Russia’s invasion of Ukraine triggered a major response from Western countries, including sanctions against the aggressor that had never been seen before. In addition to banking and trade restrictions imposed by the government, a number of companies have delayed or abandoned their operations in Russia. Western scrutiny of Russian technology has also increased. An example is Kaspersky. Another is Yandex, which collects app data from millions of iPhone and Android users around the world.
What does Yandex do on iPhone and Android? If you think you are not affected because you are not using Yandex apps or services on your iPhone or Android, you are wrong. You do not need to install a Yandex app for the company to collect your data. Instead, all you have to do is get one of the thousands of apps that use Yandex’s SDK, and some of that data might leave your device regularly without your knowledge.
A new report says thousands of apps with millions of customers include a Yandex SDK that can collect user data from iPhone and Android devices. The concern is that others can then use the data to track people. Yandex may also be required to share this information with the Russian government and its spy agencies. Tuesday deals: Kitchen essentials, $150 AirPods 3, $130 off iPad Air, Bose sale, more
The news comes from the Financial Times (via 9to5Mac), which reports that researcher Zach Edwards uncovered the data collection practices for the first time. Edwards analyzed Yandex code while participating in an application audit campaign for Me2B Alliance. Then four independent experts conducted tests for the Times.
The results would be troubling in normal times, given that Yandex can still be forced to work with the Russian government. But it’s all happening against the backdrop of the Ukrainian war, so those worries are heightened. The report says some 52,000 apps with hundreds of millions of users include the Yandex SDK. It is the AppMetrica software that helps users to create applications. Like other SDKs, Yandex tools may be available to customers free of charge. In turn, developers must share data from data users.
Yandex has confirmed that it collects device, network, and IP address information from iPhone and Android. This data is then stored on servers in Finland and Russia. The company said the metadata information is not personalized and “very limited”. Moreover, Yandex admitted that it is theoretically possible to identify users based on iPhone and Android data. But he said “Yandex definitely can’t do that.”
The Times notes that all kinds of apps use Yandex code that can extract user data from iPhone and Android. Games, messaging apps, location tools and even VPN services. Some seven VPN services created specifically for Ukrainian audiences make the list. This could pose significant security risks for some people.
The company told the site that its SDK works the same way as Google’s Firebase. And that Yandex collects iPhone and Android data only after the app has received user consent. But the SDK does not specifically request tracking consent from users. It is up to the developer to do so, especially if the laws require it.
This could limit iPhone tracking to some extent, as Apple requires developers to ask users for permission to track them online. Android does not have similar protections. However, some companies have tried to circumvent Apple’s anti-tracking features. Moreover, Yandex operates its services in a totalitarian country. This gives security experts reason to be concerned about these data collection practices, which could be benign in other markets.
Summary of news:
- Yandex, a Russian search engine, uses data from thousands of iPhone and Android apps
- Check out all the news and articles from the latest security news updates.