A Russian technology company is sending to Russia data collected from iOS users who have never used any of its own apps, according to a security researcher.
In a report by the Financial Times, researcher Zach Edwards explains how third-party apps can use a developer tool created by the company Yandex to harvest iOS users’ data. Yandex is the largest technology company in Russia and operates the country’s second-largest search engine.
Yandex's AppMetrica is a software development kit (SDK) that offers developers a convenient way to obtain analytics data for their app quickly and cheaply. However, developers who embed the SDK also give Yandex access to their users' data.
According to AppFigures, AppMetrica is embedded in 52,000 apps, including messaging apps, location-sharing tools and virtual private network (VPN) apps.
While carrying out an app auditing campaign for the non-profit Me2B Alliance, Edwards found that Yandex's code, once embedded in an app, collects user data and sends it to servers based in Russia.
“The Appmetrica SDK claims to provide appropriate services, all while phoning home to Moscow with deeply invasive metadata details that can be used to track people across websites and apps,” said Edwards.
Under Russian law, Yandex could be compelled to make the data it collects accessible to the Russian government.
On Twitter, Edwards described Yandex as “part of the Putin-Russian propaganda machine.”
The Financial Times said it verified Edwards’ claims via tests run by four independent tech experts.
Yandex stated that its software does collect device, network and IP address information and sends it to servers in both Russia and Finland, but the company said the data is stored in anonymized form, making it "extremely hard to identify users" within the collected information.
“Third-party data leakage is a common vulnerability when it comes to mobile apps,” Ray Kelly, fellow at California-based application security provider NTT Application Security told Infosecurity Magazine.
“Unfortunately, as the end user, you have no insight as to what data is being pulled from your device and sent to third-party websites or how the data is used.”
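The kind of check an app auditor runs to get that insight is to unpack an app bundle and list which third-party frameworks it embeds and which hostnames are baked into their binaries. The script below is an added example, not code from the article, from Yandex or from the researcher's audit; the framework names, hostnames and watchlist it uses are constructed for the demonstration and are not identifiers taken from the page.

```python
"""Audit an iOS .ipa for embedded frameworks and the hostnames in their binaries.

Added example (not from the article, Yandex or the researcher). All SDK names,
hostnames and the watchlist below are constructed for the demo.
"""
import io
import re
import zipfile

# A dotted DNS-looking name inside a Mach-O string table.
HOST_RE = re.compile(rb"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# Source-file and bundle suffixes that also look like "x.y" but are not hosts.
NOT_HOSTS = {"plist", "h", "m", "swift", "png", "json", "xml", "dylib",
             "framework", "storyboardc", "nib", "app", "bundle"}
# Embedded framework: Payload/<App>.app/Frameworks/<Name>.framework/<file>
FRAMEWORK_RE = re.compile(r"^Payload/[^/]+\.app/Frameworks/([^/]+)\.framework/([^/]+)$")
# Main executable: Payload/<App>.app/<App>
MAIN_RE = re.compile(r"^Payload/([^/]+)\.app/([^/]+)$")
# Substrings an auditor wants flagged; hypothetical vendor name, not a real SDK.
WATCHLIST = ("examplemetrica",)


def extract_hosts(blob: bytes) -> set[str]:
    """Return the lowercase hostnames found in a binary's raw bytes."""
    hosts = set()
    for m in HOST_RE.finditer(blob):
        name = m.group().decode("ascii").lower()
        if name.rsplit(".", 1)[-1] not in NOT_HOSTS:
            hosts.add(name)
    return hosts


def audit_ipa(ipa_bytes: bytes) -> dict[str, set[str]]:
    """Map each executable (main binary and each framework) to its hostnames."""
    findings: dict[str, set[str]] = {}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        for path in z.namelist():
            fw = FRAMEWORK_RE.match(path)
            if fw and fw.group(1) == fw.group(2):      # the framework's binary
                findings[fw.group(1)] = extract_hosts(z.read(path))
                continue
            main = MAIN_RE.match(path)
            if main and main.group(1) == main.group(2):  # the app's own binary
                findings[main.group(1)] = extract_hosts(z.read(path))
    return findings


def flag_watchlisted(findings: dict[str, set[str]]) -> list[str]:
    """Names of embedded executables whose name matches the watchlist."""
    return sorted(n for n in findings if any(w in n.lower() for w in WATCHLIST))


def build_sample_ipa() -> bytes:
    """Constructed sample .ipa: one first-party binary plus two embedded frameworks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", "<plist/>")
        z.writestr("Payload/Demo.app/Demo", b"\x00api.demo-app.example\x00")
        z.writestr("Payload/Demo.app/Frameworks/ExampleMetrica.framework/Info.plist", "<plist/>")
        z.writestr(
            "Payload/Demo.app/Frameworks/ExampleMetrica.framework/ExampleMetrica",
            b"\xcf\xfa\xed\xfe\x00https://report.examplemetrica.example/report\x00"
            b"startup.examplemetrica.example\x00",
        )
        z.writestr("Payload/Demo.app/Frameworks/Crashlog.framework/Crashlog",
                   b"\x00crash.vendor.example.com\x00")
    return buf.getvalue()


if __name__ == "__main__":
    results = audit_ipa(build_sample_ipa())
    for name, hosts in sorted(results.items()):
        print(f"{name}: {', '.join(sorted(hosts)) or '(no hostnames)'}")
    print("watchlisted:", flag_watchlisted(results))
```

Two caveats apply when running this against a real bundle. App Store binaries are FairPlay-encrypted, so the string table is only readable from a decrypted copy or a developer build; and a hostname list only shows where an SDK can talk to, not what it sends, so the finding should be confirmed with a traffic capture from a device running the app.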