Mobile app developers often rely on third-party pre-built code to provide specific functionality. This code comes in the form of a software development kit, or SDK for short, and many apps come with multiple SDKs. Pushwoosh is a company that develops and sells such an SDK. The Pushwoosh SDK registers users and tracks their behavior, including precise geolocation data, to collect usage statistics and send custom push notifications tailored to user activity.
Pushwoosh also takes care of storing and processing all the data collected from the apps that include its SDK. Given the potentially sensitive user information that is collected by Pushwoosh, the company’s identity and location are important pieces of information for those considering integrating the Pushwoosh SDK into their apps. However, Pushwoosh appears to have obscured this information with conflicting claims.
As it turns out, Pushwoosh is registered with the Russian government as a software company with headquarters in Novosibirsk, where around forty employees do their work. The Maryland home listed in the company’s regulatory filings is owned by a Russian friend of Pushwoosh founder Max Konev. The home’s owner told Reuters that he had nothing to do with Pushwoosh and simply agreed to allow the company to receive mail at his address. According to Konev, this arrangement to “receive business correspondence” began at his friend’s house during the COVID-19 pandemic.
Konev also told Reuters that the company’s new operational base is in Thailand. However, Reuters received no evidence for this claim and could not find a pushwoosh in the Thai business register. Reuters was able to determine that the two Washington, DC-based executives, Mary Brown and Noah O’Shea, are not real people but fakes created on LinkedIn. The picture displayed on Mary Brown’s profile is actually a picture taken by a photographer in Moscow, Russia of a dance teacher living in Austria. Reuters contacted the teacher, who said she didn’t know how her picture ended up on LinkedIn.
After confirming the LinkedIn profiles were fake, Konev told Reuters that a marketing agency hired by Pushwoosh in 2018 created the accounts in a social media campaign to sell Pushwoosh. Konev explained that the accounts were not created to hide the falsification that Pushwoosh is based in Russia. On the contrary, Konev told Reuters, “I’m proud to be Russian and I would never hide that.” Yet Pushwoosh has not admitted in any of its eight annual filings with the Delaware Secretary of State that it is a Russia-based company acts. By not acknowledging this fact, Pushwoosh may have both violated state law and deceived its customers.
In March of this year, the US Army stopped using an app with the Pushwoosh SDK, citing “security issues”. The app in question was an information portal used by troops at the Fort Irwin National Training Center. Bryce Dubee, a US Army spokesman, stated that the app did not connect to the Army network and its use resulted in no “operational data loss.”
Other organizations and companies told Reuters that since discovering Pushwoosh is a Russia-based company, they have removed the Pushwoosh SDK from their apps. While the company’s founder has denied any connection between the Russian government and Pushwoosh, the fact that the company’s SDK collects user behavior data and stores it on servers controlled by a Russia-based company is a cause for concern. Like China, the Russian government appears to have no qualms about forcing local companies to hand over user data.