LastPass Android app revealed to have seven embedded trackers

By Ewdison Then/Feb. 28, 2021 9:06 pm EST

LastPass may have been one of the most popular password managers in the market but it instantly became the most notorious for a sudden change in its free offering. That, however, may pale in comparison to the latest news that the app you trust to protect your privacy may be doing shady things behind your back, like tracking your device details. Of course, the situation isn't exactly clear-cut nor simple but it may still be an unsettling one given the context.

That mobile apps have embedded trackers is almost an unavoidable yet sad truth these days. Almost all of these, at least the well-meaning ones, use such data for the sake of improving services and quality. Many also use more established trackers like those from Google, so the responsibility and trust are shifted to the third-party provider instead.

There is, however, a certain sense of irony and unease when an app meant for security and privacy uses these trackers and doesn't exactly inform users about them. German security researcher Mike Kuketz discovered seven trackers in the LastPass Android app, four of which are clearly labeled to be Google's. The other three, however, are relatively lesser-known and could become a security liability considering developers don't often know how these pieces of data are used by the service provider.

LastPass assured The Register that no sensitive personally identifiable user data or activity are passed to those trackers. While technically true on some level, some less conscientious actors are able to develop profiles based simply on devices' unique IDs and other seemingly non-identifiable elements. LastPass also described how users can turn off the tracking but the app never informs them that they are being tracked by default in the first place.

The timing of this exposé couldn't have come at a worse time for LastPass given the controversy over its Free account changes. And while it might not be alone in utilizing trackers, rivals 1Password and KeePass were noted to have none of these at all.