A report today says that ‘Russian Google’ Yandex is sending data harvested from millions of iOS app users to Russia – whether or not you use the company’s apps. Laws there could compel the company to make the data available to the Russian government.
Your data can be grabbed from a wide range of third-party apps which use a developer tool created by Yandex. Developers save time and money by using the Yandex API AppMetrica to obtain analytics data for their app, while the company gets user data in return …
The Financial Times says that a security researcher discovered the code which sends data to Russia, and that it has independently verified the claims.
Russia’s biggest internet company has embedded code into apps found on mobile devices that allows information about millions of users to be sent to servers located in its home country […]
Researcher Zach Edwards first made the discovery regarding Yandex’s code as part of an app auditing campaign for Me2B Alliance, a non-profit. Four independent experts ran tests for the Financial Times to verify his work.
Yandex admits that it collects the data and sends it to servers in Russia, but claims that it is ‘extremely hard to identify users’ from the information collated. However, experts disagree.
Cher Scarlett, formerly a principal software engineer in global security at Apple, said once user information was collected on Russian servers, Yandex could be obliged to submit it to the government under local laws. Other experts said that the metadata of the sort collected by Yandex could be used to identify users.
The security and privacy implications could be huge.
Among the apps with AppMetrica installed are games, messaging apps, location-sharing tools and hundreds of virtual private network tools designed to allow people to browse the web without being tracked. Seven of the VPNs are made specifically for a Ukrainian audience. Total installs of apps that include the AppMetrica SDK are in the hundreds of millions, according to Appfigures, an app intelligence group.
We already know from attempts to circumvent Apple’s App Tracking Transparency privacy requirements that a vast range of innocuous-sounding data can be combined into digital fingerprints which can be tied to individual devices. The same approach used by websites can be used by app APIs.
Author: Ben Lovejoy
Source: 9TO5Google