German cybersecurity expert Mike Kuketz noticed that the LastPass Android app has seven trackers that monitor users. The researcher builds his findings on the report of the non-profit organization Exodus, which is described as an initiative “led by hacktivists, the goal of which is to help people understand the problems of tracking in Android applications.”
Seven trackers were found in the password manager, including four from Google that collect data for analytics and crash reporting, as well as AppsFlyer, MixPanel and Segment. For example, the latter collects information for marketing teams, and its developers write that the tool offers to create a “single view of the customer” by profiling users and linking together their actions on different platforms (presumably to personalize ads).
At the same time, the researcher warns that often application developers do not know at all what data trackers collect and what they transfer to third parties. As a result, integrating someone else’s proprietary code into an application can be dangerous and can lead to data leakage. According to the expert, there is no place for such trackers in a password manager, whose security is extremely important.
According to the expert, LastPass transmits to the side information about the device used, the carrier, the type of the LastPass account, the Google advertising ID (which can be used to link user data from different applications). In addition, trackers “know” when a user creates new passwords and what type they are.
LastPass representatives have already assured the media that with the detected trackers it is impossible to transfer confidential user data, and their storage is also safe. It is emphasized that trackers only collect statistical information about the use of the application, which is used to improve and optimize the product. In addition, user can opt out of collecting analytics in the settings.
Let me remind you that ToTok messenger turned out to be a tool for total tracking.