Return to list of client alerts
Supply chain attacks are becoming a major problem for everyone. Case in point.
U.S. government agencies such at the Army and CDC have recently removed apps from the app store after discovering that one of their suppliers was a U.S. front company for Russia.
In this world’s unending quest for data, app developers include code in their software to track what their users are doing. Potentially unsavory but very common.
But what happens if the company who wrote the code is a Russian company fronted by a U.S. façade? And, what if all of that data is going to Russia?
The company is Pushwoosh. In addition to the Army, Unilever, the National Rifle Association and Britain’s Labour Party all use the code. Along with many, many others.
The Army was using a free version of the Army’s National Training Center. They now claim they were not even aware the Pushwoosh software was in the app. They also claim that they did not know that the U.S. company was a hollow front for the Russian firm.
Here is the important part.
Their code is available in apps on both Apple’s and Google’s store and they claim it is running on 2.3 billion devices. With all of the data, of course, owned by Russia. Their website does not list an address, but the company is headquartered in Novosibirsk, in Siberia. However, its Twitter profile says it is based in Washington, DC and press releases claim it to be based in Maryland.
While both the CDC and Army have removed their apps, but that only represents a tiny slice of the 2.3 billion apps.
Since most companies do not have software bills of material, it is likely that most companies do not know if any of their apps use the Russian software.
Do you know? How do you know?
Credit: The Register