US Army iOS app among thousands that unknowingly used Russian code

From 9to5mac.com


A potentially sensitive US Army iOS app is among thousands of iOS and Android apps to include user-profiling code from a Russian company that pretended to be an American one – raising both privacy and security concerns.

The Centers for Disease Control and Prevention (CDC) also used the code in seven of its apps. Both organizations have now removed the code, but it remains present in thousands of other apps …

Background

It’s common for developers to include in their apps some code written by third parties. This can simplify the process of carrying out common tasks, like sending a push notification, and can enable an app to use third-party servers for data storage and processing.

The risk of doing this is that a developer may not know exactly what the code does. As well as performing its stated function, third-party code might also collect data for its own purposes. There have been numerous instances of location data being secretly collected and sold to data brokers, for example.

US Army iOS app used Russian code

Reuters reports.

Thousands of smartphone applications in Apple and Google’s online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is actually Russian, Reuters has found.

The Centers for Disease Control and Prevention (CDC), the United States’ main agency for fighting major health threats, said it had been deceived into believing Pushwoosh was based in the U.S. capital. After learning about its Russian roots from Reuters, it removed Pushwoosh software from seven public-facing apps, citing security concerns.

The U.S. Army said it had removed an app containing Pushwoosh code in March because of the same concerns.

The US Army iOS app was used at a major combat training base.

The Army told Reuters it removed an app containing Pushwoosh in March, citing “security issues.” It did not say how widely the app, which was an information portal for use at its National Training Center (NTC) in California, had been used by troops.

The NTC is a major battle training center in the Mojave Desert for pre-deployment soldiers, meaning a data breach there could reveal upcoming overseas troop movements.

In total, the code has been embedded into almost 8,000 apps, and the company says it has data on 2.3B devices.

The piece stresses that there is no evidence of any malicious or deceptive intent in the Pushwoosh code, but says it is concerning that the company went to some lengths to pretend to be US-owned.

Pushwoosh is headquartered in the Siberian town of Novosibirsk […] On social media and in U.S. regulatory filings, however, it presents itself as a U.S. company, based at various times in California, Maryland and Washington, D.C., Reuters found.

The company also created fake LinkedIn profiles for two fictitious execs, supposedly based in Washington, DC.

The smart money seems to be on the company trying to evade possible sanctions against Russian companies, rather than do anything more nefarious, but that would still put it in breach of the law – and make its data trivially accessible by the Russian government.

Photo: Defense Visual Information Distribution Service/Public domain

