Thousands of smartphone apps contain code made by Russian developer that collects location and other data, report finds
Thousands of iPhone and Android apps in the official Apple and Google app stores contain code from a developer that apparently concealed the fact that it is based in Russia, according to a Reuters report.
The US military’s National Training Center (NTC) was one of the organisations that deployed the code from Russian firm Pushwoosh in an NTC information-portal app, although the code was removed earlier this year, the report said.
While there is no indication of intentional misuse of data by Pushwoosh, which makes push notification tools, the situation highlights the exposure of potentially sensitive data through smartphone apps.
Confiant, which tracks misuse of online advertising data, said Pushwoosh collects user data including precise geolocation.
Russia’s security laws mean the country’s government could compel Russian firms to hand over such data, potentially even if, as is the case with Pushwoosh, the data is apparently stored in servers outside of Russia.
Pushwoosh said it stores customer data in servers in the US and Germany.
Organisations including the Centres for Disease Control (CDC) told Reuters they had believed Pushwoosh was based in the US.
Pushwoosh founder Max Konev told Reuters he “would never hide” the fact that he is Russian.
But regulatory filings in the state of Delaware, where Pushwoosh is registered, list addresses in California or Maryland and do not mention any Russian connection.
Pushwoosh’s social media accounts list US locations.
But documentation filed in Russia indicates Pushwoosh is based in Novosibirsk, in Siberia, employing about 40 people.
Russia is considered a top player in foreign intelligence hacking.
The US Army’s National Training Center at Fort Irwin is an important pre-deployment training base for the US military.
The US Army said it had used Pushwoosh code in the base’s information portal app but had removed the app in March due to security concerns.
The CDC removed seven of its apps containing Pushwoosh code after learning of the firm’s Russian origins.
Pushwoosh lists major firms including Unilever, McDonald’s, Spar and Deloitte amongst its clients, although Unilever told Reuters it had no direct relationship with Pushwoosh.
The US’s National Rifle Association and the UK’s Labour Party also offer apps using Pushwoosh notification systems.
Google and Apple both said privacy was a priority for the companies.