Patrick McGee

🚨Scoop in @FT 🚨

Millions of American and European smartphone users are unknowingly sending user, device and IP address information to servers in Russia.

From there, researchers worry it might be accessed by the Kremlin.

Wait whhaaaat???

*Tweet thread follows* https://t.co/XOD4NdfWue

Here's how this is happening: Yandex - aka Russia's Google - has embedded "free and unlimited" coding software into tens of thousands of apps, which collects user data and stores it in servers in Finland and Russia. Yandex confirms this, but says it's not used for surveillance.

The software coding is a 'software development kit,' or SDK. Think of SDKs as the building blocks of apps.

A majority of apps use Google SDKs, for instance, to avoid building mapping tools or advertising tech from scratch.

The Yandex SDK, AppMetrica, is in 52,000 apps, according to AppFigures.

Among them: kids’ games, messaging apps, location-sharing tools and hundreds of VPNs — tools ostensibly made for encrypted web browsing. 7 of the VPNs are made specifically for Ukraine🇺🇦.

“The Appmetrica SDK claims to provide appropriate services, all while phoning home to Moscow with deeply invasive metadata details that can be used to track people across websites and apps,” says @thezedwards, data supply researcher who discovered this.

SDKs can pose a threat because you, the user, might grant a dating app your location, and an SDK within the app piggybacks on that permission.
“And the scary part is no user would ever know,” says @tiki_mike, “because who’s ever going to check what SDKs are in what apps?”

Senator @RonWyden places blame on Google and Apple for not doing enough to protect consumers:

“These apps leech private, sensitive data from apps on your phone, threatening US national security and the privacy of Americans and other individuals around the world."

Yandex denies Appmetrica collects sensitive data or plays a role in surveillance. It concedes the SDK collects "information on the device, network and IP address," then stores data in Finland+Russia.

Researchers say that data can be used to ID people and track their movements.

Yandex also denies giving such data to the Kremlin. It acknowledges it may have to under local law, but says it has a strict internal process. Here is its record of refusal: https://t.co/UBKVsOK8oc

Tue Mar 29 05:19:19 +0000 2022