Lastpass tracks you. . . Not even surprised

Do all password apps contain such trackers? Not according to Exodus. 1Password has none. KeePass has none. The open-source Bitwarden has two for Google Firebase analytics and Microsoft Visual Studio crash reporting. Dashlane has four. LastPass does appear to have more than its rivals. And yes, lots of smartphone apps have trackers: today, we’re talking about LastPass.

Password managers are essential for most users since the number of passwords to be managed exceeds our ability to remember them, and the complex passwords needed for security are particularly hard to memorise. Using the same password across multiple services is poor practice because it increases the impact if a password is stolen or inadvertently disclosed.

4 Likes

Maybe not directly related, but LastPass is having other issues since being sold to a private equity firm. Surprise, surprise.

1 Like

Bitwarden does too? I guess in what sense? I’m pretty anti-Google, but not sure how much of ‘me’ it will get from this, or what is being sent/used.

1 Like

Yup, it does… i’ve never used Bitwarden, since I adopted Keepass(XC) for over 5yrs now and it does all I need for it to do and is completely open source as well. I really have no need/desire to move to another and since I super skeptical I definitely won’t be trying any other.

BitWarden:

Q: What third-party services, libraries or identifiers are used?

A: In the Mobile apps, Firebase Cloud Messaging (often mistaken for a tracker) is used only for push notifications related to sync and performs absolutely no tracking functions. Microsoft Visual Studio App Center is used for crash reporting on a range of mobile devices. In the Web Vault, Stripe and PayPal scripts are used for payment processing only on payment pages.

For those who prefer to exclude all 3rd party communication, Firebase and HockeyApp are removed completely from the F-Droid build. Additionally, Turning off push notifications on a self-hosted Bitwarden server will disable using the push relay server.

Bitwarden takes user security and privacy seriously. Bitwarden maintains secure, end-to-end encryption with zero knowledge of your encryption key. As a company focused on open source, we invite anyone to review our library implementations at any time on GitHub."

https://bitwarden.com/help/article/security-faqs/#q-what-third-party-services-libraries-or-identifiers-are-used

Exodus:

"We have found code signature of the following trackers in the application:
Google Firebase Analytics
(analytics)

Microsoft Visual Studio App Center Crashes
(crash reporting )"

https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/

Exodus on Google Firebase Analytics detection:

“Code detection rule: com.google.firebase.analytics. | com.google.android.gms.measurement.
Network detection rule: firebase\.com”

https://reports.exodus-privacy.eu.org/fr/trackers/49/

If Firebase was picked up via their network detection rule, it’d include non-analytics Firebase services. It’d be similar to comparing a Website using Google Analytics to one using Google Fonts. edit: This appears to be the case, see: next post.

Exodus on Microsoft Visual Studio App Center Crashes detection:

“Code detection rule: com.microsoft.appcenter.crashes
Network detection rule: NC”

https://reports.exodus-privacy.eu.org/en/trackers/238/

A user on their forum made a good point that most software usually has at least an opt out for enabling crash reporting.

Bitwarden on F-Droid:

“For those who prefer to exclude all 3rd party communication” - BitWarden

https://mobileapp.bitwarden.com/fdroid/

3 Likes

Below is every line that includes the case-insensitive word “firebase” in the BitWarden app.

It’d appear Exodus matched their “Network detection rule” for BitWarden using Firebase but there’s no matching on the “Code detection rule” related to Firebase analytics.

Code detection rule: com.google.firebase.analytics. | com.google.android.gms.measurement.
Network detection rule: firebase\.com

/mobile-master/src/Android/Android.csproj

<PackageReference Include="Xamarin.Firebase.Messaging">
<Compile Include="Push\FirebaseInstanceIdService.cs" />
<Compile Include="Push\FirebaseMessagingService.cs" />

/mobile-master/src/Android/ci-build-apks.ps1

$firebaseReceiver1=$xml.SelectSingleNode(`
    "/manifest/application/receiver[@android:name='com.google.firebase.iid.FirebaseInstanceIdInternalReceiver']", `
    $nsAndroid);
$firebaseReceiver1.ParentNode.RemoveChild($firebaseReceiver1);
$firebaseReceiver2=$xml.SelectSingleNode(`
    "/manifest/application/receiver[@android:name='com.google.firebase.iid.FirebaseInstanceIdReceiver']", `
    $nsAndroid);
$firebaseReceiver2.ParentNode.RemoveChild($firebaseReceiver2);
$firebaseNode=$xml.SelectSingleNode(`
    "/ns:Project/ns:ItemGroup/ns:PackageReference[@Include='Xamarin.Firebase.Messaging']", $ns);
$firebaseNode.ParentNode.RemoveChild($firebaseNode);

/mobile-master/src/Android/google-services.json

"firebase_url": "https://bitwarden-dev.firebaseio.com",

/mobile-master/src/Android/Properties/AndroidManifest.xml

<receiver android:name="com.google.firebase.iid.FirebaseInstanceIdInternalReceiver" android:exported="false"/>
<receiver android:name="com.google.firebase.iid.FirebaseInstanceIdReceiver" android:exported="true" android:permission="com.google.android.c2dm.permission.SEND">

/mobile-master/src/Android/Push/FirebaseInstanceIdService.cs

[IntentFilter(new[] { "com.google.firebase.INSTANCE_ID_EVENT" })]
    public class FirebaseInstanceIdService : Firebase.Iid.FirebaseInstanceIdService
await storageService.SaveAsync(Constants.PushRegisteredTokenKey, FirebaseInstanceId.Instance.Token);

/mobile-master/src/Android/Push/FirebaseMessagingService.cs

[IntentFilter(new[] { "com.google.firebase.MESSAGING_EVENT" })]
public class FirebaseMessagingService : Firebase.Messaging.FirebaseMessagingService

/mobile-master/src/Core/Resources/public_suffix_list.dat

// Firebase, Inc.
// Submitted by Chris Raynor <chris@firebase.com>
firebaseapp.com

/mobile-master/store/fdroid/index.html

Since the Bitwarden F-Droid build does not include Firebase Messaging,
push notifications for live sync updates of your vault will not work.
Manual vault syncing is required.
5 Likes

This run-through the code is very useful. Thank you :slight_smile: