Russia’s biggest internet company has embedded code into apps found on mobile devices that allows information about millions of users to be sent to servers located in its home country.
The revelation relates to software created by Yandex that permits developers to create apps for devices running Apple’s iOS and Google’s Android, systems that run the vast majority of the world’s smartphones.
Yandex collects user data harvested from mobiles, before sending the information to servers in Russia. Researchers have raised concerns the same “metadata” may then be accessed by the Kremlin and used to track people through their mobiles.
Researcher Zach Edwards first made the discovery regarding Yandex’s code as part of an app auditing campaign for Me2B Alliance, a non-profit. Four independent experts ran tests for the Financial Times to verify his work.
Yandex has acknowledged its software collects “device, network and IP address” information that is stored “both in Finland and in Russia”, but it called this data “non-personalised and very limited”. It added: “Although theoretically possible, in practice it is extremely hard to identify users based solely on such information collected. Yandex definitely cannot do this.”
The revelations come at a critical time for Yandex, often referred to as “Russia’s Google”, which has long attempted to chart an independent path without falling foul of Russian president Vladimir Putin’s desire for greater control of the internet.
The company said it followed “a very strict” internal process when dealing with governments: “Any requests that fail to comply with all relevant procedural and legal requirements are turned down.”
But Cher Scarlett, formerly a principal software engineer in global security at Apple, said once user information was collected on Russian servers, Yandex could be obliged to submit it to the government under local laws. Other experts said that the metadata of the sort collected by Yandex could be used to identify users.
Ron Wyden, chair of the US Senate’s finance committee and one of the architects of US internet regulation, heavily criticised Google and Apple for not doing enough to secure smartphones from the Yandex software, which has found its way on to 52,000 apps reaching hundreds of millions of consumers.
“These apps leech private, sensitive data from apps on your phone, threatening US national security and the privacy of Americans and other individuals around the world,” he said.
Yandex is considered a global tech giant and is listed on the New York Stock Exchange and majority-owned by American funds. It is incorporated in Amsterdam and founder Arkady Volozh lives in Israel. In 2019, the company reached an agreement with the Russian government, codifying a structure that ensures that Moscow can intervene on some issues such as foreign acquisitions without control of day-to-day operations.
The invasion of Ukraine has shattered its international ambitions, hit its stock price and some western partners have cut ties. The company’s executive director Tigran Khudaverdyan quit last week after being targeted by EU sanctions designed to hit the assets of businesspeople seen as close to the Kremlin.
Yandex has software in the form of a software development kit, or SDK, called “AppMetrica”. SDKs are building blocks used by developers to create apps. The Google Maps SDK, for instance, allows apps to embed mapping functions rather than build that functionality from scratch. Many SDKs are offered for “free” in exchange for access to user data that aids targeted advertising.
Among the apps with AppMetrica installed are games, messaging apps, location-sharing tools and hundreds of virtual private networks — tools designed to allow people to browse the web without being tracked. Seven of the VPNs are made specifically for a Ukrainian audience. Total installs of apps that include the AppMetrica SDK are in the hundreds of millions, according to Appfigures, an app intelligence group.
“The AppMetrica SDK claims to provide appropriate services, all while phoning home to Moscow with deeply invasive metadata details that can be used to track people across websites and apps,” said Edwards, the researcher.
“For people with a high-threat profile or working in high-profile jobs, using apps that send this data to Moscow is dangerous and can potentially lead to attacks on home networks or other forms of digital surveillance.”
Senator Wyden added: “Apple and Google maintain that their monopoly-like control over their app stores is necessary to keep consumers safe. Every day that apps built off the Russian Yandex SDK remain in those stores is further proof that the consumer safety they claim to offer is an illusion.”
Yandex defended the use of its SDK, saying it “operates in the same way as international peers” including Google Firebase, found in more than 2mn Android apps. The company has said it collects data only “after the app receives users’ consent” via Android and iOS apps. “We inform developers regarding the functioning of AppMetrica and they are obliged, if required by law, to get consent from their users,” Yandex added.
Similarly, Apple said AppMetrica could not indiscriminately access user data, because the SDK requires consent.
Patrick Jackson, chief technology officer at Disconnect, a developer of digital privacy tool says the reason SDKs can pose a risk is precisely because they don’t ask for permission. Instead, they “piggyback on the permissions that you, the user, have given the app”, he said.
Google acknowledged it had more work to do providing users’ transparency on what SDKs are used to build apps and said it would conduct an investigation based on the findings presented by the FT.
Some app developers have started to remove AppMetrica from their apps following Russia’s invasion of Ukraine. “We made a decision to stop using Russian-owned services when the war started,” said a spokesman for Gismart, which makes dozens of games with AppMetrica installed.
Opera, a popular web browser with a built-in VPN, also said it disabled the SDK as of February 15, “in preparation for its full removal”. It did not give a reason beyond saying “we switched to our own advertising platform”.
Conversely, more than 2,000 apps have added the AppMetrica SDK since the invasion of Ukraine, including several that appear designed to track Ukrainian users.
“Call Ukraine,” for instance, is a “free messenger for Ukrainians” that launched in the Play Store on March 10 using the blue and yellow flag as its icon. Once downloaded, the app can see a user’s identity and read their contacts. The developer includes a dummy email address: “[email protected].”
Cher Scarlett said it was concerning that AppMetrica was installed in 21 VPN apps just in the past 30 days. “You’re trying to be proactive in being more safe,” she added, “but actually making yourself more vulnerable”.