A potentially sensitive iOS app for the US military was among thousands of iOS and Android apps to include user identification code from a Russian company posing as an American one, raising privacy and security concerns.
The Centers for Disease Control and Prevention (CDC) had also used the code in seven of its applications. The two organizations have now removed the code, but it remains in thousands of other apps…
It is common for developers to include in their apps some code written by third parties. This can simplify the process of performing common tasks, such as sending a push notification, and can enable the application to use third-party servers to store and process data.
The danger of doing this is that the developer may not know exactly what the code is doing. In addition to performing its specified function, third-party code may also collect data for its own purposes. For example, there have been many cases where location data has been secretly collected and sold to data brokers.
US Army iOS App Used Russian Code
Reuters has discovered that thousands of smartphone apps in Apple's and Google's online stores contain computer code developed by a technology company, Pushwoosh, which presents itself as being US-based, but is actually Russian.
The Centers for Disease Control and Prevention (CDC), the main US agency for combating major health threats, said it was misled into believing Pushwoosh was located in the US capital. After learning of its Russian roots from Reuters, it removed Pushwoosh from seven public apps, citing security concerns.
The US military said it removed an app containing Pushwoosh code in March due to the same concerns.
The US Army’s iOS app was used at a major combat training base.
The Army told Reuters it had removed an app containing Pushwoosh in March, citing “security issues”. It did not say how widely troops used the app, which was an information portal for use at the National Training Center (NTC) in California.
The NTC is a major combat training center in the Mojave Desert for pre-deployment soldiers, which means a data breach there could reveal upcoming overseas troop movements.
In total, the code has been included in nearly 8,000 apps, and the company says it has data on 2.3 billion devices.
The article asserts that there is no evidence of any malicious or deceptive intent in Pushwoosh’s code, but what is troubling is that the company went to great lengths to pretend to be US-owned.
Pushwoosh is headquartered in the Siberian city of Novosibirsk […] Reuters found that the company presents itself on social media and in US regulatory filings as a US company, with headquarters at various times in California, Maryland and Washington, DC.
The company has also created fake LinkedIn profiles for fictitious executives, purportedly based in Washington, DC.
The smart money appears to be on the company trying to evade potential sanctions against Russian companies, rather than doing anything more nefarious, but that would put it in violation of the law, and would make its data trivially accessible to the Russian government.
Image: Defense Visual Information Distribution Service/Public Domain