I Decompiled the White House's New App
A developer decompiled the official White House Android app using ADB and JADX, uncovering several concerning behaviors. The app injects JavaScript into every third-party website opened via its in-app browser to strip cookie consent dialogs, GDPR banners, and paywalls. It contains a full GPS tracking pipeline via the OneSignal SDK that polls location every 4.5 minutes in the foreground and 9.5 minutes in the background, despite an Expo plugin supposedly stripping location features. The app loads JavaScript from a personal GitHub Pages account for YouTube embeds, creating a supply chain risk. It also relies on multiple non-government third-party services including Elfsight, Mailchimp, Uploadcare, and Truth Social CDN. The build ships with development artifacts in production, has no certificate pinning, and profiles users extensively through OneSignal's tagging, SMS association, and cross-device tracking APIs.
Table of contents
What Is This App?
Expo Config
What the App Actually Does
Consent/Paywall Bypass Injector
Location Tracking Infrastructure
OneSignal User Profiling
Supply Chain: Loading JS From Some Guy's GitHub Pages
Supply Chain: Elfsight Widget Platform
Supply Chain: Everything Else
No Certificate Pinning
Development Artifacts in Production
Permissions
Full SDK List
Recap