The US Army iOS app is one of thousands of iOS and Android apps
The Centers for Disease Control and Prevention (CDC) has used the code in all seven of its applications. Both organizations have now removed the code, but it remains in thousands of other apps…
Background
It is common for developers to include code written by third parties in their applications. This simplifies common tasks such as sending a push notification, and may allow the application to use third-party servers for data storage and processing.
The danger of doing this is that the developer doesn’t know what the code is doing. In addition to performing its declared function, third-party code may also collect data for its own purposes. For example, there have been many instances where location data has been secretly collected and sold to data brokers.
The US military iOS app used Russian code
Reuters reports:
Thousands of smartphone apps on Apple and Google’s online stores contain computer code created by a technology company called Pushwoosh, which claims to be based in the US but is actually Russian, Reuters has found.
The Centers for Disease Control and Prevention (CDC), the lead U.S. agency for tackling major health threats, said it was misled into believing Pushwoosh was based in the U.S. capital. After learning of its Russian roots from Reuters, it removed the Pushwoosh software from seven public applications, citing security reasons.
The U.S. military said it removed an app containing the Pushwoosh code in March due to the same concerns.
The US Army iOS app was deployed at a major combat training base.
The military told Reuters it removed the app containing Pushwoosh in March, citing “security concerns.” It did not say to what extent the app, which was an information portal for use at its National Training Center (NTC) in California, was used by troops.
The NTC is a large combat training facility for soldiers in the Mojave Desert, meaning that a data breach could reveal upcoming troop movements overseas.
In total, the code is embedded in nearly 8,000 apps, and the company says it has data on 2.3 billion devices.
The article points out that there is no evidence of malicious or deceptive intent in the Pushwoosh code, but that the company went to great lengths to pretend to be based in the United States.
Pushwoosh is headquartered in the Siberian city of Novosibirsk […] On social media and in U.S. regulatory filings, however, it presents itself as a U.S. company, based at various times in California, Maryland and Washington, D.C., Reuters reported.
The company also created fake LinkedIn profiles for two fictitious executives allegedly based in Washington, DC.
The smart money seems to be on the company trying to avoid potential sanctions against Russian companies, rather than doing anything more sinister, but it would still break the law, and have its data trivially accessed by the Russian government.
Photo: Security Visual News Broadcasting Service/Public Domain