Government Apps Used 'Russian' Code

Two US government apps have been revealed as using code from a Russian company that falsely claims to be based in the US. It's also claimed one of that company's developers has a history with malware.

The initial revelation came from Reuters which highlighted "thousands" of smartphone apps included code from a company called Pushwoosh. The apps included one for the Centers for Disease Control and Prevention and another used by the US Army. Both have now removed the code. (Source: reuters.com)

The Pushwoosh code lets apps put together profiles of users and send notifications without the need for the app developers to have their own dedicated server.

Business Address Doesn't Exist

Reuters noted that although Pushwoosh gives the impression of being based in the US, its actual headquarters are in Novosibirsk. Pushwoosh denied that report saying "Pushwoosh Inc. is a privately held C-Corp company incorporated under the state laws of Delaware, USA. Pushwoosh Inc. was never owned by any company registered in the Russian Federation."

However, it refused to provide further evidence of its business structure. At least one listed address for the company and two "employees" with accounts on LinkedIn turned out to be fictional.

That could cause two types of legal problem. First, Pushwoosh may have broken US laws if it has indeed provided false information in regulatory filings. Second, being based in Russia may make it subject to US government sanctions that would limit how US companies can use its services.

Security Concerns

It's important to note there's no direct accusation of any misuse of data in the apps. However, some analysts are concerned about the possibility of personal information being directed to Russia, particularly given the sheer number of apps using it. There's also a risk that even if Pushwoosh is acting entirely legitimately, the Russian government could force it to hand over data.

Security expert Brian Krebs says the code used by Pushwoosh reveals a man called Yuri Shmakov listed as a developer. Krebs notes Shmakov previously admitted to writing Android malware dubbed Pincer Trojan, designed to intercept and forward text messages without detection. (Source: krebsonsecurity.com)

What's Your Opinion?

Should US companies do more to check the origins of third-party code? Should government agencies automatically distrust Russian software or take each developer on its merits? Is it practical or desirable for government software to be developed entirely in-house with no third-party content?