Popular password manager in the spotlight over web trackers

While the trackers in LastPass’ Android app don’t collect any personal data, the news may not sit well with some privacy-minded users



LastPass, a popular password manager, has come under some fire following a report that its Android app features seven built-in advertising and analytics trackers that gather data ranging from the user’s device type and Android version to whether the user is on a free plan and has enabled biometric protection.


Mike Kuketz, a German researcher who disclosed the issue, finds it completely unacceptable for apps that process extremely sensitive data to have advertising and analytics modules integrated into them: “Or to put it in general terms: no proprietary and non-transparent external code may be integrated into apps in which sensitive data is processed. Which data these modules collect and transmit to the third-party providers are sometimes not even known to the app developers themselves, who integrate these modules into their apps,” he added.


Using Exodus, a privacy audit platform for Android applications, Kuketz found that as soon as the Android app starts up, it contacts the tracking providers. The app contains Google Firebase Analytics, Segment, Google Crashlytics, AppsFlyer, Mixpanel, and Google Analytics.



The information collected includes the device’s IP address, screen resolution, time zone, Google Advertising ID, and information about the service provider, as well as, apparently, a one-time generated user ID. While the app is in use, it transmits metadata about new passwords being created and what type they are. The ..