Russia’s largest internet company has embedded code in apps found on mobile devices that allows information about millions of users to be sent to servers in its home country.
The revelation concerns software created by Yandex that allows developers to create apps for devices running Apple’s iOS and Google’s Android, systems that run the vast majority of the world’s smartphones.
Yandex’s code collects user data on mobiles before sending the information to servers in Russia. The researchers raised concerns that the same “metadata” could then be accessed by the Kremlin and used to track people through their cellphones.
Researcher Zach Edwards discovered Yandex’s code as part of an application audit campaign for Me2B Alliance, a non-profit organization. Four independent experts conducted tests for the Financial Times to verify his work.
Yandex acknowledged that its software collects “device, network and IP address” information that is stored “both in Finland and Russia”, but it called this data “non-personalized and very limited”. It added: “While theoretically possible, in practice it is extremely difficult to identify users solely based on the information collected. Yandex certainly cannot do this.”
The revelations come at a critical time for Yandex, often referred to as “Russia’s Google,” which has long tried to chart an independent course without falling foul of Russian President Vladimir Putin’s desire for greater control of the internet.
The company said it followed a “very strict” internal process when dealing with governments: “Any request that does not meet all relevant procedural and legal requirements is rejected.”
But Cher Scarlett, formerly Apple’s senior global security software engineer, said that once user information is collected on Russian servers, Yandex may be required to submit it to the government under local laws. Other experts said metadata of the type collected by Yandex could be used to identify users.
Ron Wyden, chairman of the US Senate Finance Committee and one of the architects of US internet regulation, has sharply criticized Google and Apple for not doing enough to secure smartphones from Yandex software, which found its way to 52,000 apps reaching hundreds of millions of consumers.
“These apps extract private and sensitive data from apps on your phone, threatening US national security and the privacy of Americans and others around the world,” he said.
Yandex is considered a global technology giant and is listed on the New York Stock Exchange and majority-owned by US funds. It is incorporated in Amsterdam and the founder Arkady Volozh lives in Israel. In 2019, the company reached an agreement with the Russian government, codifying a structure that ensures that Moscow can intervene on certain issues such as foreign acquisitions without control of day-to-day operations.
The invasion of Ukraine has shattered its international ambitions, dented its stock price and cut ties with some Western partners. The company’s chief executive, Tigran Khudaverdyan, resigned last week after being targeted by European sanctions aimed at hitting the assets of businessmen considered close to the Kremlin.
Yandex offers software in the form of a software development kit, or SDK, called “AppMetrica”. SDKs are building blocks used by developers to create applications. The Google Maps SDK, for example, allows applications to integrate mapping functions rather than building this functionality from scratch. Many SDKs are offered “for free” in exchange for access to user data that facilitates targeted advertising.
Among the apps that AppMetrica is installed on are games, messaging apps, location sharing tools, and hundreds of virtual private networks, tools designed to allow users to browse the web without being tracked. Seven of the VPNs are designed specifically for Ukrainian audiences. The total number of app installs that include the AppMetrica SDK is in the hundreds of millions, according to Appfigures, an app intelligence group.
“The AppMetrica SDK claims to provide proper services, while phoning Moscow with deeply invasive metadata details that can be used to track people across websites and apps,” said Edwards, the researcher.
“For people with a high threat profile or in high-level positions, using apps that send this data to Moscow is dangerous and can potentially lead to attacks on home networks or other forms of digital monitoring.”
Senator Wyden added, “Apple and Google argue that their near-monopoly control over their app stores is necessary to keep consumers safe. Every day that apps built from the Russian Yandex SDK remain in these stores is further proof that the consumer security they claim to offer is an illusion.”
Yandex defended the use of its SDK, saying it “works the same as its international counterparts,” including Google Firebase, which is present in more than 2 million Android apps. The company said it only collects data after the app receives consent from users through the Android and iOS apps. “We inform developers about the operation of AppMetrica and they are obligated, if required by law, to obtain consent from their users,” Yandex added.
The company also said, “We have never provided user information to applications that have AppMetrica installed, nor have we been asked to do so.”
Similarly, Apple said AppMetrica cannot access user data indiscriminately because the SDK requires consent.
Patrick Jackson, chief technology officer at Disconnect, a developer of digital privacy tools, explains that the reason SDKs can pose a risk is precisely because they don’t ask for permission. Instead, they “rely on the permissions you, the user, have granted to the app,” he said.
Google acknowledged it still had work to do to provide transparency for users about the SDKs used to build apps and said it would investigate based on the findings presented by the FT.
Some app developers started removing AppMetrica from their apps after Russia invaded Ukraine. “We made the decision to stop using Russian-owned services when the war started,” said a spokesperson for Gismart, which makes dozens of games with AppMetrica installed.
Opera, a popular web browser with a built-in VPN, also said it disabled the SDK starting Feb. 15, “in preparation for its complete removal.” It didn’t give a reason other than to say “we’ve moved to our own ad platform.”
Conversely, more than 2,000 apps have added the AppMetrica SDK since the invasion of Ukraine, several of which appear designed to track Ukrainian users.
“Call Ukraine”, for example, is a “free messenger for Ukrainians” that launched on the Play Store on March 10 using the blue and yellow flag as its icon. Once downloaded, the app can see a user’s identity and read their contacts. The developer includes a dummy email address: “email@example.com”.
Cher Scarlett said it was concerning that AppMetrica was installed in 21 VPN apps in the last 30 days. “You’re trying to be proactive to be safer,” she added, “but you’re actually making yourself more vulnerable.”
Letter in response to this article:
Yandex’s AppMetrica performs like its global peers / From Rogier Rijnja, Board Member, Yandex, Amsterdam, The Netherlands