LastPass Android app tracking users, says researcher [updated]

The Google Play app store page for the LastPass password manager on the screen of an Android phone.
(Image credit: Sharaf Maksumov/Shutterstock)

LastPass does more tracking of its mobile users than any other leading password manager, says a German security researcher. And these trackers can see a lot of what you're doing in the LastPass app.

Mike Kuketz wrote on his blog this past weekend that the current LastPass Android app contains seven trackers, as reported by online app-privacy analyzer Exodus.

By contrast, rival password manager Dashlane's Android app has four trackers, while Keeper and Bitwarden's have two each and 1Password's has zero. Presumably, iOS apps weren't examined.

Most of the seven LastPass trackers, including four very common Google ones, are for keeping tabs on performance and crashes. But at least three trackers — AppsFlyer, MixPanel and Segment — are designed to send user data to third parties, Kuketz said.

"For an app that processes extremely sensitive data (passwords), this is simply an indictment," reads the Google Translate version of Kuketz's blog post. "Advertising and analytics modules simply have no place in this — it is completely out of the question to integrate them into password manager apps."

(In the original, in case we got something wrong, that's "Für eine App, die äußerst sensible Daten (Passwörter) verarbeitet, ist das schlichtweg ein Armutszeugnis. Werbe- und Analytik-Module haben darin schlichtweg nichts verloren — es ist vollkommen indiskutabel, diese in Passwort-Manager-Apps zu integrieren.")

LastPass' statement

The Register, which earlier reported this story, reached out to LastPass.

"No sensitive personally identifiable user data or vault activity could be passed through these trackers," The Register said a LastPass spokesperson replied. "These trackers collect limited aggregated statistical data about how you use LastPass which is used to help us improve and optimize the product."

Phoning home with lots of data

Now, as The Register pointed out, LastPass has a lot of free users — though it's set to lose many of them next month due to policy changes — so you might think it's entitled to make at least a little money on them. 

Kuketz thinks the LastPass trackers, which even LastPass arguably may not know much about, sent out too much information regardless. He fired up the LastPass app and watched what the trackers transmitted back to home base. 

According to him, the MixPanel tracker sent out the device maker, Android version, model number, device ID, LastPass account type and whether the LastPass app had biometric login and autofill enabled. 

AppsFlyer, Kuketz said, sent out most of that plus the name of the cellular network operator, the Android ad ID and a mysterious user ID.

Some of that sounds OK, but it's been well established by other researchers that Android ad IDs can be used to physically track individuals geographically.

Watching what you do

Kuketz said he created a new account using the LastPass Android app, and the Segment tracker trasmitted a message ID, the time zone, the country of location, the device IP address, and what the LastPass app was doing — in this case, "onboarding password."

In other words, Kuketz argues, the trackers on the LastPass app can see where you are, which language you use, what kind of LastPass account you're using and what you're doing with the app, such as adding a new password or bank-account number. 

The trackers can't actually view the password or bank-account number you're entering, but it's still creepy to learn they're aware of the fields into which you're entering data.

"Extremely sensitive information such as access data, notes, bank accounts, etc. is stored in password managers," wrote Kuketz, according to Google Translate. "And even if the trackers do not receive any content data, they follow the user every step of the way when using LastPass."

(Auf Deutsch: "In Passwort-Managern werden (äußerst) sensible Informationen wie Zugangsdaten, Notizen, Bankkonten etc. hinterlegt. Und auch wenn die Tracker keine Inhaltsdaten erhalten, so verfolgen sie den Nutzer auf Schritt und Tritt bei der Nutzung von LastPass.")

It's worth noting that none of the four other password managers mentioned above seem to use AppsFlyer, MixPanel or Segment, according to Exodus. But Dashlane does use two others that seem to track user behavior, and Keeper uses one of those. Bitwarden's two trackers seem harmless, and as earlier mentioned, 1Password has no trackers at all.

[Update: Keeper alerted us to this blog post explaining it had removed the one possibly problematic tracker its Android app did have. The Exodus page for Keeper now reflects that.]

How to opt out of this data collection

Kuketz says there's no way to opt out of this data collection within the app, and we couldn't find one either. However, the LastPass spokesperson told The Register that there is a way.

"All LastPass users, regardless of browser or device, are given the option to opt-out of these analytics in their LastPass Privacy Settings, located in their account here: Account Settings > Show Advanced Settings > Privacy."

In the LastPass web-browser interface, that takes you to two lines that are checked on by default: "Keep track of login and form fill history" and "Send anonymous error reporting data to help improve LastPass."

When clicked on, the information bubbles next to each line say, "Maintain a history of your website logins and form fills. When disabled, History and Recent Sites will be empty on the vault and extension, respectively," and "Anonymous data is aggregated but not shared with third parties." 

Kuketz says that based on his findings, LastPass users should switch to other password managers. We're going to disagree with him and keep it as our top recommendation for the best password managers, though this does open our eyes a bit.

Tom's Guide has reached out to LastPass as well, and we will update this story when we receive a reply.

Update: LastPass responds to us

A LastPass spokesperson responded to our query with this statement:

"The privacy and security of our users is always a top priority at LastPass, which is why LastPass was designed with a patented zero-knowledge security model to protect sensitive customer data. 

No sensitive personally identifiable user data could be passed through these trackers. These trackers are used for a limited purpose — to collect aggregated statistical data about how LastPass is used to help us improve and optimize the product to deliver the best user experience. 

We are continuously reviewing our existing processes to ensure we are prioritizing our customers' privacy and security."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.