Remove Trackers from Bitwarden

Feature name

  • Remove Embedded Trackers from Bitwarden

Feature function

Increase the security of Bitwarden and make users less worried about data being collected inside a high security app.

Related topics + references

Currently, according to an article on “The Register”, Bitwarden has two embedded trackers that send back data, “Google Firebase analytics” and “Microsoft Visual Studio crash reporting”. While the reason for these trackers may be benign, considering other apps in the category do not have these trackers, it does make you reconsider how safe the application is, especially after LastPass was caught with several trackers.

I believe the removal of these trackers would be a good way to reassure users of the app that there is no fishy business with data collection on users.

The Original Article Link

Edit: Update link

Q: What third-party services, libraries or identifiers are used?

A: In the Mobile apps, Firebase Cloud Messaging (often mistaken for a tracker) is used only for push notifications related to sync and performs absolutely no tracking functions. Microsoft Visual Studio App Center is used for crash reporting on a range of mobile devices. In the Web Vault, Stripe and PayPal scripts are used for payment processing only on payment pages.

For those who prefer to exclude all 3rd party communication, Firebase and HockeyApp are removed completely from the F-Droid build. Additionally, Turning off push notifications on a self-hosted Bitwarden server will disable using the push relay server.

Bitwarden takes user security and privacy seriously. Bitwarden maintains secure, end-to-end encryption with zero knowledge of your encryption key. As a company focused on open source, we invite anyone to review our library implementations at any time on GitHub.
Security FAQs | Bitwarden Help & Support

3 Likes

Q: Can I download Bitwarden on F-Droid? I cannot find it.

A: Yes, by adding our official private repo which removes all non-approved libraries: ​https://mobileapp.bitwarden.com/fdroid/

Unfortunately, F-Droid can not compile our app from source as it is based on Xamarin and it is not supported by F-Droid’s current compiler methods, so we must use a separate repo.

https://bitwarden.com/help/article/product-faqs/#q-can-i-download-bitwarden-on-f-droid-i-cannot-find-it

1 Like

Here is Exodus Privacy’s report that shows those 2 trackers in Bitwarden app for Android:
https://reports.exodus-privacy.eu.org/fr/reports/com.x8bit.bitwarden/latest/

1 Like

Here are two feature request requesting that Bitwarden switch from Google Analytics to other open-source analytics. But I think this only applies to the website, not the Android app.

As I said, you can always download Bitwarden without trackers from F-droid.:wink:

1 Like

The google analytics are only used on the website, not in the mobile apps/web vault/extensions.

1 Like

That’s recent then; because my bitwarden browser extension used to have google analytics integration and was sending every interaction to Google. Every installation I had to go to the settings and turn Google Analytics off. (Chrome extension)

As I said, you can always download Bitwarden without trackers from F-droid.

I think it should be privacy by default; not as “opt-in”.
Users of Bitwarden should not have to worry about the usage of third party trackers.

3 Likes

In the news today indeed because of LastPass. Would be great if Bitwarden could get rid of the last two trackers:

2 Likes

Thanks all for the feedback!

It’s very important to note that none of these are tracking any user-data, they’re simply allowing push notifications and crash reporting :slight_smile:

6 Likes

Do you know how 1password handles these? They’re listed with 0 trackers.

Also, maybe worth a try to ask sites like Exodus for a way to communicate this?
https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/

1 Like

Ironically, I was in the process of trialling BitWarden, as a potential migration from LastPass, as part of a general drive to improve privacy.

Any trackers make me doubt the provider’s commitment to privacy, especially when Google is involved - can you be certain of what these trackers are doing? Do you compile their code into BitWarden, and if so, are changes to their code monitored?

4 Likes

Entirely reasonable uses for both.

Its also important to note that the logic used by exodus to detect ‘tracker’ is flawed…

Detection rule (network):firebase\.com

That’s not detecting only analytical tracking… its also detecting FCM which is not the same thing.

1 Like

I don’t worry about them.

This “revelation” is not new, it has been discussed before (including in Vault Hours yesterday). Security FAQs | Bitwarden Help & Support is available for anyone to read.

Anyone who wishes to do so can see what information is being sent to (and from) Bitwarden. They also explain how those who do not wish them to be running can avoid these “trackers”, including in Vault Hours yesterday.

1 Like

Before Bitwarden I used 1Password. I moved to Bitwarden for being reasonably cheaper on the premium membership ($10 is reasonably better than $36).

With the article on TheVerge and the additional links here I already considered going back to 1Password.

I see the FUD is working. You should do some proper research before drinking the koolaid. 1Password is a fine service that I’ve heard many good things about. But switching products in a knee-jerk reaction because of a few sensationalist articles is a bit excitable.

The term “tracker” is incorrectly used in this case. The services in question can be used as trackers, but Bitwarden is not using them that way. They are core services of the Android ecosystem. I’ve blocked some of these in the past because they showed up as “trackers” and it broke my phone. System updates stopped working and many other issues.

3 Likes

Bitwarden provides you the option to download the version with now trackers from F-droid. Why switch?
Bitwarden is audited and most importantly open source. The premium plan is cheap as well. New features like the Send feature is coming, which I think other password managers don’t have.

1 Like

Even anti-privacy large corps allow one to opt-out of things like “crash reporting.” Default opt-in reporting is going to give BW more taint than any win they think they’re getting.

Just display the checkboxes on start, default to checked. Let the people who care care.

Crash reporting can potentially reveal more information. Maybe most of the time its no big deal. But what’s to say some data in memory wasn’t logged accidentally in crash data? Also crash reporting tool’s I’ve used could have log information sent back. I’d just feel more comfortable having any logging removed in this type of app, just to be safe.

Also, if Bitwarden is using Microsoft crash reporter tools, then we have to not only trust Bitwarden devs, we also have to trust Microsoft crash reporting tools. Crash reporting in dev versions is cool, not in production.

I know we’re all making a huge deal over this now, but a user’s expectation with a “secret codes” type app, is that it takes all precautions and nothing is opt-out.

1 Like