Shrewd'm.com 
A merry & shrewd investing community


Halls of Shrewd'm / US Policy
Author: PucksFool 🐝  😊 😞
Number: of 75970 
Subject: caveat emptor
Date: 03/30/26 9:21 AM
No. of Recommendations: 6
I have no idea if this is true. I do not have the knowledge or skills to verify the claims in this article. I am just passing it on to the people who might be inclined to download an app produced by the White House.

https://blog.thereallo.dev/blog/decompiling-the-wh...

I Decompiled the White House's New App

The official White House Android app has a cookie/paywall bypass injector, tracks your GPS every 4.5 minutes, and loads JavaScript from some guy's GitHub Pages.


What the App Actually Does

The White House released an app on the App Store and Google Play. They posted a blog about it. "Unparalleled access to the Trump Administration."
It took a few minutes to pull the APKs with ADB, and threw them into JADX.
Here is everything I found.


There are a lot of technical details in the article. Here's the summary at the end.

The official White House Android app:

1. Injects JavaScript into every website you open through its in-app browser to hide cookie consent dialogs, GDPR banners, login walls, signup walls, upsell prompts, and paywalls.

2. Has a full GPS tracking pipeline compiled in that polls every 4.5 minutes in the foreground and 9.5 minutes in the background, syncing lat/lng/accuracy/timestamp to OneSignal's servers.

3. Loads JavaScript from a random person's GitHub Pages site (lonelycpp.github.io) for YouTube embeds. If that account is compromised, arbitrary code runs in the app's WebView.

4. Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing.

5. Sends email addresses to Mailchimp, images are served from Uploadcare, and a Truth Social embed is hardcoded with static CDN URLs. None of this is government infrastructure.

6. Has no certificate pinning. Standard Android trust management.

7. Ships with dev artifacts in production. A localhost URL, a developer IP (10.4.4.109), the Expo dev client, and an exported Compose PreviewActivity.

8. Profiles users extensively through OneSignal - tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation.

Is any of this illegal? Probably not. Is it what you'd expect from an official government app? Probably not either.




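A reviewer can check items 3, 4 and 7 of the summary above against strings pulled from a decompiled app. The following is an added example, not part of this thread or the linked article. The first-party domain list and the sample strings (including every path and port) are assumptions constructed for illustration; only the host names and the IP address come from the summary.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Assumption: domains the app owner controls; set this for the app under review.
FIRST_PARTY = ("whitehouse.gov",)

# Constructed sample of strings as they might appear in a decompiled bundle.
SAMPLE_STRINGS = [
    "https://www.whitehouse.gov/news/",
    '<script src="https://elfsightcdn.com/platform.js"></script>',
    '<iframe src="https://lonelycpp.github.io/embed/index.html"></iframe>',
    "http://localhost:8081/index.bundle",
    "http://10.4.4.109:8081/status",
]

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def classify(url, first_party=FIRST_PARTY):
    """Label a URL as 'first-party', 'third-party' or 'dev-artifact'."""
    host = (urlparse(url).hostname or "").lower()
    if host == "localhost":
        return "dev-artifact"
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback:
            return "dev-artifact"  # RFC 1918 / loopback address left in a release build
    except ValueError:
        pass  # not an IP literal, treat as a DNS name
    # Match on a label boundary so "notwhitehouse.gov" is not treated as first-party.
    if any(host == d or host.endswith("." + d) for d in first_party):
        return "first-party"
    return "third-party"


def audit(strings, first_party=FIRST_PARTY):
    """Return the non-first-party hosts found in the strings, grouped by label."""
    findings = {}
    for s in strings:
        for url in URL_RE.findall(s):
            kind = classify(url, first_party)
            if kind != "first-party":
                findings.setdefault(kind, set()).add(urlparse(url).hostname)
    return {kind: sorted(hosts) for kind, hosts in findings.items()}


if __name__ == "__main__":
    for kind, hosts in audit(SAMPLE_STRINGS).items():
        print(kind, hosts)
```

Every host reported as third-party is code or data the app owner does not control, and every dev-artifact entry is a build-hygiene finding to remove before release.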


Author: ges 🐝  😊 😞
Number: of 75970 
Subject: Re: caveat emptor
Date: 03/30/26 9:58 AM
No. of Recommendations: 2
Not sure how trustworthy Gemini AI is, but it confirms most of this.

More reason to not join the cult.


Author: PucksFool 🐝  😊 😞
Number: of 75970 
Subject: Re: caveat emptor
Date: 03/30/26 10:14 AM
No. of Recommendations: 2
I figure that most of the people I interact with here are probably safe. I made the post for those I choose not to.


Author: g0177325   😊 😞
Number: of 75970 
Subject: Re: caveat emptor
Date: 03/30/26 10:37 AM
No. of Recommendations: 2
Not sure how trustworthy Gemini AI is, but it confirms most of this.

Gemini is my go-to AI. Especially its "Thinking" mode, though the default "Fast" mode is already pretty darn good. In either case though, it has failed to provide completely correct Perl code that works in general cases. But at least it admits it when I point out the errors! So, as with apps from this WH, "Caveat Emptor" still applies!


Author: g0177325   😊 😞
Number: of 75970 
Subject: Re: caveat emptor
Date: 03/30/26 10:39 AM
No. of Recommendations: 3
Is any of this illegal? Probably not. Is it what you'd expect from an official government app? Probably not either.

Is any of this covert fkucery highly likely from the Trump administration? Absolutely!

