to make money however it can. Even if you are paying for the Premium version at $36/year, the trackers are there.
After his research, Kuketz’s advice is not to use LastPass. This is because, in his opinion, the presence of trackers demonstrates a suboptimal attitude to security.
This news comes on the heels of LastPass free users being upset about device restrictions coming on March 16th. Free users must choose either mobile or desktop to view and manage passwords. Free users are also losing email support. Using a password manager is essential for best internet security practices. Luckily, there are alternatives to LastPass. You might want to move from LastPass to Bitwarden or a paid service like 1Password.
No matter which service you move to make sure you export your LastPass Password Vault first. Then after your passwords are safely imported to your new service you can go ahead and delete your LastPass account.
This article will be updated with any new developments.