WASHINGTON — An application approved by the U.S. Army that contained code from a Russian company harvested no information from the more than 1,000 people that downloaded it, according to the service, which has since discontinued its use.
Army spokesperson Bryce Dubee told C4ISRNET and Army Times there were “no indications” of a data breach tied to the National Training Center app, which was developed in 2016 by former training center personnel to provide installation news and information, such as phone numbers.
Some of the app’s code was freely furnished by Pushwoosh, a company that went to extreme lengths to hide its Russian roots, according to a Reuters investigation.
Dubee on Nov. 22 said the “push notification capability provided by Pushwoosh could not access devices on which the app was installed.” He told Reuters the app did not connect to the Army network and the service suffered no “operational loss of data.”
An Army spokesperson speaking on background to discuss security assessments said the app’s push notifications feature — which included the Russian-supplied code — was never activated.
Pushwoosh is one of many software development companies that offer third-party coding to those seeking off-the-shelf functionality for their projects. The National Training Center, at Fort Irwin in California, did not know Pushwoosh assets were embedded in the app, according to Dubee, and was unaware of the company and its Russian ownership more broadly.
Officials in Washington have looked askance at Moscow’s activities in the digital domain, where hackers are used to project military force, meddle in foreign affairs and steal sensitive data.
U.S. agencies in February warned that Russian state-sponsored hackers targeted defense contractors for years, absconding with information that provides “significant insight” into weapons development, communications infrastructure and information technology. The U.K. National Cyber Security Centre a month later advised organizations to reconsider the risks of Russian products in their networks or supply chain.
Russia has historically denied accusations of cyber malfeasance.
Pushwoosh founder Max Konev told Reuters his company “has no connection with the Russian government of any kind.” Cybersecurity experts told the news outlet that Russia’s intelligence services may be able to compel companies to turn over their data, no matter where they are stored.
What’s next for Army apps?
The National Training Center app — once available on Apple and Google stores, patronized by millions and millions of users — fell out of use in 2019 due to personnel change and other routine factors. The Army fully axed the app earlier this year, after analysis determined it was not in compliance, not in use and not updatable.
The app would not have been approved today because of more-stringent cybersecurity practices and regulations dictating the use of paid software versus free software, according to Dubee. He did not say if or when the Army notified other entities about the Pushwoosh issue.
To safely develop apps, the Army established what is known as CReATE, a cloud-based platform. Dubee said the accredited system “enables commands across the Army to build secure mobile apps,” and that the development process follows “rigorous testing and continuous cybersecurity monitoring.”
The Army Software Factory, a Texas-based program designed to produce uniformed coders for the service, used CReATE to build more than a dozen apps. Since the factory’s launch in 2020, its soldiers have helped automate things from air assault mission planning to individual deployment applications for Guard and Reserve troops.
Colin Demarest is a reporter at C4ISRNET, where he covers military networks, cyber and IT. Colin previously covered the Department of Energy and its National Nuclear Security Administration — namely Cold War cleanup and nuclear weapons development — for a daily newspaper in South Carolina. Colin is also an award-winning photographer.
Davis Winkie covers the Army for Military Times. He studied history at Vanderbilt and UNC-Chapel Hill, and served five years in the Army Guard. His investigations earned the Society of Professional Journalists' 2023 Sunshine Award and consecutive Military Reporters and Editors honors, among others. Davis was also a 2022 Livingston Awards finalist.