Mobile Apps send user data to Russian Servers

Tens of thousands, if not millions, of apps were sending user data to Russia, where the government and its agencies could potentially have access. This serious claim was made in a recent Financial Times article. Worse still, platform operators such as Apple and Google simply watched and took no action. This is all true, and it shows a structural problem in app development that has been known for years.

Yandex

Zach Edwards, a researcher at the non-profit Me2B Alliance, found that approximately 52,000 apps with hundreds of millions of users worldwide contain software from the IT giant Yandex. This includes messengers and many VPN apps. Some of these apps are aimed specifically at Ukrainian users. The code allows the Russian counterpart of Google to obtain all kinds of personal data from users.

As expected, politicians reacted quickly: Ron Wyden, a Democratic US senator, immediately called on Apple and Google to stop this activity. One cannot simply stand by while US security, and the privacy of many smartphone users worldwide, is put at risk.

Software Development Kits

Getting rid of the potentially spying software is a difficult task. Like many others, the software in question is deeply embedded in apps as a Software Development Kit (SDK). SDKs give app developers the ability to integrate certain functions into their apps without having to build them from scratch.

This particular piece of software, AppMetrica, is used to gather usage data for advertising and analytics purposes. This is not uncommon; Google offers similar tools for use in apps.

Privacy Issues

Yandex strongly denies the accusation. According to Yandex, user data is shared only in specific cases and only after an internal review. Furthermore, Yandex says, AppMetrica collects only "harmless user data" such as the IP address, network details and device information.

However, experts strongly disagree. For years, security researchers have warned that such data can be used to tie a precise identity to a person. That is precisely the intent: after all, these tools are used to check whether a visitor to a website went on to purchase a product.

Apple and Google

At the time of writing, Apple sees no reason to take action. According to Apple, users consented to the collection of their data. Yandex emphasizes this point, noting that AppMetrica's Terms of Use require app developers to inform users about data collection.

Google's answer is somewhat more nuanced. It admits that transparency is an area where improvements remain to be made, and suggested that users should be made aware of which SDKs are used by which apps. Based on these findings, an internal investigation was launched.

Background

In recent years, the often careless use of such development kits has been repeatedly criticized. Many users don't realize that when they grant permissions to an app, the SDKs bundled inside it inherit those permissions, because they run in the same process. For example, if you share your location with an app, you may also be giving it to the SDK developers. Many companies specialize in location data and collect it through supposedly harmless apps, then sell it to companies and authorities for a profit.
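To make the permission-inheritance problem concrete, here is a small audit script, added for this article and not taken from any SDK vendor: it reads an Android manifest, detects bundled third-party SDKs by class-name prefix, and reports which sensitive permissions each SDK inherits from the app. The SDK package prefixes are assumptions to be verified against your own dependency tree, and the manifest and class list are constructed sample input.

```python
"""Audit which bundled SDKs inherit an app's sensitive Android permissions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions an in-process SDK can exercise silently once the app holds them.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_PHONE_STATE": "device identifiers",
    "android.permission.READ_CONTACTS": "contacts",
}

# Class-name prefixes of analytics/ad SDKs (assumed; verify against what you ship).
SDK_PREFIXES = {
    "com.yandex.metrica.": "AppMetrica (Yandex)",
    "com.example.adsdk.": "ExampleAds (hypothetical)",
}

def manifest_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def detect_sdks(class_names) -> set:
    """Map class names (e.g. from a decompiled APK) to known SDK names."""
    return {name for cls in class_names
            for prefix, name in SDK_PREFIXES.items() if cls.startswith(prefix)}

def audit(manifest_xml: str, class_names) -> dict:
    """For every detected SDK, list the sensitive data it inherits access to."""
    inherited = sorted(SENSITIVE[p] for p in manifest_permissions(manifest_xml)
                       if p in SENSITIVE)
    return {sdk: inherited for sdk in sorted(detect_sdks(class_names))}

# Constructed sample input: an app that requests precise location and bundles AppMetrica.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
CLASSES = ["com.example.app.MainActivity", "com.yandex.metrica.YandexMetrica",
           "okhttp3.OkHttpClient"]

if __name__ == "__main__":
    for sdk, data in audit(MANIFEST, CLASSES).items():
        print(f"{sdk} inherits access to: {', '.join(data) or 'nothing sensitive'}")
```

Run it against the class list of a real build (for example from a dependency report or a decompiled APK) to see which vendors would receive the data the user only meant to share with the app.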

In recent years, both Apple and Google have banned SDKs from many of these companies. Google is gradually restricting the use of such development kits, starting with Android 13.

However, in the present case it is evident that researchers aren't the only ones with doubts about Yandex's statements. Opera, the browser maker, has removed the SDK from its software and switched to its own advertising platform. Gismart says that AppMetrica has been removed from many of its games.

The takeaway

Using third-party analytics SDKs that obviously violate the GDPR is a no-go. If in doubt, don't use them. Take the time to look for alternatives. The best solution is to host your own analytics server and use open-source SDKs. This ensures that you stay in control of your customer data and that it won't end up on third-party servers.

Photo by Vitaly Vlasov from Pexels

Sources:

  1. DerStandard
  2. ArsTechnica