The Dangers of Third-Party SDKs: How Yandex's AppMetrica is Sharing User Data with Russia

AppMetrica is the equivalent of Google Analytics for iOS or Android mobile applications. This tool allows mobile app publishers to:

• know the number of users by country,
• find out how users discover the app,
• discover how they install it.

The Russian giant offers this service for free. Among the applications on the Google Play Store that use tracking tools, 33% use AppMetrica (source: AppFigures).

Tracking tools provide more information about the visitors to a website or mobile application. The goal is to analyze their behavior. For example: on which page or feature do they leave the platform? Are there regular users? By identifying these behaviors, marketing teams can rework the application or website - often to keep users on the service for as long as possible.

The simple and quick integration of AppMetrica is done through an SDK. However, very often, few companies or developers read the code behind.

The user analysis service offered by AppMetrica poses several problems:

• many user data is collected,
• a large number of Android permissions are requested from users (making potentially sensitive information accessible: IP addresses, GPS positions...)
• the data is stored on Russian and Finnish servers,
• the current, very sensitive context of the war in Ukraine.

An interesting example: the Call Ukraine application, a free messaging service launched on March 10, integrates AppMetrica. However, the Russian government reserves the right to access sensitive information about worldwide users of Yandex tools. And according to a security researcher, the SDK allows to retrieve the GPS location of a person using an application containing AppMetrica.

Between cybersecurity and cyberattacks, it is important to carefully analyze third-party tools before incorporating them into applications. Users of mobile applications also need to be aware of the data that is being collected about them and the risks involved.

Our colleagues at Numerama have detailed a list of 100 popular applications in France using AppMetrica.

Unfortunately, there are other little-known but widely used third-party services that transmit data to the four corners of the world.

According to a study from Oxford University from October 2018, nearly a third of applications on the Google Play Store are connected to 10 SDKs, and 1 out of 5 share personal data (source: Digital trends).

88% of the applications analyzed in the study have SDKs that transmit information to Google and 43% to Facebook.

In a conference in San Francisco in 2018, Roman Unuchek, a security researcher at Kaspersky Labs, said that 4 million applications transmit sensitive data to third parties without encryption. For example:

• information about the smartphone (Samsung S10...)
• GPS coordinates
• information about the user

Here we can see that the MoPub SDK (mobile advertising display) clearly transmits that:

• the user has a Samsung GT - I9300 (S3) with a resolution of 320 x 480 pixels
• mcc (mobile country code): 624 corresponds to Cameroon (source: MCC-MCC)
• bundle corresponds to the name of the application, so MoPub also knows the name of the application in service
• the user is a 27-year-old man
• the last point corresponds to his GPS location

SDKs can therefore transmit sensitive information to third-party countries without securing it. Users are unaware of this. This constant data collection also affects the performance of smartphones (battery + slowdown).

Until recently, Yandex had never been highlighted on these issues: it was American companies that were pointed out. The war between Russia and Ukraine therefore highlights new players, with services as popular as their American counterparts... and also as opaque.

[Cover Photo: Izzy Gibson]