For me, it isn’t even about the paranoia.
Sure, that’s a part of it, but mostly it’s because my memory sucks.
Like most of us, I have more online accounts than I have fingers and toes, and they all require a login name and password. For security reasons, these passwords should all be different, but to my shame (and even through my information security classes) I did my level best to keep them all the same. I just couldn’t remember 20+ different passwords. Worse, I failed. Each site had different requirements for login and password security, which meant that I was juggling five to six password variants: neither secure nor memorable.
LastPass solves all those problems.
The program, which is a cloud storage system linked to your computer through a browser plug-in or mobile app, encrypts and decrypts all information on your device before it is sent to the server side. This means that LastPass never has any of your plaintext information, so even if their systems were compromised, your data is still safe, so long as your master password (“The Last Password You’ll Ever Need,” as they say) remains sufficiently complex.
Okay, that’s LastPass. For those interested in further technical details of the system, I refer you to Steve Gibson’s and Leo Laporte’s excellent “Security Now” show on the subject.
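The client-side model described above, as an added sketch that is not LastPass's own code or its actual algorithms: the keys are derived from the master password on the device, and only the salt, nonce, ciphertext and tag would ever reach a server. The function names, the iteration count and the HMAC-based keystream (a stand-in for AES, which Python's standard library does not include) are assumptions made for illustration.

```python
import hashlib, hmac, secrets

ITERATIONS = 100_000  # assumed work factor for this sketch

def derive_keys(master_password, salt):
    """Stretch the master password into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: a stand-in for AES, which the stdlib lacks.
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(mac_key, record):
    body = record["salt"] + record["nonce"] + record["ciphertext"]
    return hmac.new(mac_key, body, hashlib.sha256).digest()

def seal_vault(master_password, plaintext):
    """Runs on the device. The returned record is all a server would store."""
    record = {"salt": secrets.token_bytes(16), "nonce": secrets.token_bytes(16)}
    enc_key, mac_key = derive_keys(master_password, record["salt"])
    record["ciphertext"] = _xor_stream(enc_key, record["nonce"], plaintext)
    record["tag"] = _tag(mac_key, record)
    return record

def open_vault(master_password, record):
    """Runs on the device. Raises ValueError on a wrong password or tampering."""
    enc_key, mac_key = derive_keys(master_password, record["salt"])
    if not hmac.compare_digest(_tag(mac_key, record), record["tag"]):
        raise ValueError("wrong master password or modified record")
    return _xor_stream(enc_key, record["nonce"], record["ciphertext"])

def first_matching_guess(record, wordlist):
    """Audit helper: a copied record can be tested offline against guesses."""
    for guess in wordlist:
        try:
            open_vault(guess, record)
            return guess
        except ValueError:
            pass
    return None

if __name__ == "__main__":
    vault = seal_vault("correct horse battery staple", b"bank: s3cret")  # constructed sample
    print(open_vault("correct horse battery staple", vault))
    print(first_matching_guess(vault, ["123456", "password1"]))  # None: not in the list
```

A long, unguessable master password is what keeps the last function returning None for anyone who holds a copy of the stored record.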
I’ve been a LastPass user for three months, but just picked up the mobile app last week. I had some concerns about it, like “what if I lose my phone?” Would my LastPass vault be available to whoever finds it? Or steals it? Also, how much would I actually use it? I don’t do a lot of shopping or other password-requiring tasks on my phone. And finally, the smartphone app requires a “premium” LastPass membership which costs a whopping $12 a year! Not much, but it seems like a lot compared to the sea of free or $0.99 apps out there.
I now have a new personal record for “amount I paid for an app.” I bought two years for $24 bucks, figuring “hey, even if the app sucks… the company rocks and deserves my monetary support.”
So, does the app suck? No. Is it the best thing since sliced bread? Also “no.”
Basically, the LastPass app is simply a lightweight web browser with the functionality of the LastPass Safari plug-in. Now, this does work; I was just hoping for a fuller integration with the other password-using applications. After doing some research, I realize that this is “very difficult” (much like cold fusion) due to Apple’s hardware security model and unnecessary (more later), so I can’t really give them too much guff for that. The one thing that could be improved, however, is the instructions. Having some, for instance, would be really nice.
After a few days of experimentation, I found that there was indeed a setting to “Logoff on close.” The problem is that this only works when you “close” the app through the app manager (like you do when something crashes). A better option is the Log-off when Idle, which logs you out of your LastPass vault after 15 minutes.
If you are really worried about the passwords held by your phone’s apps, or the data on your phone, there are better solutions. Apple’s iPhone, for instance, can be set with a strong unlock code–and to “brick” itself if the code is entered incorrectly ten times in a row (recoverable by the owner with an iTunes backup)–and similar systems are available for Android, Symbian, Windows Mobile and BlackBerry offerings. Where LastPass mobile really shines, in my opinion, is in the world of mobile websites.
I actually use the LastPass app a LOT. Not to check my email or Twitter, but to check my bank balance or MyUW account. Or to access my library accounts, particularly the SPL one–where I download OverDrive audiobooks to my phone a good deal (see next week’s posts for more info on that).
As mobile websites grow in power and use, their security will become more and more important, and services like LastPass will become more central to our mobile experiences.
Hopefully a more secure and less confusing experience.
Interesting! What happens when you get to a site that needs a password? Does LastPass auto-fill the password for you? If so, I’d be a bit concerned about LastPass going out of business and taking my now forgotten passwords with them.