
Avoid LastPass, due to the web trackers embedded in it

 

A few days after announcing limited functionality in its free version, the well-known password manager LastPass is under fire for the presence of 7 web trackers in its Android app.

In detail, the report states:

LastPass Android: Third-party providers monitor every step

LastPass is a widely used password manager. The app has over 10 million installations in the Google Play Store alone. With Exodus Privacy, I briefly checked whether the app contains known tracker signatures. A total of seven trackers were found:

AppsFlyer
Google Analytics
Google CrashLytics
Google Firebase Analytics
Google Tag Manager
MixPanel
Segment

For an app that processes extremely sensitive data (passwords), this is simply an indictment. Advertising and analytics modules simply have no place in this - it is completely out of the question to integrate them into password manager apps. Or to put it in general terms: no proprietary and non-transparent third-party code may be integrated into apps in which sensitive data is processed. Which data these modules collect and transmit to the third-party providers is sometimes not even known to the app developers themselves, who integrate these modules into their apps.

Even if the result of Exodus Privacy suggests it, only an analysis of the network traffic is really meaningful. With Exodus Privacy we can only say: Yes, the corresponding tracking code or the tracker is available. With Exodus Privacy, however, no statement can be made as to whether this is actively tracking - the app must be checked manually for this.

Below I've done this with the Android version of LastPass (version 4.11.18.6150). The results are shortened to relevant events.

App start: Immediately after the start (no user interaction)

[1] Immediately after starting the app, it contacts almost all tracking providers that Exodus Privacy discovered during its analysis:

Google Firebase Analytics (firebaseinstallations.googleapis.com)
Segment (cdn-settings.segment.com)
Google CrashLytics (firebase-settings.crashlytics.com)
AppsFlyer (inapps.appsflyer.com)
Mixpanel (api.mixpanel.com)
Google Analytics (ssl.google-analytics.com)

In tracker bingo someone would probably call out:

The user is not even asked whether he or she agrees to the data transfer to the third party provider.

The analyst Mike Kuketz recommends that users move to another password manager.
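
The report's distinction between a tracker being present in the code and a tracker actually being contacted can be checked against a capture. The following is an added example, not code from the report or from this post: it scans a DNS log for the hosts listed above that are queried after app start and before any user input. The log format, the event names and the sample lines are constructed for illustration.

```python
from datetime import datetime

# Hosts the report lists as contacted at app start, mapped to the provider it names.
TRACKER_HOSTS = {
    "firebaseinstallations.googleapis.com": "Google Firebase Analytics",
    "cdn-settings.segment.com": "Segment",
    "firebase-settings.crashlytics.com": "Google CrashLytics",
    "inapps.appsflyer.com": "AppsFlyer",
    "api.mixpanel.com": "Mixpanel",
    "ssl.google-analytics.com": "Google Analytics",
}

# Constructed sample log; the "<ISO time> <EVENT> <detail>" format is an assumption.
SAMPLE_LOG = """\
2021-01-01T10:00:00 APP_START -
2021-01-01T10:00:01 DNS_QUERY firebaseinstallations.googleapis.com
2021-01-01T10:00:01 DNS_QUERY cdn-settings.segment.com
2021-01-01T10:00:02 DNS_QUERY API.Mixpanel.com.
2021-01-01T10:00:02 DNS_QUERY api.mixpanel.com.cdn.example
2021-01-01T10:00:09 USER_INPUT login_screen_tap
2021-01-01T10:00:10 DNS_QUERY ssl.google-analytics.com
"""

def normalize(host):
    """Lower-case and drop the trailing root dot so FQDN forms compare equal."""
    return host.strip().lower().rstrip(".")

def trackers_before_interaction(log_text):
    """Return [(provider, host, seconds_after_start)] seen before the first USER_INPUT."""
    start, hits, seen = None, [], set()
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        stamp, event, detail = parts
        when = datetime.fromisoformat(stamp)
        if event == "APP_START":
            start = when
        elif event == "USER_INPUT":
            break  # anything later could follow a user action or consent
        elif event == "DNS_QUERY" and start is not None:
            host = normalize(detail)
            # Exact match only: a name that merely starts with a tracker host is ignored.
            if host in TRACKER_HOSTS and host not in seen:
                seen.add(host)
                hits.append((TRACKER_HOSTS[host], host, (when - start).total_seconds()))
    return hits

if __name__ == "__main__":
    print(trackers_before_interaction(SAMPLE_LOG))
```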
