A security researcher recommends against LastPass password management after detailing seven trackers found in the Android app, The register reports. Although there is no indication that the trackers, which were analyzed by researcher Mike Kuketz, transmit the user’s actual password or username, Kuketz says that their presence is bad practice for a security-critical app that handles such sensitive information.
In response to the report, a LastPass spokesman said the company collects limited data “on how LastPass is used” to help it “improve and optimize the product.”
LastPass trackers include four from Google that handle analysis and crash reporting, as well as one from a company called Segment, which reportedly collects data for marketing teams. Kuketz analyzed the data that was transferred and found that it included information about the smartphone’s make and model, as well as information about whether a user has activated biometric security. Although the transmitted data is not personally identifiable, only the integration of this third-party code introduces the potential for security vulnerabilities, according to Kuketz.
“If you actually use LastPass, I recommend changing your password management,” Kuketz wrote (via machine translation). “There are solutions that do not send data permanently to third parties and record user behavior.”
LastPass is not the only password manager that includes trackers like this, but it seems to have more than many popular competitors. Free alternative Bitwarden has only two according to Exodus Privacy, while RoboForm and Dashlane have four, and 1Password has none.
The report comes on the heels of the LastPass announcement to limit the functionality of its free level. While free users can currently store an unlimited number of passwords across devices without restriction, they will soon have to select a category of devices to view and manage their passwords on “Mobile” or “Computer” – unless they want to pay for the service. The changes will take effect on March 16.