LastPass Password Manager 4.1.10 (iOS / App Store)


This application is available for iOS. It is designed to be a powerful password manager and is developed by LastPass. The latest build was released on Jul 05, 2017. Our latest check was performed on Oct 7th, 2016.

Findings Summary

Our examination revealed 17 items in total: 9 DAR items and 8 DIT items. Among the DAR items there were 0 worst items, 6 bad items, 2 good items, and 1 best item. Among the DIT items there were 0 worst items, 7 bad items, 1 good item, and 0 best items.

Below you will find 3 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.

 



Everything presented below is related to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], Unsafe sensitive data transmission [CWE-319]. You can read more about it here.

Now let’s go deeper and examine each data item’s protection level.

 

Application Description

The description of this application is quoted below:

LastPass simplifies your digital life. From your LastPass Vault, you can store passwords and logins, create online shopping profiles, generate strong passwords, track personal information in photo and audio notes, and more. All you have to do is remember your LastPass master password, and LastPass autofills web browser and app logins for you.
Get started today for free and join the millions managing passwords with LastPass — you’ll wonder how you lived without it!
NEW TO LASTPASS?
Download LastPass now and get started, completely free. You can use LastPass across all your devices, including phones, tablets, and personal computers, for free.
LASTPASS PASSWORD MANAGER FEATURES:
AIRTIGHT PASSWORD STORAGE

  • Store all your usernames and passwords for all of your online accounts securely in your LastPass Vault
  • Sync all of your passwords and logins across all your devices for free
  • Anything you save on one device is instantly available on any other device you use
  • Use TouchID to access your Vault

AUTOMATICALLY FILL IN FORMS ONLINE

  • Automatically fill in your name, address, credit card info with Form Fill
  • Instantly log in to websites using saved passwords and TouchID

GENERATE PASSWORDS

  • Create secure passwords using the built-in password generator
  • Set custom password parameters like length, capital or lowercase letters, symbols and numbers
  • Set passwords to be pronounceable

ADVANCED SECURITY PROTECTION

  • AES-256 bit encryption keeps your passwords and notes safe
  • LastPass never has your encryption key – only you know your password
  • Optional PIN code, TouchID, and offline options
  • Get notified about important security issues and risks when they happen
  • Multifactor authentication

ORGANIZE AND SHARE PASSWORDS

  • Organize sites by folders in your Vault
  • Safely and conveniently share passwords with others
  • Log in to Safari, Firefox, and Chrome extensions on your personal computer

EMERGENCY ACCESS

  • Plan ahead and give trusted family or friends a way to access your Vault in case of an emergency
  • Accept or decline Emergency Access requests to your Vault

LASTPASS ENTERPRISE CREATED SPECIALLY FOR BUSINESSES
Business owners can download LastPass to secure their business and share passwords safely among employees.

  • Add and remove employee accounts from the Admin Console
  • Simple, secure sharing and storage of passwords among team members
  • Configure security policies to restrict access and set requirements
  • Active Directory integration for automated user provisioning
  • Learn more at https://lastpass.com/enterprise

With LastPass, your passwords are safely stored and accessible across all your devices. Use LastPass for password protection, document storage, or workplace security. Our Vault can handle it all.
Download LastPass today!

 

Protection levels.

Locally stored data (Data-at-Rest, DAR).

Locally stored data groups include Media Information, Credentials Information, Application Information, Analytics ‘n’ Ads Information, Application BaaS Information.
The average DAR value is 4.61 points (7.00 points of system protection and 2.22 points of own protection). It is higher than a typical value (3.5 points, that is, 7 points of system protection and 0 points of own protection).

Item GROUP #1 has an average value of 6.50 points (7 points of system protection, 6 points of own protection). In plain terms, protection and privacy issues are still possible but might involve interaction with the app code. The system protection level means that root/jailbreak is required but is not possible without wiping device data; the own protection level means that the data is not available in backups.

– Screen Snapshots (‘Media Information’ Group) – Screenshots of your device screen running certain apps; common as an iOS app multitasking feature (app swipes) or browser tab swipes. This item belongs to the group covering any data such as photo, image, video, audio.

– Credentials Sync Data (‘Credentials Information’ Group) – Information about your credentials, including the credentials plus additional info about linked services. This item belongs to the group covering any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

Item GROUP #2 has an average value of 3.50 points (7 points of system protection, 0 points of own protection). In plain terms, extra data was found that should not be accessible. The system protection level means that root/jailbreak is required but is not possible without wiping device data; the own protection level means that the data is stored as is.

– Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs, like app or 3rd party user IDs, including emails, phone numbers, usernames, etc. (depends on the app). This item belongs to the group covering any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

– Application Configs (‘Application Information’ Group) – Different configuration files created by your app, perhaps app permissions. This item belongs to the group covering any info related to the app and app settings, including installed apps or installers.

– Application Events (‘Analytics ‘n’ Ads Information’ Group) – App events that refer to user actions and activities performed. This item belongs to the group covering any info related to analytics services like Flurry, Google Analytics, etc., or advertisements.

– Device Data (‘Analytics ‘n’ Ads Information’ Group) – Device ID, Device Name, Device OS Name and Version, and jailbroken/root status. This item belongs to the group covering any info related to analytics services like Flurry, Google Analytics, etc., or advertisements.

– Credentials (Tokens) (‘Application BaaS Information’ Group) – Different tokens used to get access to your account, except for passwords but including app or 3rd party tokens, secret keys, etc. (these usually give full access to your account). This item belongs to the group covering any info related to BaaS (backend) app storage, such as files, credentials, configs, and so on.

– Credentials (IDs) (‘Application BaaS Information’ Group) – Only account IDs, like app or 3rd party user IDs, including emails, phone numbers, usernames, etc. (depends on the app). This item belongs to the group covering any info related to BaaS (backend) app storage, such as files, credentials, configs, and so on.

Item GROUP #3 has an average value of 7.50 points (7 points of system protection, 8 points of own protection). In plain terms, the protection is compliant, but there are publicly known techniques to access the data, including forensic ones. The system protection level means that root/jailbreak is required but is not possible without wiping device data; the own protection level means compliant implementations of encryption algorithms and security mechanisms.

– Credentials (App Passwords) (‘Credentials Information’ Group) – App-based passwords or PINs you use to get access to some features of services under your account for some apps while two-factor authentication is turned on (usually cannot be used to access your account). This item belongs to the group covering any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

Also keep in mind that on a jailbroken device the system protection level is 0 points, and if you’re using an out-of-date iOS version (< 8.3) the system protection level is 2 points. If some data is marked as shareable via iTunes, the system protection level is 4 points.

Transferred data (Data-in-Transit, DIT).

Transferred data groups include Log Information, Credentials Information, Analytics ‘n’ Ads Information, Personal ‘n’ Private Information.
The average DIT value is 4.75 points (5.00 points of system protection and 4.50 points of own protection). It is higher than a typical value (4 points, that is, 4 points of system protection and 4 points of own protection).

Item GROUP #1 has an average value of 4.50 points (5 points of system protection, 4 points of own protection). In plain terms, data is available only if access is allowed, and this may require user action. The system protection level means that some techniques are available to developers to keep the connection bypassing system settings, such as proxy settings; the own protection level means that it can be bypassed with fake/stolen root certificates.

– Application Configs (‘Log Information’ Group) – Different configuration files created by your app, perhaps app permissions. This item belongs to the group covering any information stored in local or network logs.

– Encryption Key (‘Credentials Information’ Group) – An encryption key, found in the app data folders, traffic or code of the app, that is used to protect your data. This item belongs to the group covering any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

– Credentials (Tokens) (‘Credentials Information’ Group) – Different tokens used to get access to your account, except for passwords but including app or 3rd party tokens, secret keys, etc. (these usually give full access to your account). This item belongs to the group covering any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

– Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs, like app or 3rd party user IDs, including emails, phone numbers, usernames, etc. (depends on the app). This item belongs to the group covering any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

– Device Data (‘Analytics ‘n’ Ads Information’ Group) – Device ID, Device Name, Device OS Name and Version, and jailbroken/root status. This item belongs to the group covering any info related to analytics services like Flurry, Google Analytics, etc., or advertisements.

– Locale ‘n’ TimeZone (‘Analytics ‘n’ Ads Information’ Group) – Details about your locale, languages, time zone, country and so on. This item belongs to the group covering any info related to analytics services like Flurry, Google Analytics, etc., or advertisements.

– Personalized Autofill Data (‘Personal ‘n’ Private Information’ Group) – Typed data grabbed by the application as part of autofill data but non-sensitive, like words, phrases, names, addresses and so on. This item belongs to the group covering any personal and private info that is not grabbed from 3rd party social networks or your IDs.

Item GROUP #2 has an average value of 6.50 points (5 points of system protection, 8 points of own protection). In plain terms, protection and privacy issues are still possible but might involve interaction with the app code. The system protection level means that some techniques are available to developers to keep the connection bypassing system settings, such as proxy settings; the own protection level means that the app uses its own VPN or its own crypto, but in a compliant way.

– Credentials Sync Data (‘Credentials Information’ Group) – Information about your credentials, including the credentials plus additional info about linked services. This item belongs to the group covering any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

Keep in mind that if you’re using an out-of-date iOS version (< 9.0), the system level equals 2 points instead of 4. This means your data can be stolen without any action on your part.

Privacy Policy

The full application privacy policy is available here.