Dec 1, 2011

Your LastPass account is safe on Carrier IQ enabled mobile devices

When we read what Trevor Eckhart found regarding logging being done by an application installed by default on a number of HTC- and Samsung-based Android phones, we were concerned about just how far this Carrier IQ keyboard logging went.

We had to know if any of our users were at risk, so we could alert them to any danger. We replicated Trevor's findings, which he explained in his post on AndroidSecurityTest.com (the site seems to be intermittently down): http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/

He also posted a YouTube video, now making its way through the media, showing his tests.
We saw the same log entries Trevor saw when dialing phone numbers and receiving SMS, so that is confirmed.

We did not see any log entries when using the general keyboard though, including when typing into our LastPass for Android app and our LastPass for Dolphin HD app. The LastPass PIN code entry does not utilize the phone keyboard, so that is safe as well.

This is very good news, as your LastPass account - and most importantly, your master password - is safe on your Android phone even if Carrier IQ is installed.

Please note that utilizing a multi-factor authentication device like Google Authenticator with your LastPass account would protect you even if an application was logging keyboard events, so it's highly recommended.

We'll continue to monitor the situation and assess potential risks to LastPass users.

The LastPass Team