The Sunday Telegraph

Labour app had code written by company with links to Russia

Download to help party members navigate its conference contained software from Pushwoosh

By Gareth Corfield

AN OFFICIAL Labour Party app downloaded by thousands of members and MPs contained code written by a company with links to Russia.

Until recently, the Labour Conference app contained a software component made by Pushwoosh, a company whose code helps businesses manage mobile push alerts for apps.

Pushwoosh describes itself as a global company with a legal base in Delaware, US. However, Reuters alleged the company was based in Russia, citing locally filed documents. It claimed the company’s HQ was in Novosibirsk, Russia, which the company denies.

The US Centre for Disease Control removed Pushwoosh’s software from seven of its apps, after being approached by Reuters, citing security concerns. The US Army also removed Pushwoosh code from an app.

Zach Edwards, a cyber-security expert who examined Pushwoosh’s code within the Labour Conference app, told The Sunday Telegraph that the software represented a potential security risk to those who had installed it.

“You could create a tracking list of everyone who visited certain locations, then track their most visited location, which is usually their home, and then the second most visited is usually where they work,” Mr Edwards said. “With three location hits (Parliament, home, work) most serious analysts could identify exactly who they were tracking.”

There is no suggestion Pushwoosh extracted user data.

The Labour Conference app is used by members to navigate the party’s annual event. It has been downloaded more than 10,000 times to Android phones and tablets. It is thought to have been installed a similar number of times on Apple devices. Pushwoosh’s code is believed to have been removed from the Labour Conference app as part of an update in September. A Labour spokesman said: “We take our responsibilities for data protection very seriously and at all times act in accordance with our legal requirements.”

Max Konev, the Russian boss of Pushwoosh, said: “Pushwoosh guarantees none of the customers’ data has been transferred outside Germany and the USA to any country, including the Russian Federation. Furthermore, Pushwoosh has never been contacted by any government regarding customer data.”

He said in a blog post this week that Pushwoosh was “never owned by any company registered in the Russian Federation”. He added: “Pushwoosh used to outsource development parts of the product to the Russian company in Novosibirsk, mentioned in the article. However, in February 2022, Pushwoosh terminated the contract.”

Mr Konev describes his base as the Washington DC-Baltimore area on LinkedIn. He told Reuters: “I am proud to be Russian and I would never hide this.”

The issue of digital security in politics has grown in prominence in recent years, following accusations of foreign interference in both the 2016 US presidential elections and the Brexit referendum.

Earlier this year the Conservative Party’s leadership election had to be paused while GCHQ experts examined the party’s online voting system to ensure it was not vulnerable to hacking or interference.

Parliament deleted its official TikTok account in August after a backlash from Conservative MPs, including former leader Sir Iain Duncan Smith, over the social media video app’s Chinese ownership.

Jake Moore, of cyber-security company Eset, said: “Recently there was guidance that MPs should not install the app TikTok on their phones after findings that so much data is being captured, so it would be advisable to follow suit with an app such as this.”

TikTok has denied links to the Chinese state and insists customer data is properly protected.

‘With three location hits – Parliament, home, work – most serious analysts could ID who they were tracking’
