I looked at the LastPass ones (all for Android) and they look relatively minor. The only real wtf is https://team-sik.org/sik-2016-022/ - hardcoding keys should be a big nope. Still, it happens only if you use a PIN rather than your master password; I hope this does not happen in iOS if you use TouchID...?
I have such a strong password that typing it repeatedly on a mobile device isn't doable. And so I use PINs or fingerprints, depending on device. I find this acceptable because I worry less about physical access to my device than about somebody gaining access to my encrypted database, which is also stored on Dropbox.
But I still expect that storing the master password locally is secure, otherwise what the fuck am I paying them for?
Speaking of LastPass, I've noticed them doing stupid things like this in the past, and the problem is that I feel those bugs wouldn't have been discovered and made public if they weren't so popular. And I expect such a company to take security seriously, because this is what they sell. Hard-coding a symmetric encryption key isn't a minor slip-up; this is the kind of mistake that I for one couldn't make, even though I'm no security expert. If they could make such an obvious mistake, then I can't trust them, regardless of their response time.