Russia's Yandex is harvesting data from millions of Android and iOS users, report

Russia's Yandex is harvesting data from millions of Android and iOS users, report

Image:
Russia's Yandex is harvesting data from millions of Android and iOS users, report

The company's analytics code is included in about 52,000 apps on Apple and Google app stores

Russian search engine company Yandex is harvesting data from millions of Android and iOS app users and sending it to Russia, a new report from the Financial Times has claimed.

Yandex is regarded as Russia's answer to Google. The firm is listed on the New York Stock Exchange and offers a variety of services, including search engine and advertising tools.

Thousands of apps with millions of customers use the Yandex SDK which is capable of collecting user data from iPhone and Android devices.

Researcher Zach Edwards was the first to discover Yandex's data collection practices, finding that the company's analytics code is included in no fewer than 52,000 apps on Apple and Google stores.

Edwards was participating in an app auditing campaign for Me2B Alliance when he examined Yandex code.

The FT says it has independently verified the claims made by Edward. The report says Yandex offers a tracking tool in the form of a software development kit (SDK), called AppMetrica, that assists users in building applications.

Games, messaging services, virtual private network (VPN) software and location-sharing tools are among the apps that utilise the AppMetrica API.

Seven of the VPNs identified by the researchers are specifically targeted towards Ukrainians, and the total number of downloads of apps that use the API is in the hundreds of millions.

Yandex acknowledges that it gathers data and sends it to Russian servers, and that it is theoretically feasible to identify individuals based on iPhone and Android data.

However, it said that identifying users from the data is extremely difficult and that "Yandex definitely cannot do this."

The company added that the metadata information is "very limited" and non-personalised.

Yandex defended its tool, comparing it to other firms' development kits, such as Google Firebase, which is used in over 2 million Android applications.

It went on to say that it obtains data from iPhone and Android devices only after an app has received the user's consent.

The company said that it has never provided any information on users of any applications having AppMetrica installed on them, nor have they been requested to do so.

Yandax has a "very strict" policy for dealing with government data requests, which includes rejecting any requests that don't meet "relevant procedural and legal standards," according to the company.

Security experts warn, however, that if data is held on servers in Russia, Yandex may be forced to share it with the Russian government agencies.

Patrick Jackson, chief technology officer at Disconnect, a developer of digital privacy tools, told the FT that SDKs may pose security risk as they don't ask for permission. Instead, they "piggyback on the permissions that you, the user, have given the app," he said.

Opera browser, game developer Gismart, and some VPNs are among developers who have started removing the Yandex SDK from their apps.

However, more than 2,000 apps have added the AppMetrica SDK since the beginning of Ukraine conflict.

They include free messaging software for Ukrainians, named "Called Ukraine," which can see the user's identification and read contacts.