This week, Reuters reported that push notification company Pushwoosh is Russian in origin despite presenting itself as a US-based company. Pushwoosh code was present in apps used by the Centers for Disease Control (CDC) and the US Army.
Reuters determined that Pushwoosh is registered with the Russian government and pays taxes there, but this information is not included in US regulatory filings. Pushwoosh published a statement in response to the Reuters report denying that it is based in Russia.
“Pushwoosh Inc. is the sole proprietor of all IP rights assigned to Pushwoosh Service and a primary legal entity of the Pushwoosh brand. Pushwoosh Inc. is a privately held C-Corp company incorporated under the state laws of Delaware, USA. Pushwoosh Inc. was never owned by any company registered in the Russian Federation,” according to the statement.
The company did not respond to Reuters' request for evidence supporting its statement.
Importance of Origins
Why would a company obscure its origins? “This could be for any number of reasons such as trying to avoid sanctions imposed by the US government, trying to appear to be from the US in order to seem more trustworthy, trying to avoid any anti-Russian bias, and trying not to appear to be a Russian government entity,” Nigel Houghton, director of marketplace and ecosystem development at threat intelligence company ThreatQuotient, explains.
Regardless of the motivation, the question of Pushwoosh’s origins is a question of risk. “There is a certain amount of risk involved in using any application like this, but one that is actively trying to hide the fact that it is a Russian-owned and operated business should raise red flags,” Houghton contends.
With Pushwoosh code in thousands of apps, all different kinds of organizations are likely using it for customer engagement. The level of concern could depend on the user.
“This is likely more of a concern for government agencies and contractors than corporations. Governments tend to be more concerned with controlling information and protecting assets where corporations are focused on creating value and speed to market,” says Christopher Prewitt, CTO of cybersecurity risk management company Inversion6.
The CDC and US Army have opted to cease use of Pushwoosh code. Both agencies cited security concerns, according to the Reuters report. “If the CDC app was compromised in such a way to transmit false information, especially in these times, that could very likely have a significant negative impact,” Thomas Pace, CEO of XIoT cybersecurity firm, NetRise, points out.
Data Security Concern?
What level of risk does Pushwoosh code pose to other organizations using those apps?
Data security is the main concern. Though Reuters did not uncover any mishandling of user data, the company’s obscured origins do raise potential concerns.
“When Pushwoosh is used in a mobile application, for example, it potentially has access to all the data on the mobile device, which means it could send that data off the device; it could continuously report on the location of the mobile device, what calls and messages are made from the device, the content of those calls and messages etc.,” Houghton explains.
In its statement, Pushwoosh “guarantees that none of the customers’ data has ever been transferred outside Germany and the USA to any country, including the Russian Federation.”
Prewitt contends that any company or organization should review software composition and then decide whether the Pushwoosh risk is in scope. “If it is, it will be important to know what data, if any, has been accessed or potentially at risk. Be transparent with the results and find alternative methods to provide the functionality, or potentially neuter the application by removing Pushwoosh until a suitable replacement is found and integrated,” he suggests.
Not an Isolated Risk
Pushwoosh does not represent an isolated risk. “Many of the code authors also contributed to other projects. There is no chance this is an isolated incident, and not just from Russia,” says Pace.
Any time companies use open-source code or third-party applications, it comes with an element of risk.
“Knowing where the application, code, or service originates helps to secure the supply chain of a product and user data,” Houghton clarifies. “Not having accurate information about the origins of a vendor you rely on means you don’t have the whole picture, and worse still, the picture you do have is not correct. This means your attack surface model and any decisions you make regarding security are being made on inaccurate information.”
A company or organization’s decision regarding the use of Pushwoosh software all comes down to risk. “Likely this is a lot of noise without much value, however there are organizations that are very risk-averse. Every organization should understand the risks, if any, and act appropriately,” says Prewitt.