Seven trackers and eight suspicious permissions were found in LastPass, a password management application with more than 10 million downloads on the Google Play Store.
The trackers were found by German security researcher Mike Kuketz using Exodus Privacy, a privacy audit platform for Android apps. According to the researcher, as soon as LastPass starts on Android, it immediately communicates with the trackers and begins sending metadata.
Trackers are software that collect usage and behavior data to optimize targeted ads, individually, for each user. The permissions are actions and data that the application is authorized to collect or access from its user and serve the same purpose as trackers.
According to the researcher, LastPass is an application that processes extremely sensitive data, such as passwords. The presence of seven trackers, in addition to 36 permissions covering user actions and data collection, “is an accusation and is completely out of the question”.
The Exodus Privacy platform detected seven trackers, four of which are from Google. They are:
- Google Analytics
- Google CrashLytics
- Google Firebase Analytics
- Google Tag Manager
There are 36 permissions in total, eight of which were classified as “dangerous” by Exodus Privacy. The permissions allow the app to: access location, Wi-Fi and connectivity information, accessibility services, accounts, Near Field Communication (NFC), internally stored files and phone status; record audio; run at startup; collect credentials; modify internally stored files; and collect the IP address, screen resolution, time zone, Google Advertising ID, and network and internet provider information, among others.
“No proprietary and intransparent third-party code can be integrated into applications where sensitive data is processed. The data that these trackers collect and transmit to third-party providers is sometimes not even known to the developers of the application”, writes Mike in a post on his blog Kuketz IT-Security.
It is important to remember that some of these permissions are granted by default, that is, the app does not ask the user whether they agree to grant it access to certain data.
According to Exodus Privacy, most password management applications have between 1 and 2 trackers. However, several options are available without a tracker, such as 1Password, SFR Password and Password Bank. On the Exodus list, LastPass is the only one with seven trackers.
In a press release, LastPass says that it allows its users to disable the trackers in the application settings.
“We are continually reviewing our existing processes and working to make them better at meeting and exceeding the requirements of applicable data protection standards,” concludes a LastPass spokesman.
See the original post at: https://thehack.com.br/sete-rastreadores-foram-encontrados-no-app-de-gestao-de-senhas-lastpass/?rand=48873