Author: PucksFool
Subject: caveat emptor
Date: 03/30/26 9:21 AM
No. of Recommendations: 6
I have no idea if this is true. I do not have the knowledge or skills to verify the claims in this article. I am just passing it on to the people who might be inclined to download an app produced by the White House.

https://blog.thereallo.dev/blog/decompiling-the-wh...

I Decompiled the White House's New App

The official White House Android app has a cookie/paywall bypass injector, tracks your GPS every 4.5 minutes, and loads JavaScript from some guy's GitHub Pages.


What the App Actually Does

The White House released an app on the App Store and Google Play. They posted a blog about it. "Unparalleled access to the Trump Administration."
It took a few minutes to pull the APKs with ADB and throw them into JADX.
Here is everything I found.


There are a lot of technical details in the article. Here's the summary at the end.

The official White House Android app:

1. Injects JavaScript into every website you open through its in-app browser to hide cookie consent dialogs, GDPR banners, login walls, signup walls, upsell prompts, and paywalls.

2. Has a full GPS tracking pipeline compiled in that polls every 4.5 minutes in the foreground and 9.5 minutes in the background, syncing lat/lng/accuracy/timestamp to OneSignal's servers.

3. Loads JavaScript from a random person's GitHub Pages site (lonelycpp.github.io) for YouTube embeds. If that account is compromised, arbitrary code runs in the app's WebView.

4. Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing.

5. Sends email addresses to Mailchimp, serves images from Uploadcare, and hardcodes a Truth Social embed with static CDN URLs. None of this is government infrastructure.

6. Has no certificate pinning. Standard Android trust management.

7. Ships with dev artifacts in production. A localhost URL, a developer IP (10.4.4.109), the Expo dev client, and an exported Compose PreviewActivity.

8. Profiles users extensively through OneSignal - tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation.

Is any of this illegal? Probably not. Is it what you'd expect from an official government app? Probably not either.
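A defender-side triage script for the kinds of artefacts the summary above lists, added here as an example and not part of the post or of the article it quotes. It parses a constructed AndroidManifest fragment (hypothetical package and class names) and a constructed list of string constants of the sort a decompiler like JADX dumps, and flags exported non-launcher components, a cleartext-traffic opt-in, localhost or private-network URLs left over from development, and JavaScript fetched from hosts outside an allow-listed first-party suffix. Every domain, IP address and class name in it is made up.

```python
"""Static triage of a decompiled Android app: exported components, cleartext
settings, dev-time URLs and third-party script hosts.  Added example; all
inputs below are constructed and do not come from any real app."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr):
    """Qualify an attribute name with the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Constructed manifest fragment (hypothetical package and activity names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical">
  <application android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="androidx.compose.ui.tooling.PreviewActivity"
              android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""

# Constructed string constants, as a decompiler might dump them from classes.
SAMPLE_STRINGS = [
    "https://api.example.gov/v1/feed",
    "http://10.0.2.15:8081/bundle.js",        # hypothetical dev-machine IP
    "http://localhost:19000/",
    "http://feeds.example.org/rss",
    "https://static.example-cdn.com/platform.js",
    "https://someuser.github.io/player/embed.js",
    "https://www.example.gov/static/app.js",
]

# Hosts ending in one of these are treated as first party; any other host
# serving a .js file is reported.  Assumption for this example only.
FIRST_PARTY_SUFFIXES = (".gov",)


def exported_components(manifest_xml):
    """Names of activities/services/receivers/providers marked exported="true"
    that are not the launcher.  A launcher activity must be exported; anything
    else exported is worth a second look in a production build."""
    root = ET.fromstring(manifest_xml)
    found = []
    for comp in root.iter():
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        if comp.get(_a("exported")) != "true":
            continue
        is_launcher = any(
            cat.get(_a("name")) == "android.intent.category.LAUNCHER"
            for cat in comp.iter("category"))
        if not is_launcher:
            found.append(comp.get(_a("name")))
    return found


def allows_cleartext(manifest_xml):
    """True when the app opts into plain-HTTP traffic app-wide."""
    app = ET.fromstring(manifest_xml).find("application")
    return app is not None and app.get(_a("usesCleartextTraffic")) == "true"


def _is_internal_host(host):
    if host in ("localhost", "::1"):
        return True
    try:
        return ipaddress.ip_address(host).is_private  # covers 127/8, 10/8, ...
    except ValueError:
        return False


def classify_urls(strings):
    """Bucket URL-looking constants: dev artefacts (localhost / private IPs),
    cleartext endpoints, and scripts served from non-first-party hosts."""
    report = {"dev_artifact": [], "cleartext": [], "third_party_script": []}
    for s in strings:
        if not re.match(r"https?://", s):
            continue
        u = urlparse(s)
        host = u.hostname or ""
        if _is_internal_host(host):
            report["dev_artifact"].append(s)
            continue  # a dev URL is already the finding; don't double-count
        if u.scheme == "http":
            report["cleartext"].append(s)
        if u.path.endswith(".js") and not host.endswith(FIRST_PARTY_SUFFIXES):
            report["third_party_script"].append(s)
    return report


if __name__ == "__main__":
    print("exported (non-launcher):", exported_components(SAMPLE_MANIFEST))
    print("cleartext allowed:", allows_cleartext(SAMPLE_MANIFEST))
    for bucket, urls in classify_urls(SAMPLE_STRINGS).items():
        print(bucket, urls)
```

On a real decode the manifest comes from `apktool` (or JADX's resources view) and the string list from grepping the decompiled sources; the checks here are deliberately coarse and are a starting point for a manual review, not a verdict. A script host flagged as third party is a supply-chain dependency to assess, not automatically malicious.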