Keeping track of all the passwords we use daily to access our accounts and online services can be difficult, so password managers such as LastPass are becoming increasingly popular with businesses and consumers.
However, a German security researcher named Mike Kuketz is now advising users to avoid the LastPass app for Android because it contains seven built-in trackers. Although the company says that users can opt out of these trackers, their very existence can lead to risks for this security-critical application.
According to a new report from the non-profit organization Exodus, of the trackers found in the LastPass app for Android, four are from Google for analytics and crash reporting, while the others are from AppsFlyer, MixPanel and Segment. Segment is of particular concern because the company gathers data for marketing teams to profile users and connect their activities on different platforms to serve targeted ads.
In his investigation, Kuketz also analyzed what data is transmitted by the LastPass app for Android. Inspecting its network traffic, he found that it sends details about the device being used, the mobile operator, the LastPass account type and the Google advertising ID, which can link data about a user across different applications.
Password manager tracking
LastPass was not the only password manager examined in the Exodus report. It found that 1Password and KeePass contain no trackers, while open source Bitwarden has one for Google Firebase analytics and one for Microsoft Visual Studio crash reports, and Dashlane has four trackers.
Password managers are the simplest and most efficient way for people to avoid reusing the same password across multiple sites and services, as many contain password generators that can create strong, complex and unique passwords at the touch of a button.
Speaking to The Register, a LastPass spokesman explained that the company uses trackers to improve its own service and that no identifiable user data can be transmitted through them, saying:
“No sensitive user data or vault activity can be passed through these trackers. These trackers collect limited aggregate statistical data about how you use LastPass, which is used to help us improve and optimize the product. All users of LastPass, regardless of browser or device, have the option to cancel these reviews in their LastPass Privacy Settings, located in their accounts here: Account Settings > Show Advanced Settings > Privacy. We are continually reviewing our existing processes and working to make them better to meet, and exceed, the requirements of current applicable data protection standards.”
Regardless of whether you choose LastPass or a different password manager, investing in such a service can be an excellent way to improve your security posture and avoid falling victim to identity theft.
Via The Register