Russia’s invasion of Ukraine ignited a massive reaction from Western countries that included previously unseen sanctions on the invader. In addition to banking and trade limits that governments imposed, various companies paused their activities in Russia or left completely. Additionally, the West’s scrutiny of Russian tech increased. Kaspersky is one example. Yandex is another, as Russia’s Google competitor is collecting app data from millions of iPhone and Android users worldwide.
A new report indicates that thousands of apps with millions of customers include a Yandex SDK that can collect user data from iPhone and Android devices. The worry is that others can then use the data to track people. Yandex might also be required to share that information with the Russian government and its spy agencies.
What does Yandex do on iPhone and Android?
If you think you’re unaffected because you don’t use Yandex apps or services on your iPhone or Android, you’re wrong. You don’t have to install a Yandex app for the company to harvest your data. Instead, all you have to do is get one of the thousands of apps that make use of Yandex’s SDK, and some of that data might be leaving your device regularly without your knowledge.
The news comes from Financial Times (via 9to5Mac), which reports that researcher Zach Edwards first discovered the data collection practices. Edwards analyzed the Yandex code while participating in an app auditing campaign for Me2B Alliance. Then four independent experts ran tests for The Times.
Yandex confirmed that it collects device, network, and IP address information from iPhone and Android. This data is then stored on servers in Finland and Russia. The company said the metadata information is non-personalized and “very limited.” Furthermore, Yandex admitted that it’s theoretically possible to identify users based on the iPhone and Android data. But it said that “Yandex definitely cannot do this.”
The findings would be troubling in regular times, given that Yandex can always be forced to work with the Russian government. But it’s all happening against the Ukrainian war backdrop, so those worries are exacerbated.
Which Yandex apps collect data?
The report says that some 52,000 apps with hundreds of millions of users include the Yandex SDK. That’s the AppMetrica software that helps users build applications. Like other SDKs out there, the Yandex tools might be available for free to customers. In turn, the developers have to share data user data.
The Times notes that all sorts of apps use the Yandex code that can extract user data from iPhone and Android. Games, messaging apps, location tools, and even VPN services. Some seven VPN services created specifically for a Ukrainian audience are part of the list. This might pose significant security risks to some individuals.
The company told the site that its SDK operates similarly to Google’s Firebase. And that Yandex collects iPhone and Android data only after the app receives consent from the user. But the SDK doesn’t specifically ask for tracking consent from users. It’s up to the developer to do it, especially if laws impose it.
That might limit tracking on iPhone to some extent, as Apple requires developers to ask permission from users to track them online. Android doesn’t have similar protections. However, some companies have tried skirting Apple’s anti-tracking features.
Also, Yandex operates its services in a totalitarian country. This gives security experts reasons to worry about these data collection practices, which might be benign in other markets.
How to protect yourself
The Times also says that some developers have started removing the Yandex SDK from their apps. Such is the case with game developer Gismart or the Opera browser and VPN.
But more than 2,000 apps have added the AppMetrica SDK since the war started. That includes a free messenger app for Ukrainians named Called Ukraine. The app can see the user’s identity and read contacts. The developer lists a dummy email address based in Russia.
The only way to know whether your iPhone and Android apps contain Yandex data is to check with developers and see if their apps use the AppMetrica SDK.
Also, make sure you don’t install shady apps, even if they come from trusted sources. If you think you might be a target for foreign agents, you might want to be extra careful with what apps you install on your iPhone or Android.
More iPhone coverage: For more iPhone news, visit our iPhone 14 guide.