Official US Army app had Russian code, may have harvested user data

The US military has confirmed that an officially approved app was created using code from a tech company with Russian roots that provides popular tools for developers to send personalized notifications to their users.

At least 1,000 people have downloaded the app, which has provided updates to troops at the National Training Center in Fort Irwin, California, a critical staging point for deploying units to test their prowess on the battlefield before going abroad. The app went out of use in 2019 due to a routine personnel change and likely wouldn’t have been approved today due to stricter IT protocols in recent years, an Army official says and a service spokesperson. The confirmation comes after a Reuters survey highlighted the situation.

Some of the app’s code came from a company known as Pushwoosh, which reportedly went to great lengths to present itself as a US-based entity, according to Reuters. These efforts included fake LinkedIn profiles, fake addresses and more. The company’s founder, Max Konev, told the news agency he was “proud to be Russian” in a statement released in September.

The United States views Russia as a top national security threat, alongside China. Officials in Washington have repeatedly warned of Moscow’s hacks and its ability to carry out influence campaigns abroad, and cybersecurity experts told Reuters that Russian intelligence services may be able to to force companies like Pushwoosh to hand over their data, regardless of where it is stored.

According to legal experts interviewed by Reuters, the company was able to circumvent industry regulations and government procurement rules prohibiting doing business with Russian companies. These restrictions have tightened since Russia’s renewed invasion of Ukraine that began in February, and a growing number of companies have also been subject to official sanctions.

Pushwoosh is one of many software development companies that offers third-party coding solutions to other developers who are looking for out-of-the-box functionality to incorporate into their projects. According to Company WebsitePushwoosh personalizes its targeted notifications by collecting and storing a wealth of user data on its servers in Germany.

The Russian entity gathers location data, device data and other potentially identifying information collected from apps that use its notification code and aggregates it on its servers. A business blog post reveals that it retains this data “forever,” regardless of how long a user opened the app, unless a user turns off notifications or deletes the app.

The National Training Center application, published by the service TRADOC Mobile Application Portal and listed in the Apple and Google app stores, “was developed in 2016” using “a free version of Pushwoosh,” Army spokesman Bryce Dubee confirmed in a statement emailed to Army Times and C4ISRNET.

It’s unclear what user data was collected from the NTC app and stored by Pushwoosh, and it’s unclear whether Russian intelligence has obtained it or can access it. But even seemingly innocuous apps can fuel targeting efforts: VICE Motherboard Survey 2020 revealed that the United States Special Operations Command purchased anonymized location data for several popular apps in the Muslim world, presumably to unmask and target individuals associated with terrorist groups.

Russia has always denied the accusations of cyber aggression and espionage. Pushwoosh founder Konev told Reuters that his company “has no connection whatsoever with the Russian government”.

Why did an army app use the Pushwoosh code?

A person assigned to NTC, a major training center in Fort Irwin, Calif., created the application and submitted it for approval and release by the military, according to Dubee. It was then approved.

According to the app’s description in the Apple Store, which was archived by App Aware API Extractor, the NTC app claimed to provide “the latest Fort Irwin news, information and social media updates” to users. It also included “quick click buttons to call postal facilities, a community calendar and map of popular establishments and much more”.

It’s unclear if the map feature required users to choose to share their location with the app – and potentially with Pushwoosh. Anyway, the app has been used quite extensively. an archived listing for the app on Google Play store scraper APK Combo said more than 1,000 Android users have downloaded it. Army Times and C4ISRNET could not confirm how many Apple devices installed the app before it was removed from the App Store.

The NTC app ceased to be used in 2019, an army official said, after personnel changes. But the potential risks went undetected for years after the NTC app was abandoned, the official added, until a “routine scan” of Army apps in March “determined that the NTC app was non-compliant, not in use and could not be updated.”

Today, the app would not be approved at all “because regulations and guidelines have become stricter since 2016 [when it was developed]’, and the military ‘decided to take the app completely offline while conducting a routine review of authorized apps,’ Dubee confirmed.

“Regulations do not allow the use of freeware when paid software is available, and therefore the PM Army Mobile team would have immediately disallowed/deprecated the use of freeware,” Dubee explained.

The spokesperson did not respond to questions from Army Times and C4ISRNET asking for more information about what data the app collected and whether the service was aware of the company’s origins when it shut down the company. NTC application in March.

Davis Winkie is a senior reporter covering the military, specializing in accountability reports, personnel issues, and military justice. He joined Military Times in 2020. Davis studied history at Vanderbilt University and UNC-Chapel Hill, writing a master’s thesis on the influence of the Cold War-era Department of Defense. on Hollywood films of World War II.

Colin Demarest is a reporter at C4ISRNET, where he covers military networking, cyber and IT. Colin previously covered the Department of Energy and its National Nuclear Security Administration — namely the Cold War cleanup and the development of nuclear weapons — for a South Carolina daily. Colin is also an award-winning photographer.

Margie D. Carlisle