The invasion of Ukraine by Russia sparked a major response from Western countries, including unprecedented penalties against the aggressor. In addition to government-imposed banking and trade restrictions, a number of corporations have delayed or abandoned their operations in Russia. The West’s scrutiny of Russian technology has also risen. One example is Kaspersky. Another is Yandex, which is collecting app data from millions of iPhone and Android users around the world.
What does Yandex do on iPhone and Android? If you think you’re unaffected because you don’t use Yandex apps or services on your iPhone or Android, you’re wrong. You don’t have to install a Yandex app for the company to harvest your data. Instead, all you have to do is get one of the thousands of apps that make use of Yandex’s SDK, and some of that data might be leaving your device regularly without your knowledge.
A new report indicates that thousands of apps with millions of customers include a Yandex SDK that can collect user data from iPhone and Android devices. The worry is that others can then use the data to track people. Yandex might also be required to share that information with the Russian government and its spy agencies.
The news comes from the Financial Times (via 9to5Mac), which reports that researcher Zach Edwards first discovered the data collection practices. Edwards analyzed the Yandex code while participating in an app auditing campaign for Me2B Alliance. Then four independent experts ran tests for The Times.
The findings would be troubling in regular times, given that Yandex can always be forced to work with the Russian government. But it’s all happening against the Ukrainian war backdrop, so those worries are exacerbated. The report says that some 52,000 apps with hundreds of millions of users include the Yandex SDK. That’s the AppMetrica software that helps users build applications. Like other SDKs out there, the Yandex tools might be available for free to customers. In turn, the developers have to share user data.
Yandex confirmed that it collects device, network, and IP address information from iPhone and Android. This data is then stored on servers in Finland and Russia. The company said the metadata information is non-personalized and “very limited.” Furthermore, Yandex admitted that it’s theoretically possible to identify users based on the iPhone and Android data. But it said that “Yandex definitely cannot do this.”
The Times notes that all sorts of apps use the Yandex code that can extract user data from iPhone and Android: games, messaging apps, location tools, and even VPN services. Some seven VPN services created specifically for a Ukrainian audience are part of the list. This might pose significant security risks to some individuals.
The company told the site that its SDK operates similarly to Google’s Firebase, and that Yandex collects iPhone and Android data only after the app receives consent from the user. But the SDK doesn’t specifically ask for tracking consent from users. It’s up to the developer to do it, especially if laws impose it.
That might limit tracking on iPhone to some extent, as Apple requires developers to ask permission from users to track them online. Android doesn’t have similar protections. However, some companies have tried skirting Apple’s anti-tracking features. Also, Yandex operates its services in a totalitarian country. This gives security experts reasons to worry about these data collection practices, which might be benign in other markets.