A report today says that ‘Russian Google’ Yandex is sending data harvested from millions of iOS app users to Russia – whether or not you use the company’s apps. Laws there could compel the company to make the data available to the Russian government.

Your data can be grabbed from a wide range of third-party apps which use a developer tool created by Yandex. Developers save time and money by using the Yandex API AppMetrica to obtain analytics data for their app, while the company gets user data in return …

The Financial Times says that a security researcher discovered the code which sends data to Russia, and that it has independently verified the claims.

Russia’s biggest internet company has embedded code into apps found on mobile devices that allows information about millions of users to be sent to servers located in its home country […]

Researcher Zach Edwards first made the discovery regarding Yandex’s code as part of an app auditing campaign for Me2B Alliance, a non-profit. Four independent experts ran tests for the Financial Times to verify his work.

Yandex admits that it collects the data and sends it to servers in Russia, but claims that it is ‘extremely hard to identify users’ from the information collated. However, experts disagree.

Cher Scarlett, formerly a principal software engineer in global security at Apple, said once user information was collected on Russian servers, Yandex could be obliged to submit it to the government under local laws. Other experts said that the metadata of the sort collected by Yandex could be used to identify users.

The security and privacy implications could be huge.

Among the apps with AppMetrica installed are games, messaging apps, location-sharing tools and hundreds of virtual private networks tools designed to allow people to browse the web without being tracked. Seven of the VPNs are made specifically for a Ukrainian audience. Total installs of apps that include the AppMetrica SDK are in the hundreds of millions, according to Appfigures, an app intelligence group.

We already know from attempts to circumvent Apple’s App Tracking Transparency privacy requirements that a vast range of innocuous-sounding data can be combined into digital fingerprints which can be tied to individual devices. The same fingerprinting approach used by websites can be used by app APIs.


About the Author

Ben Lovejoy
