The thing about password managers is that a security issue there tends to be significantly more severe than with most another applications on a device. Even if you all you get is data exfiltration…well, you’re still exfiltrating some pretty fucking important data.<\/p>\n\n\n\n
Which is why this story<\/a> about trackers in LastPass for Android…is less than encouraging.<\/p>\n\n\n\n\n\n\n\n Quick summary of the story is that German researcher Mike Kuketz saw LastPass listed in Exodus Privacy’s database of apps with tracking code embedded and decided to look at what was being sent back…which turned out to be a lot more than was really a good idea.<\/p>\n\n\n\n Now, trackers and analytics code can potentially be used for good — there’s a reason developers appreciate having crash reports handy when something breaks — but they’re also very easy to use for evil. If you’re going to stick things like that into your app, you need to be careful about what data you’re gathering. Especially if the app in question is a password manager.<\/p>\n\n\n\n LastPass is not an example of being careful.<\/p>\n\n\n\n Most password managers on Android don’t stick trackers in at all, and those that do usually stick to ones designed for analytics and crash reporting. Bitwarden, for example<\/a>, uses Google Firebase and a Microsoft Visual Studio crash report plugin. However, LastPass includes multiple trackers designed specifically for advertising. Integrating code you don’t control into your software can be a dicey proposition, but there are plenty of times when it’s safer than the alternative. Taking code literally written for the purpose of monetizing every bit of activity you do and integrating it into a password manager is not one of those times.<\/p>\n\n\n\n I could go on a very long rant about just how scummy Internet advertising is as an industry (well, advertising in general, really), but Bill Hicks summed it up way better than I ever could. (CW: suicide)<\/p>\n\n\n\n