An official Labour Party app downloaded by thousands of party members and MPs contained code written by a company with links to Russia.
Until recently, the Labour Conference app contained a software component made by Pushwoosh, a software company whose code helps companies manage mobile push alerts for apps.
Pushwoosh describes itself as a global company with its legal base in Delaware, US. However, Reuters alleged this week that the company was actually based in Russia, citing locally filed documents. It claimed the company’s headquarters were in Novosibirsk, Russia, which the company denies.
The US Centre for Disease Control removed Pushwoosh’s software from seven of its apps, after being approached by Reuters, citing security concerns. The US Army also removed Pushwoosh code from an app earlier this year.
Zach Edwards, a cyber security expert who examined Pushwoosh’s code within the Labour Conference app, told The Telegraph that the software represented a potential security risk to those who had installed it.
“You could create a tracking list of everyone who visited certain locations, then track their first most visited location, which is usually their home, and then the second most visited is usually where they work,” Mr Edwards said. “With three location hits (parliament, home, work), most serious analysts could identify exactly who they were tracking.”
There is no suggestion Pushwoosh extracted user data.
The Labour Conference app is used by members to navigate the party’s annual conference. It has been downloaded more than 10,000 times to Android phones and tablets. It is thought to have been installed a similar number of times on Apple devices.
Pushwoosh’s code is believed to have been removed from the Labour Conference app as part of an update in September.
A Labour spokesman said: “We take our responsibilities for data protection very seriously and at all times act in accordance with our legal requirements.”
Max Konev, the Russian boss of Pushwoosh, said: “Pushwoosh guarantees that none of the customers’ data has ever been transferred outside Germany and the USA to any country, including the Russian Federation. Furthermore, Pushwoosh has never been contacted by any government regarding customer data.”
He said in a blog post this week that Pushwoosh was “never owned by any company registered in the Russian Federation.”
“Pushwoosh Inc. used to outsource development parts of the product to the Russian company in Novosibirsk, mentioned in the article. However, in February 2022, Pushwoosh Inc. terminated the contract.”
Mr Konev describes his base as the Washington DC-Baltimore area on LinkedIn. He told Reuters: “I am proud to be Russian and I would never hide this.”
The issue of digital security in politics has grown in prominence in recent years, following accusations of foreign interference in both the 2016 US Presidential elections and the Brexit referendum.
Earlier this year the Conservative Party’s leadership election had to be paused while GCHQ experts examined the party’s online voting system to ensure it was not vulnerable to hacking or interference.
Parliament deleted its official TikTok account in August after a backlash from Conservative MPs, including former leader Iain Duncan Smith, over the social media video app’s Chinese ownership.
Jake Moore, global cybersecurity advisor at cyber security company Eset, said: “Recently there was guidance that MPs should not install the app TikTok on their phones after findings that so much data is being captured, so it would be advisable to follow suit with an app such as this.”
TikTok has denied links to the Chinese state and insists customer data is properly protected.
However, TikTok recently conceded that some user data could be accessed remotely from China.
Tony Adams, a senior threat researcher with GCHQ contractor Secureworks’ Counter Threat Unit, said risks created by apps create “an attractive surveillance opportunity for any intelligence agency.”
“For most individuals and organisations, the direct risk here is probably fairly small,” said Mr Adams. “However, organisations and individuals who might be of interest to the Russian state should consider following the advice given by the National Cyber Security Centre in March to reduce their reliance on Russian technology products or services.”
Founded in 2014, Pushwoosh is one of a large number of businesses offering ready-made software components and user profiling facilities to mobile app developers.
Mobile device user data is highly valued by the global advertising industry, which relies on information such as where users are located and what other files are on their phones for targeting online advertisements.
