Wonderful article. We were also working on a similar issue. One way could be, instead of using a symmetric key (probably stored in the browser, hence not safe) to encrypt passwords before sending them to the LastPass server, they could have used an asymmetric cryptosystem. A solution similar to this can be very helpful in this case: https://www.youtube.com/watch?v=Slhwunm4oT0&feature=youtu.be Notice that the private key never leaves the mobile device, and hence the client does not have to trust the LastPass browser client.