A potentially sensitive US Army iOS app is among thousands of iOS and Android apps to include user-profiling code from a Russian company that pretended to be an American one – raising both privacy and security concerns.
The Centers for Disease Control and Prevention (CDC) also used the code in seven of its apps. Both organizations have now removed the code, but it remains present in thousands of other apps …
It’s common for developers to include in their apps some code written by third parties. This can simplify the process of carrying out common tasks, like sending a push notification, and can enable an app to use third-party servers for data storage and processing.
The risk of doing this is that a developer may not know exactly what the code does. For example, as well as performing its stated function, third-party code might also collect data for its own purposes. There have been numerous instances of location data being secretly collected and sold to data brokers, for example.
US Army iOS app used Russian code
Thousands of smartphone applications in Apple and Google’s online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is actually Russian, Reuters has found.
The Centers for Disease Control and Prevention (CDC), the United States’ main agency for fighting major health threats, said it had been deceived into believing Pushwoosh was based in the U.S. capital. After learning about its Russian roots from Reuters, it removed Pushwoosh software from seven public-facing apps, citing security concerns.
The U.S. Army said it had removed an app containing Pushwoosh code in March because of the same concerns.
The US Army iOS app was used at a major combat training base.
The Army told Reuters it removed an app containing Pushwoosh in March, citing “security issues.” It did not say how widely the app, which was an information portal for use at its National Training Center (NTC) in California, had been used by troops.
The NTC is a major battle training center in the Mojave Desert for pre-deployment soldiers, meaning a data breach there could reveal upcoming overseas troop movements.
In total, the code has been embedded into almost 8,000 apps, and the company says it has data on 2.3B devices.
The piece stresses that there is no evidence of any malicious or deceptive intent in the Pushwoosh code, but it was concerning that it went to some lengths to pretend to be US-owned.
Pushwoosh is headquartered in the Siberian town of Novosibirsk […] On social media and in U.S. regulatory filings, however, it presents itself as a U.S. company, based at various times in California, Maryland and Washington, D.C., Reuters found.
The company also created fake LinkedIn profiles for two fictitious execs, supposedly based in Washington, DC.
The smart money seems to be on the company trying to evade possible sanctions against Russian companies, rather than do anything more nefarious, but that would still put it in breach of the law – and make its data trivially accessible by the Russian government.
FTC: We use income earning auto affiliate links. More.