The official White House Android app has a cookie/paywall bypass injector, tracks your GPS every 4.5 minutes, and loads JavaScript from some guy's GitHub Pages.

Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

A developer decompiled the official White House Android app using ADB and JADX, uncovering several concerning behaviors. The app injects JavaScript into every third-party website opened via its in-app browser to strip cookie consent dialogs, GDPR banners, and paywalls. It contains a full GPS tracking pipeline via the OneSignal SDK that polls location every 4.5 minutes in the foreground and 9.5 minutes in the background, despite an Expo plugin supposedly stripping location features. The app loads JavaScript from a personal GitHub Pages account for YouTube embeds, creating a supply chain risk. It also relies on multiple non-government third-party services including Elfsight, Mailchimp, Uploadcare, and Truth Social CDN. The build ships with development artifacts in production, has no certificate pinning, and profiles users extensively through OneSignal's tagging, SMS association, and cross-device tracking APIs.

I Decompiled the White House's New App

Supply Chain: Loading JS From Some Guy's GitHub Pages