The official White House Android app has a cookie/paywall bypass injector, tracks your GPS every 4.5 minutes, and loads JavaScript from some guy's GitHub Pages.
The White House launched a news app yesterday:
One wonders who would be stupid enough to download the whitehouse app. I imagine there are some people.
This blog post runs through different elements of the White House app's code and describes what it is doing and how it achieves this.
The official White House Android app:
- Injects JavaScript into every website you open through its in-app browser to hide cookie consent dialogs, GDPR banners, login walls, signup walls, upsell prompts, and paywalls.
- Has a full GPS tracking pipeline compiled in that polls every 4.5 minutes in the foreground and 9.5 minutes in the background, syncing lat/lng/accuracy/timestamp to OneSignal's servers.
- Loads JavaScript from a random person's GitHub Pages site (lonelycpp.github.io) for YouTube embeds. If that account is compromised, arbitrary code runs in the app's WebView.
- Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing.
- Sends email addresses to Mailchimp, serves images from Uploadcare, and hardcodes a Truth Social embed with static CDN URLs. None of this is government infrastructure.
- Has no certificate pinning. Standard Android trust management.
- Ships with dev artifacts in production. A localhost URL, a developer IP (10.4.4.109), the Expo dev client, and an exported Compose PreviewActivity.
- Profiles users extensively through OneSignal - tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation.
Specifically about the tracking in the app:
The tracking isn't unconditionally active. But the entire pipeline including permission strings, interval constants, fused location requests, capture logic, background scheduling, and the sync to OneSignal's API, all of them are fully compiled in and one setLocationShared(true) call away from activating. The withNoLocation Expo plugin clearly did not strip any of this. Whether the JS layer currently calls setLocationShared(true) is something I can't determine from the native side alone, since the Hermes bytecode is compiled and the actual call site is buried in the 5.5 MB bundle. What I can say is that the infrastructure is there, ready to go, and the JS API to enable it is referenced in the bundle.
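The findings above (a developer IP and localhost URL left in the release build, scripts loaded from non-government hosts, and a location pipeline compiled in) are the kind of thing a string dump of a decoded APK surfaces in minutes. The script below is an added example, not code from the blog post or from the app, of that triage step. It assumes you have already extracted string constants with something like apktool or `strings` on the dex files; here a constructed sample list stands in for that output, reusing the hosts and IP the post names. The whitehouse.gov and api.onesignal.com hosts in the sample, the `.gov` allowlist, and the marker list are assumptions for illustration.

```python
"""Static triage of string constants pulled from a decoded Android app.

Added example, not code from the blog post or the app. Flags three things the
post reports: dev-only hosts that should not ship, remote scripts from hosts
outside an allowlist, and location-related identifiers present in the build.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample of what a string dump might contain (assumption, not a
# real dump). Hosts other than those named in the post are illustrative.
SAMPLE_STRINGS = [
    "https://www.whitehouse.gov/api/news",
    "http://10.4.4.109:8081/index.bundle?platform=android",
    "http://localhost:8081/status",
    "https://lonelycpp.github.io/yt-embed/embed.js",
    "https://elfsightcdn.com/platform.js",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "setLocationShared",
    "https://api.onesignal.com/apps/",
]

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
# Assumption: only .gov hosts count as first-party government infrastructure.
FIRST_PARTY_SUFFIXES = (".gov",)
# Identifiers whose presence shows a location pipeline is compiled in.
LOCATION_MARKERS = (
    "ACCESS_FINE_LOCATION",
    "ACCESS_BACKGROUND_LOCATION",
    "setLocationShared",
)


def is_dev_host(host):
    """True for loopback or non-global (RFC 1918 etc.) hosts: dev artifacts."""
    if host == "localhost":
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a DNS name, not an IP literal


def triage(strings):
    """Return a report of dev artifacts, third-party script URLs and hosts,
    and location markers found in the given string constants."""
    report = {
        "dev_artifacts": [],
        "third_party_scripts": [],
        "third_party_hosts": set(),
        "location_markers": [],
    }
    for s in strings:
        for url in URL_RE.findall(s):
            parsed = urlparse(url)
            host = parsed.hostname or ""
            if is_dev_host(host):
                report["dev_artifacts"].append(url)
                continue
            if not host.endswith(FIRST_PARTY_SUFFIXES):
                report["third_party_hosts"].add(host)
                # Remote script: whoever controls this host runs code in the WebView.
                if parsed.path.endswith(".js"):
                    report["third_party_scripts"].append(url)
        for marker in LOCATION_MARKERS:
            if marker in s:
                report["location_markers"].append(marker)
    report["third_party_hosts"] = sorted(report["third_party_hosts"])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_STRINGS).items():
        print(f"{key}:")
        for item in value:
            print(f"  {item}")
```

Run it against a real dump by replacing SAMPLE_STRINGS with the lines of `strings classes*.dex` or the string resources apktool decodes; the `.js` check only catches scripts referenced by a static URL, so code loaded through a URL built at runtime still needs the WebView's network traffic captured.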
Just to play devil's advocate, they make it sound really scary, but how many apps do we use daily that violate the same security practices?
And if you thought to yourself, "well this is an official government app we expect better", well I have news for you!
None? Review your apps.
If it's none, that's good to know too. But just telling me to review my apps isn't helpful because not everyone has the ability to do that.
It's a problem, yes. So how do we fix it? There's the F-Droid model where things get flagged up that are "anti-features", but I wonder how many people actually read it?
For a while, I was using Calyx, and the default install includes an F-Droid that did something like this, but it seemed to find anti-features in pretty much every app. I didn't find it terribly useful.
I don't install many apps, so if I'm installing something it's because I'm pretty sure I need it. I really only want to know if there's a major problem.
Good points. When I was trying to find this app in the app store, I came across a TSA-Pre app and it made me wonder if anyone had done a similar audit of it...
Meta apps are scarier.
Not surprised. Still insane.
Is there an in-app link to Kalshi for putting on those bets you already know about?
Should I care about this garbage?
Only insofar as it is fun to make fun of them.
I wonder though: why would you install something as dirty as a government app on something as nice as a personal device?
https://twiiit.com/WhiteHouse/status/2037701914607948013