Russian search engine company and advertising firm Yandex may be harvesting data from millions of iOS users and sending it to Russia, a new report claims.
Yandex — said to be the Russian version of Google — maintains a search engine, advertising tools, and other services. Its services include the AppMetrica API, which many developers use as an easy way to obtain analytics data for their app.
According to a new report from The Financial Times, security researcher Zach Edwards has discovered that Yandex analytics code is embedded in 52,000 apps on Apple and Google software. From there, it's reportedly reached "hundreds of millions of consumers."
Yandex acknowledged that data collected through its API and other services gets sent to Russian servers. It noted that it had a "very strict" process for dealing with government requests for data, which includes turning out any requests that don't comply with "relevant procedural and legal requirements."
However, security experts warn that once data is stored in Russia, there's little Yandex can do to stop the Russian government from obtaining it.
Additionally, some of the data that the Yandex API collects includes metadata that can be used to identify users.
"For people with a high-threat profile or working in high-profile jobs, using apps that send this data to Moscow is dangerous and can potentially lead to attacks on home networks or other forms of digital surveillance," said Edwards, the security researcher who discovered the code's prevalence.
The apps that use the AppMetrica API include games, messaging services, location-sharing tools, and "hundreds" of virtual private network (VPN) apps. Seven of the VPNs that researchers identify explicitly target a Ukrainian audience. Total downloads of apps with the API reach the hundreds of millions.
Yandex defended its tool, likening it to similar development kits provided by Google and others. It also noted that it has "never given out any information on users of any apps with AppMetrica installed on them, nor have we ever been asked to."
Apple, for its part, says that the AppMetrica API can be stopped with its own App Tracking Transparency technology.