LastPass Scrutinized: Balancing Security, Privacy

In the latest version of the LastPass application, version 6.21.0.11584, a report found 4 trackers and 29 permissions, raising concerns about user confidentiality and safety. The report, generated on December 12, 2024, identified the following trackers in the application:

  • Google Crashlytics – a tool for logging crashes;
  • Google Firebase Analytics – an analytics service;
  • Pendo – an analytics service;
  • Segment – an analytics and profiling platform.

Trackers are software components designed to gather data on users and their activities, which can be worrisome, especially if the data collection process is not transparent.

Furthermore, the application requests 29 permissions, some of which include:

  • ACCESS_NETWORK_STATE – access to network connections;
  • RECORD_AUDIO – ability to record audio;
  • SYSTEM_ALERT_WINDOW – capability to display over other applications;
  • USE_BIOMETRIC and USE_FINGERPRINT – access to biometric hardware;
  • NFC – management of NFC functionality;
  • POST_NOTIFICATIONS – sending notifications;
  • QUERY_ALL_PACKAGES – access to data on all installed applications.

Some of these permissions are classified as “dangerous” or “special” under Google’s permission protection levels, which indicates potential access to critical device functions and warrants heightened scrutiny due to possible privacy implications.
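To reproduce this kind of permission triage on any app, the following added example (not part of the original report or of LastPass's code) groups the permissions requested in a decoded AndroidManifest.xml by protection level. It assumes the manifest has already been decoded from the APK's binary XML to text (for instance with apktool); the sample manifest and the package name com.example.vault are constructed, and the level table covers only the permissions named above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PREFIX = "android.permission."

# Protection levels per the Android platform documentation, limited to the
# permissions named in the article; anything else is reported "unclassified".
PROTECTION_LEVEL = {
    "ACCESS_NETWORK_STATE": "normal",
    "RECORD_AUDIO": "dangerous",
    "SYSTEM_ALERT_WINDOW": "special",
    "USE_BIOMETRIC": "normal",
    "USE_FINGERPRINT": "normal",
    "NFC": "normal",
    "POST_NOTIFICATIONS": "dangerous",
    "QUERY_ALL_PACKAGES": "normal",
}

# Constructed sample manifest (assumption: not the real LastPass manifest).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vault">
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission-sdk-23 android:name="android.permission.NFC"/>
  <uses-permission android:name="com.example.vault.permission.SYNC"/>
</manifest>"""


def triage_permissions(manifest_xml):
    """Group the permissions a decoded manifest requests by protection level."""
    root = ET.fromstring(manifest_xml)
    groups = defaultdict(set)
    for elem in root:
        # Both element names declare a requested permission.
        if elem.tag not in ("uses-permission", "uses-permission-sdk-23"):
            continue
        name = elem.get(f"{{{ANDROID_NS}}}name", "")
        # Strip only the platform prefix; custom permissions keep their full name.
        short = name[len(PREFIX):] if name.startswith(PREFIX) else name
        groups[PROTECTION_LEVEL.get(short, "unclassified")].add(short)
    return {level: sorted(names) for level, names in groups.items()}


if __name__ == "__main__":
    for level, names in sorted(triage_permissions(SAMPLE_MANIFEST).items()):
        print(f"{level:12} {', '.join(names)}")
```

Like the report itself, this is static triage: it shows what the app may request, not what it does with the access at runtime.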

It is crucial to note that the report was based on a static analysis of the APK file, which does not establish how the trackers actually behave within the application at runtime. Additionally, there may be unidentified trackers present in the app. The absence of X.509 certificate data could serve as another red flag necessitating a security assessment.

Users with privacy concerns are advised to explore alternative applications. If uncertainties persist, reaching out to the developer for more information is recommended.
