Recently, 9to5Mac reported that Russian search engine Yandex is sending user data collected from millions of iOS and Android app users to Russia. At first sight, there is nothing odd about this. However, the company does so regardless of whether you use its own applications or not. Laws in Russia could compel the company to make the data available to the Russian government.
The user data is collected from a range of third-party applications built with developer tools created by Yandex. Developers earn money by using Yandex's AppMetrica API to get analytics data for their apps, and companies get user data in return. This is how it works.
The Financial Times said a security researcher found code sending data to Russia and that it had independently verified the claim. Yandex analytics code is embedded in 52,000 apps running on Apple and Google software.
“Russia’s biggest internet company has embedded code into apps found on mobile devices that allows information about millions of users to be sent to servers located in its home country […]
Researcher Zach Edwards first made the discovery regarding Yandex’s code as part of an app auditing campaign for Me2B Alliance, a non-profit. Four independent experts ran tests for the Financial Times to verify his work.”
Yandex Doesn’t Deny That It Is Sending User Data To Third-party Companies
Yandex admitted that it collected data and sent it to servers in Russia, but claimed it was “extremely difficult to identify users” from the information it compiled. However, experts disagree.
“Cher Scarlett, formerly a principal software engineer in global security at Apple, said once user information was collected on Russian servers, Yandex could be obliged to submit it to the government under local laws. Other experts said that the metadata of the sort collected by Yandex could be used to identify users.”
The security and privacy implications could be huge.
“Among the apps with AppMetrica installed are games, messaging apps, location-sharing tools and hundreds of virtual private networks tools designed to allow people to browse the web without being tracked. Seven of the VPNs are made specifically for a Ukrainian audience. Total installs of apps that include the AppMetrica SDK are in the hundreds of millions, according to Appfigures, an app intelligence group.”
In fact, we have already seen a similar case in connection with Apple's App Tracking Transparency privacy requirements. A large amount of innocuous-sounding data can be combined into a digital signature, or fingerprint, that can be tied to a personal device. The same approach used by websites can be used by app APIs.
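The combination effect described above can be measured, which is how a privacy reviewer would test a claim that collected metadata is hard to tie to a user. The following is an added illustration, not code from the article or from Yandex's SDK; the field names and the eight device records are constructed sample data.

```python
from collections import Counter
from math import log2

# Constructed sample data: field names and values are assumptions for
# illustration, not the actual fields reported by AppMetrica.
FIELDS = ("model", "os", "locale", "timezone", "carrier")
RECORDS = [
    ("iPhone12,1", "15.4", "de_DE", "Europe/Berlin", "Carrier A"),
    ("iPhone12,1", "15.4", "de_DE", "Europe/Berlin", "Carrier B"),
    ("iPhone12,1", "15.4", "en_US", "Europe/Berlin", "Carrier A"),
    ("iPhone12,1", "15.3", "de_DE", "Europe/Vienna", "Carrier A"),
    ("SM-G991B", "12", "de_DE", "Europe/Berlin", "Carrier A"),
    ("SM-G991B", "12", "de_DE", "Europe/Berlin", "Carrier B"),
    ("SM-G991B", "12", "en_US", "Europe/Zurich", "Carrier A"),
    ("SM-G991B", "11", "de_DE", "Europe/Berlin", "Carrier A"),
]

def anonymity_sets(records, columns):
    """Count how many records share each combination of the chosen columns."""
    idx = [FIELDS.index(c) for c in columns]
    return Counter(tuple(r[i] for i in idx) for r in records)

def unique_fraction(records, columns):
    """Share of records whose combination of values is held by no other record."""
    sets = anonymity_sets(records, columns)
    return sum(1 for n in sets.values() if n == 1) / len(records)

def entropy_bits(records, columns):
    """Shannon entropy of the combined value: bits of identifying information."""
    total = len(records)
    return -sum(n / total * log2(n / total)
                for n in anonymity_sets(records, columns).values())

def cumulative_report(records):
    """Join the fields one at a time and measure uniqueness at each step."""
    return [(FIELDS[:k],
             unique_fraction(records, FIELDS[:k]),
             entropy_bits(records, FIELDS[:k]))
            for k in range(1, len(FIELDS) + 1)]

if __name__ == "__main__":
    for cols, uniq, bits in cumulative_report(RECORDS):
        print(f"{'+'.join(cols):40s} unique={uniq:.0%} entropy={bits:.2f} bits")
```

No single field here is an identifier, yet every record is unique once all five are joined. A data-minimisation review would drop or coarsen fields until the smallest anonymity set stays above an agreed size.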