Increase the security of Bitwarden and make users less worried about data being collected inside a high-security app.
Related topics + references
Currently, according to an article on “The Register”, Bitwarden has two embedded trackers that send back data, “Google Firebase analytics” and “Microsoft Visual Studio crash reporting”. While the reason for these trackers may be benign, considering other apps in the category do not have these trackers, it does make you reconsider how safe the application is, especially after LastPass was caught with several trackers.
I believe the removal of these trackers would be a good way to reassure users of the app that there is no fishy business with data collection on users.
Q: What third-party services, libraries or identifiers are used?
A: In the Mobile apps, Firebase Cloud Messaging (often mistaken for a tracker) is used only for push notifications related to sync and performs absolutely no tracking functions. Microsoft Visual Studio App Center is used for crash reporting on a range of mobile devices. In the Web Vault, Stripe and PayPal scripts are used for payment processing only on payment pages.
For those who prefer to exclude all 3rd party communication, Firebase and HockeyApp are removed completely from the F-Droid build. Additionally, turning off push notifications on a self-hosted Bitwarden server will disable using the push relay server.
Bitwarden takes user security and privacy seriously. Bitwarden maintains secure, end-to-end encryption with zero knowledge of your encryption key. As a company focused on open source, we invite anyone to review our library implementations at any time on GitHub. Security FAQs | Bitwarden Help & Support
That’s recent, then, because my Bitwarden browser extension used to have Google Analytics integration and was sending every interaction to Google. Every installation I had to go to the settings and turn Google Analytics off. (Chrome extension)
Ironically, I was in the process of trialling Bitwarden, as a potential migration from LastPass, as part of a general drive to improve privacy.
Any trackers make me doubt the provider’s commitment to privacy, especially when Google is involved - can you be certain of what these trackers are doing? Do you compile their code into Bitwarden, and if so, are changes to their code monitored?
Anyone who wishes to do so can see what information is being sent to (and from) Bitwarden. They also explain how those who do not wish them to be running can avoid these “trackers”, including in Vault Hours yesterday.
I see the FUD is working. You should do some proper research before drinking the Kool-Aid. 1Password is a fine service that I’ve heard many good things about. But switching products in a knee-jerk reaction because of a few sensationalist articles is a bit excitable.
The term “tracker” is incorrectly used in this case. The services in question can be used as trackers, but Bitwarden is not using them that way. They are core services of the Android ecosystem. I’ve blocked some of these in the past because they showed up as “trackers” and it broke my phone. System updates stopped working and many other issues.
Bitwarden provides you the option to download the version with no trackers from F-Droid. Why switch?
Bitwarden is audited and, most importantly, open source. The premium plan is cheap as well. New features like the Send feature are coming, which I think other password managers don’t have.
Crash reporting can potentially reveal more information. Maybe most of the time it’s no big deal. But what’s to say some data in memory wasn’t logged accidentally in crash data? Also, crash reporting tools I’ve used could have log information sent back. I’d just feel more comfortable having any logging removed in this type of app, just to be safe.
Also, if Bitwarden is using Microsoft crash reporter tools, then we have to not only trust Bitwarden devs, we also have to trust Microsoft crash reporting tools. Crash reporting in dev versions is cool, not in production.
I know we’re all making a huge deal over this now, but a user’s expectation with a “secret codes” type app is that it takes all precautions and nothing is opt-out.
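The concern raised in the post above, that secrets sitting in memory can end up inside a crash report, is easy to reproduce and easy to mitigate. The following is an added illustration written for this thread; it is not Bitwarden code and does not use Firebase or App Center. It assumes a hypothetical crash-report builder that walks the exception traceback, redacts locals whose names look sensitive (the name pattern and the `unlock_vault` failure are constructed for the example), scrubs the same secret values out of the exception message and out of harmlessly named locals (the caught exception object itself is a classic leak), and a build-type gate so that release builds submit nothing at all.

```python
import json
import re

# Constructed for this example: local-variable names whose values must never
# leave the device. A real app would maintain its own list.
SENSITIVE_NAME = re.compile(r"(pass|secret|token|key|pin|vault|cipher)", re.IGNORECASE)
REDACTED = "<redacted>"


def _collect_secrets(tb) -> set:
    """First pass: gather the string values of sensitively named locals in every frame."""
    secrets = set()
    while tb is not None:
        for name, value in tb.tb_frame.f_locals.items():
            if SENSITIVE_NAME.search(name) and isinstance(value, str) and value:
                secrets.add(value)
        tb = tb.tb_next
    return secrets


def _scrub(text: str, secrets: set) -> str:
    """Replace every known secret value wherever it appears in free text (longest first)."""
    for s in sorted(secrets, key=len, reverse=True):
        text = text.replace(s, REDACTED)
    return text


def build_crash_report(exc: BaseException) -> dict:
    """Second pass: serialise the exception and frame locals with secrets removed."""
    secrets = _collect_secrets(exc.__traceback__)
    frames = []
    tb = exc.__traceback__
    while tb is not None:
        frame = tb.tb_frame
        shown = {}
        for name, value in frame.f_locals.items():
            if SENSITIVE_NAME.search(name):
                shown[name] = REDACTED  # never serialise, not even a prefix
            else:
                # A harmlessly named local (e.g. the caught exception object, a URL,
                # a log buffer) can still hold a secret, so its repr is scrubbed
                # BEFORE truncation so no partial secret survives.
                try:
                    text = repr(value)
                except Exception:
                    text = "<unrepresentable>"
                shown[name] = _scrub(text, secrets)[:120]
        frames.append({"function": frame.f_code.co_name,
                       "line": tb.tb_lineno,
                       "locals": shown})
        tb = tb.tb_next
    return {"type": type(exc).__name__,
            "message": _scrub(str(exc), secrets),
            "frames": frames}


def report_as_text(report: dict) -> str:
    """Serialised form, i.e. what would actually go over the wire."""
    return json.dumps(report, sort_keys=True)


def submit_crash_report(exc: BaseException, build_type: str, sink: list) -> bool:
    """Gate: only debug builds report at all. Returns True if a report was queued."""
    if build_type != "debug":
        return False
    sink.append(build_crash_report(exc))
    return True


def unlock_vault(master_password: str, vault_blob: bytes) -> None:
    # Constructed failure mode: a careless error message embeds the secret.
    raise ValueError(f"could not unlock with {master_password}")


def demo(build_type: str = "debug") -> list:
    """Run the constructed failure and return whatever reports were queued."""
    sink = []
    try:
        unlock_vault("hunter2-correct-horse", b"\x00\x01")
    except ValueError as e:
        submit_crash_report(e, build_type, sink)
    return sink


if __name__ == "__main__":
    print(report_as_text(demo("debug")[0]))  # secret appears nowhere in the output
    print(demo("release"))                   # [] : release builds send nothing
```

The two-pass structure is the point: name-based redaction alone would miss the secret inside `e`, whose repr carries the full exception message, and truncating before scrubbing could leave a secret prefix behind. Even with this in place, the thread's stronger position (no reporting in production) is what the `build_type` gate implements.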