CIO News Hubb

Yandex and Data Privacy Concerns

by admin
April 8, 2022
in Information Security


In this matter, the user’s trust is ultimately put into the app developers’ hands ⁠— the real question is who to trust.

Private data could be collected from thousands of Android and iOS apps via Yandex, the leading search engine in Russia, according to security researchers. The issue revolves around how this data might be available to Russian state agencies. In addition to being a search portal, Yandex also makes a software development kit (SDK) called AppMetrica, which does app usage analytics and marketing and is similar to Google’s Firebase. The SDK has been incorporated into more than 52,000 different apps, including games and messaging apps.

More unsettling is that this SDK was used to create 2,000 new apps which were recently added to app stores after the Russian invasion of Ukraine and is also being used in hundreds of VPNs, including 21 of them newly added post-invasion. These apps appear to be designed to track Ukrainian users’ movements. The researchers, whose claims have been independently verified, found that data from hundreds of millions of users is being collected and sent to servers in both Russia and Finland. 

Yandex acknowledged that its software does collect device, network, and IP address information, but said that these elements are collected only after getting a user’s consent and are aggregated, and that “our principles for data privacy and security are rigorous and we have never given out any user information nor have we ever been asked to do so.” The company welcomed an independent audit of its data collection processes. Its documentation states that app developers can choose to disable user tracking; however, this means that some developers may already have tracking turned on before consent is granted.

The article, which was originally published by the UK’s Financial Times, caught the attention of Google, who “acknowledged it had more work to do providing users transparency on what SDKs are used to build apps and said it would conduct an investigation.” Apple has touted its App Tracking Transparency guidelines for developers, but researchers have found numerous ways around these guidelines, such as using device or canvas fingerprinting. Since the Russian invasion, mobile game vendor Gismart and Opera’s VPN have both removed the AppMetrica SDK code from their apps as a precaution, even before the research on its potential for abuse came to light.

Users don’t have any simple way of determining whether the SDK is being used by their mobile apps without having access to various developer tools, though with the implementation of related legislative frameworks, laws, and policies, this information is gradually becoming more accessible to users. For instance, in the EU, many of these tracking features are governed by GDPR, which imposes a strict boundary on what data is tracked and how it can be processed. Anything that breaks compliance is potentially subject to heavy fines from the EU and may also be detected by various security vendors.
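As an illustration of the kind of developer-tool check mentioned above (an added example, not part of the original article), the following Python sketch looks for an analytics SDK's class names inside an APK's DEX files. The package prefixes are assumptions based on AppMetrica's publicly known Android namespaces, which the article does not name, and the sample APK is constructed in memory for the demonstration.

```python
import io
import re
import zipfile

# Assumption: AppMetrica's Android classes live under these Java packages
# (publicly known SDK namespaces; the article itself does not list them).
SDK_PREFIXES = {
    "AppMetrica": ("com/yandex/metrica/", "io/appmetrica/analytics/"),
}


def _pattern(pkgs):
    # DEX files store class names as type descriptors: Lpkg/path/Class;
    alt = b"|".join(re.escape(p.encode()) for p in pkgs)
    return re.compile(rb"L((?:" + alt + rb")[A-Za-z0-9_$/]+);")


def find_sdks(apk, prefixes=SDK_PREFIXES):
    """Return {sdk_name: sorted class names} found in an APK's DEX files.

    `apk` is a path or a binary file object. Matching is by class-name
    prefix, so a build that repackages or renames the SDK can be missed.
    """
    patterns = {sdk: _pattern(pkgs) for sdk, pkgs in prefixes.items()}
    hits = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if not re.fullmatch(r"classes\d*\.dex", name):
                continue  # only the app's compiled code (multi-dex aware)
            data = zf.read(name)
            for sdk, pat in patterns.items():
                found = {m.group(1).decode("ascii") for m in pat.finditer(data)}
                if found:
                    hits.setdefault(sdk, set()).update(found)
    return {sdk: sorted(found) for sdk, found in hits.items()}


def make_sample_apk(descriptors):
    """Constructed stand-in APK (the DEX body is not valid, demo only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        body = b"dex\n035\x00" + b"\x00".join(d.encode() for d in descriptors)
        zf.writestr("classes.dex", body + b"\x00")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = make_sample_apk(["Lcom/example/game/MainActivity;",
                              "Lcom/yandex/metrica/YandexMetrica;"])
    print(find_sdks(sample))
```

A hit means only that the SDK's classes are bundled in the app; it says nothing about what the app sends or whether tracking is enabled.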

The hard truth is that such tracking libraries are, in one form or another, very common in the majority of mobile apps. The user’s trust is ultimately put into the app developers’ hands in this matter, so the real question is who to trust.

Brush up on your mobile data privacy practices

Ondrej David, Malware Analyst and Android Developer at Avast, offers a handful of tips to keep in mind in order to maximize your data security.

“Stick to well-known brands that you’re familiar with and be sure to check their EULAs and Terms and Conditions. Especially pay attention to the privacy and data handling sections of these materials, as companies are usually obliged to inform the user how their data is processed and stored, and many clues can be derived from that. Commonly, the tracking SDKs being used are also listed in these documents.”

Furthermore, David advises that individuals make use of the privacy-related features that modern devices provide: disabling ad tracking in OS settings, enabling location access for an app only while using it (or when necessary), not automatically granting apps permissions just because they ask for them, and checking app settings for relevant privacy and advertising settings. This means paying careful attention to these permissions when you bring up an app after it is installed.

Whenever possible, stick to using official app markets, which have a higher degree of scrutiny and the proper policies in place compared to those of third-party app sharing sites. Uninstall any apps that you don’t use or haven’t used for a long time.

Finally, it’s important to consider whether the app in question delivers its claimed benefit and whether you really need it. If you’re in doubt, choose to avoid the app or look for a more suitable alternative.




