{"id":20601,"date":"2022-11-14T10:30:10","date_gmt":"2022-11-14T18:30:10","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/11\/14\/news-14334\/"},"modified":"2022-11-14T10:30:10","modified_gmt":"2022-11-14T18:30:10","slug":"news-14334","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/11\/14\/news-14334\/","title":{"rendered":"Do you really know what\u2019s inside your iOS and Android apps?"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/idge\/imported\/imageapi\/2022\/07\/25\/13\/cio_cw_binary_at_symbol_with_keyhole_security_email_encryption_by_warchi_gettyimages-164301677_2400x1600-100811102-small-100930585-small.jpg\"\/><\/p>\n<p>It\u2019s time to audit your code, as it appears that some of the third-party no\/low-code components used in iOS or Android apps <a href=\"https:\/\/www.computerworld.com\/article\/3650651\/google-slowly-follows-apple-in-app-tracking-lockdown.html\">may not be as secure as you thought<\/a>. That\u2019s the big takeaway from a report explaining that disguised Russian software is being used in apps from the US Army, the CDC, the UK Labour party, and other entities.<\/p>\n<h2><strong>When Washington becomes Siberia<\/strong><\/h2>\n<p>What\u2019s at issue is that code developed by a company called Pushwoosh has been deployed within thousands of apps from thousands of entities. These include the Centers for Disease Control and Prevention (CDC), which says it was led to believe <a href=\"https:\/\/www.pushwoosh.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Pushwoosh<\/a> was based in Washington when the developer is, in fact, based in Siberia, <a href=\"https:\/\/www.reuters.com\/technology\/exclusive-russian-software-disguised-american-finds-its-way-into-us-army-cdc-2022-11-14\/?rpc=401&amp;\" rel=\"nofollow noopener\" target=\"_blank\">Reuters explains<\/a>. 
A visit to the <a href=\"https:\/\/twitter.com\/Pushwoosh\" rel=\"nofollow noopener\" target=\"_blank\">Pushwoosh Twitter feed<\/a> shows the company claiming to be based in Washington, DC.<\/p>\n<p>The company provides an SDK and back-end data processing that apps use to profile what their users do and to send them personalized notifications. CleverTap, Braze, OneSignal, and Firebase offer similar services. Now, to be fair, Reuters has no evidence the data collected by the company has been abused. But the fact that the firm is based in Russia is problematic: whatever data it holds is subject to Russian law, and that exposure is itself a security risk.<\/p>\n<p>That risk may never materialize, of course, but it\u2019s unlikely any developer handling data that could be viewed as sensitive will want to take it.<\/p>\n<p>While there are lots of reasons to be suspicious of Russia at this time, I\u2019m certain every nation has its own third-party component developers that may or may not put user security first. The challenge is finding out which do, and which don\u2019t.<\/p>\n<p>The reason code like Pushwoosh\u2019s gets used in applications is simple: it\u2019s about money and development time. Mobile application development can get expensive, so to cut costs some apps use off-the-shelf code from third parties for some tasks. Given that we\u2019re moving quite swiftly toward no-code\/low-code development environments, we\u2019re going to see more of this kind of building-block approach to app development.<\/p>\n<p>That\u2019s fine, as modular code can deliver huge benefits to apps, developers, and enterprises, but it does highlight a problem any enterprise using third-party code must examine.<\/p>\n<p>To what extent is the code secure? 
What data is gathered using the code, where does that information go, and what power does the end user (or the enterprise whose name is on the app) have to protect, delete, or manage that data?<\/p>\n<p>There are other challenges: Is the code updated regularly? Does it remain secure over time? How rigorously is it tested? Does it embed any undisclosed tracking code? What encryption is used, and where is the data stored?<\/p>\n<p>The problem is that if the answer to any of these questions is \u201cdon\u2019t know\u201d or \u201cnone,\u201d the data is at risk. This underlines the need for robust security assessments around the use of any modular component code.<\/p>\n<p>Data compliance teams must test this stuff rigorously \u2014 \u201cbare minimum\u201d tests aren\u2019t enough.<\/p>\n<p>I\u2019d also argue that an approach in which any data that is gathered is anonymized makes a lot of sense. That way, should any information leak, the chance of abuse is minimized. (The danger of personalization technologies that lack robust protection for data in transit and at rest is that the data, once collected, becomes a liability in itself.)<\/p>\n<p>Surely the implications of Cambridge Analytica illustrate why anonymization is a necessity in a connected age?<\/p>\n<p>Apple <a href=\"https:\/\/www.applemust.com\/apple-launches-security-portal-blog-and-more\/\" rel=\"nofollow noopener\" target=\"_blank\">certainly seems to understand this risk<\/a>.<\/p>\n<p>Pushwoosh is used in around 8,000 iOS and Android apps. 
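<\/p>\n<p>Those questions are easier to answer once you know which third-party SDKs are actually compiled into a build, which is the inventory a compliance team needs before it can ask any vendor where its data goes. The Python script below is an added example, not code from the article or from any vendor it names: it reads the dependencies declared in an iOS Podfile.lock and an Android Gradle lockfile, pulls the hostnames out of a <code>strings<\/code> dump of the built binary, and grades every component and host against a vendor policy, so that anything from a vendor nobody has reviewed is reported as unreviewed rather than silently shipped. The lockfile contents, the binary strings, the vendor policy, and the component coordinates and hostnames in them are constructed for illustration and are assumptions, not facts about any real app.<\/p>
```python
"""Inventory the third-party SDKs in a mobile app build and grade them against
a vendor policy. Added example; all inputs and the policy are constructed."""
import re
from dataclasses import dataclass

# Constructed inputs (coordinates and hostnames are illustrative assumptions):
# a trimmed Podfile.lock in the layout CocoaPods writes, a Gradle dependency
# lockfile, and a few lines of `strings` output from the built binary.
PODFILE_LOCK = """\
PODS:
  - Alamofire (5.6.4)
  - Firebase/Core (10.0.0):
    - FirebaseCore (= 10.0.0)
  - FirebaseCore (10.0.0)
  - Pushwoosh (6.3.5)

DEPENDENCIES:
  - Alamofire
  - Firebase/Core
  - Pushwoosh
"""
GRADLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
com.google.firebase:firebase-messaging:23.1.0=releaseRuntimeClasspath
com.pushwoosh:pushwoosh:6.6.0=releaseRuntimeClasspath
com.squareup.okhttp3:okhttp:4.10.0=releaseRuntimeClasspath
empty=
"""
BINARY_STRINGS = """\
https://cp.pushwoosh.com/json/1.3/registerDevice
https://firebaseinstallations.googleapis.com/v1/projects
https://api.example-internal.test/v2/events
"""

# Constructed policy: reviewed vendors, the component prefixes they ship under
# and the host suffixes their SDKs contact. A vendor that failed review stays
# listed with approved=False so "blocked" is distinct from "never reviewed".
VENDOR_POLICY = {
    "google-firebase": {"approved": True,
                        "components": ("Firebase", "com.google.firebase:"),
                        "hosts": ("googleapis.com",)},
    "alamofire": {"approved": True, "components": ("Alamofire",), "hosts": ()},
    "square": {"approved": True, "components": ("com.squareup.",), "hosts": ()},
    "pushwoosh": {"approved": False,
                  "components": ("Pushwoosh", "com.pushwoosh:"),
                  "hosts": ("pushwoosh.com",)},
}

# Top-level pods sit at two-space indent ("  - Name (1.2.3)" or
# "  - Name/Subspec (1.2.3):"); transitive deps are indented further.
_POD_LINE = re.compile(r"^  - (\S+) \(([^)]+)\):?\s*$", re.MULTILINE)
_URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

def parse_podfile_lock(text):
    """{pod: version} from the PODS section; subspecs collapse onto the root pod."""
    pods = {}
    for name, version in _POD_LINE.findall(text.split("DEPENDENCIES:", 1)[0]):
        pods[name.split("/", 1)[0]] = version
    return pods

def parse_gradle_lockfile(text):
    """{group:artifact: version}, skipping comments and the 'empty=' marker."""
    deps = {}
    for line in text.splitlines():
        parts = line.strip().split("=", 1)[0].split(":")
        if line.startswith("#") or len(parts) != 3:
            continue
        deps[f"{parts[0]}:{parts[1]}"] = parts[2]
    return deps

def extract_hosts(strings_output):
    """Hostnames of every http(s) URL embedded in the binary."""
    return set(_URL_HOST.findall(strings_output))

@dataclass
class Finding:
    item: str     # component coordinate or hostname
    vendor: str   # policy key, or "unknown"
    verdict: str  # "approved", "blocked" or "unreviewed"

def _grade(item, matches):
    """Attribute an item to the first vendor whose rules match, then grade it."""
    for vendor, rules in VENDOR_POLICY.items():
        if matches(item, rules):
            return Finding(item, vendor, "approved" if rules["approved"] else "blocked")
    return Finding(item, "unknown", "unreviewed")

def audit(podfile_lock, gradle_lockfile, binary_strings):
    """Every declared component and contacted host, each with a verdict."""
    def by_prefix(c, r): return any(c.startswith(p) for p in r["components"])
    def by_suffix(h, r): return any(h == s or h.endswith("." + s) for s in r["hosts"])
    comps = list(parse_podfile_lock(podfile_lock)) + list(parse_gradle_lockfile(gradle_lockfile))
    return ([_grade(c, by_prefix) for c in comps]
            + [_grade(h, by_suffix) for h in sorted(extract_hosts(binary_strings))])

def needs_action(findings):
    """What a release gate should stop on: blocked vendors and unreviewed items."""
    return [f for f in findings if f.verdict != "approved"]

if __name__ == "__main__":
    results = audit(PODFILE_LOCK, GRADLE_LOCKFILE, BINARY_STRINGS)
    for f in results:
        print(f"{f.verdict:10} {f.vendor:16} {f.item}")
    print(f"{len(needs_action(results))} item(s) need action before release")
```
<p>On a real project, feed it the actual Podfile.lock, the gradle.lockfile from the release configuration, and the output of <code>strings<\/code> over the built binary. The policy is deliberately an allowlist plus a denylist: an audit that only knows the vendors it approves cannot tell a vendor it rejected from one it has never seen, and the host check catches SDKs that reach a vendor's servers even when they were vendored in as source rather than declared as a dependency.<\/p>\n<p>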
It is important to note that the developer says the data it gathers is not stored in Russia, but this does not by itself prevent it from being accessed or exfiltrated, experts cited by Reuters explain.<\/p>\n<p>In a sense, it doesn\u2019t matter much, as security is based on pre-empting risk rather than <a href=\"https:\/\/www.csoonline.com\/article\/3679630\/medibank-hackers-revealed-to-be-in-russia.html\" rel=\"noopener\" target=\"_blank\">waiting for danger to happen<\/a>. Given how damaging a breach can be to an enterprise, it\u2019s better to be safe than sorry in security policy.<\/p>\n<p>That\u2019s why every enterprise whose dev teams rely on off-the-shelf code should ensure the third-party code complies with company security policy, because it\u2019s your code, with your company name on it, and any abuse of that data because of insufficient compliance testing will be your problem.<\/p>\n<p><em>Please follow me on <a href=\"https:\/\/twitter.com\/jonnyevans_cw\" rel=\"nofollow noopener\" target=\"_blank\">Twitter<\/a>, or join me in the <a href=\"https:\/\/mewe.com\/join\/appleholics_bar_and_grill\" rel=\"nofollow noopener\" target=\"_blank\">AppleHolic\u2019s bar &amp; grill<\/a> and <a href=\"https:\/\/mewe.com\/join\/apple_discussions\" rel=\"nofollow noopener\" target=\"_blank\">Apple Discussions<\/a> groups on MeWe. 
Also, now on <a href=\"https:\/\/social.vivaldi.net\/@jonnyevans\" rel=\"nofollow noopener\" target=\"_blank\">Mastodon<\/a>.<\/em><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3679694\/do-you-really-know-whats-inside-your-ios-and-android-apps.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10462,2211,10480,10554,714,24580,14247],"class_list":["post-20601","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-android","tag-apple","tag-ios","tag-mobile","tag-security","tag-small-and-medium-business","tag-software-development"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20601","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=20601"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20601\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=20601"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=20601"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=20601"}],
"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}