The largest Russian web company Yandex has implemented a code in applications for mobile devices that allows you to send data about tens of millions of users to servers located in the Russian Federation.
Yandex has an SDK called AppMetrica. SDK blocks used by developers to create applications. Many SDKs are provided “free of charge” to access user information that contributes to advertising campaigns. Among the many applications that AppMetrica is built into are video games, messaging apps, location tools, and virtual private networks (VPNs).
The situation concerns this application, which allows developers to create software for devices running Apple’s iOS and Google’s Android. The problem was discovered by cybersecurity researcher Zach Edwards during a marketing campaign to audit applications for the non-profit organization Me2B Alliance.
“The AppMetrica SDK offers acceptable conditions for companies, but at the same time transmits metadata to Moscow, which can be used to track people on websites and in applications,” Edwards commented on the situation.
Representatives of the tech giant acknowledged that the software collects data about “devices, communities and IP addresses” that are stored “both in Finland and in Russia,” but called this information “non-personalized and really limited.”
According to former Apple engineer Cher Scarlett, as soon as consumer data is collected on Russian servers, Yandex may well be required to provide them to the federal government in accordance with local legal norms. Such metadata can presumably be used to identify users.
Representatives of the tech giant reported that the company collects information only “after the application receives the user’s consent” through Android and iOS applications. As the chief specialist at Disconnect, Patrick Jackson, noted, SDKs can be dangerous precisely because they do not request permissions. Instead, they “use the permissions that the consumer has granted to the application.
Some app developers started deleting AppMetrica after the start of the military conflict on the territory of Ukraine.