A bit skeptical of how this article is written as it seems to be mostly written by AI. Out of curiosity, I downloaded the app and it doesn't request location permissions anywhere, despite the claims in the article.
I've noticed Claude Code is happy to decompile APKs for you but isn't very good at doing reachability analysis or figuring out complex control flows. It will treat completely dead code as important as a commonly invoked function.
Groxx 47 minutes ago [-]
The permissions snippet they show also doesn't include location, and you can't request location at runtime at all without declaring it there.
I'd verify all this stuff for myself, but Play won't install it in my phone so I can't really get the APK. Maybe because I use Graphene...? but I don't know all the ways they can restrict it, maybe it's something else (though for a pixel 9a it's rather strange if it's hardware based).
--- EDIT ---
To be specific / add what I can check, this is what my Play Store "about -> permissions" is showing:
Version 47.0.1 may request access to
Other:
run at startup
Google Play license check
view network connections
prevent phone from sleeping
show notifications
com.google.android.c2dm.permission.RECEIVE
control vibration
have full network access
which appears fairly normal, and does not include location, and I think Play includes runtime location requests there. Maybe there's a version-rollout happening, or device-type targeting?
frizlab 2 hours ago [-]
> it doesn't request location permissions anywhere, despite the claims in the article
The article does not claim the app requests the location. It claims it can do it with a single JS call.
esprehn 54 minutes ago [-]
It can request with a JS call. It can't passively collect it without you approving first. The article is written like calling that JS function will turn on location tracking without consent.
mattdeboard 38 minutes ago [-]
He explicitly says he can't determine it, but that the location tracking as configured will turn on once the user grants consent. All true statements.
How would you have written it differently
logifail 12 minutes ago [-]
"If the user chooses to opt-in and grants location-tracking permission, the app is then, and only then, able to track the user's location?"
dmitrygr 1 hours ago [-]
> The article does not claim the app requests the location. It claims it can do it with a single JS call.
so can ... any other code anywhere on a mobile device? That is how API work...
david_allison 50 minutes ago [-]
You need to state the permissions you *may* request/use in AndroidManifest.xml. This data can then be displayed to users pre-installation.
> The location permissions aren't declared in the AndroidManifest but requested at runtime
*shrug*, someone should dig deeper. It looks like the article may not match reality.
dijksterhuis 2 hours ago [-]
what version are you on?
from the iphone app store: version 47.0.1 - minor bug fixes - 34 minutes ago
while the parent posted 18 minutes ago
they may have patched the location stuff as part of the “minor bug fixes”?
filoleg 1 hours ago [-]
I have the iOS version from yesterday, haven't updated the app yet.
No location permission request prompting encountered. In system settings, where each app requesting location data is listed, it isn't present either.
2 hours ago [-]
SoftTalker 3 hours ago [-]
Looks like what you might expect in a standard marketing app from a consultancy. They probably hired someone to develop it, that shop used their standard app architecure which includes location tracking code and the other stuff.
somehnguy 3 hours ago [-]
Interesting. The site is nearly unusable to me unfortunately. '19 MBP w/ Chrome - scrolling stutters really bad
tredre3 57 minutes ago [-]
Scrolling is extremely poorly behaved on that page for me too, Firefox 149 Windows 10. Which is quite ironic coming from an article that mainly criticizes the web dev aspects of the app!
imalerba 2 hours ago [-]
Scrolling is so laggy it's annoying to follow on mobile (FF 151.0a1)
KomoD 1 hours ago [-]
Does it for me too, chrome on a thinkpad
amarcheschi 40 minutes ago [-]
I agree, the website of the original article is kinda terrible
The argument regarding no certificate pinning seems to miss that just because I might be on a network that MITM's TLS traffic doesn't mean my device trusts the random CA used by the proxy. I'd just get a TLS error, right?
subscribed 2 minutes ago [-]
Not if someone can issue the certificate signed by the CA your phone trust.
Imagine being in a cafe nearby, say, embassy of the certain north African country known for pervasive and wide espionage actions, which decides to hijack traffic in this cafe.
Or imagine living in the country where almost all of the cabinet is literally (officially) being paid by the propaganda/lobbying body of such country.
Or living int he country where lawful surveillance can happen without the jury signoff, but at a while of any police officer.
Maybe its not common but frequent enough.
thegagne 3 hours ago [-]
Not if you are part of an org that uses MDM and pushes their own CA to devices.
r4indeer 3 hours ago [-]
Ok, fair point. However, I would consider any MDM-enabled device fully "compromised" in the sense that the org can see and modify everything I do on it.
p2detar 2 hours ago [-]
An MDM orga cannot install a trusted CA on non-supervised (company owned) devices. By default on BYOD these are untrusted and require manual trust. It also cannot see everything on your device - certainly not your email, notes or files, or app data.
somebudyelse 1 hours ago [-]
[dead]
sitzkrieg 3 hours ago [-]
i assumed it was malware out the gate. yep
vineyardmike 3 hours ago [-]
> The official White House Android app has a cookie/paywall bypass injector, tracks your GPS every 4.5 minutes (9.5m when in background), and loads JavaScript from some guy's GitHub Pages (“lonelycpp” is acct, loads iframe viewer page).
Doesn’t seem too crazy for a generic react native app but of course coming from the official US government, it’s pretty wide open to supply chain attacks. Oh and no one should be continually giving the government their location. Pretty crazy that the official government is injecting JavaScript into web views to override the cookie banners and consent forms - it is often part of providing legal consent to the website TOS. But legal consent is not their strong suit I guess.
trimethylpurine 3 hours ago [-]
Aren't the banners for EU page visitors. I don't think there is a US law about this, is there?
bsimpson 29 minutes ago [-]
Some states have them. California has a similar one "Don't Sell My Personal Information."
xocnad 2 hours ago [-]
And when the app links off to an EU site? Nothing prevents an EU user from using this app. There are a variety of Trump enthusiasts, though I suspect less than there are here in the US.
subscribed 17 minutes ago [-]
They conduct a pervasive, hidden, persistent user tracking not only without consent, looking at the analysis, but also stripping the user from a chance of declining tracking on other sites.
I'm quite sure that's illegal.
az09mugen 1 hours ago [-]
Please don't give them ideas.
analog31 23 minutes ago [-]
>>> This is a government app loading code from a random person's GitHub Pages.
A random person with pronouns, no less. That means the code is “woke.”
ranzhh 36 minutes ago [-]
Are those references to 45 and 47 "Easter Eggs" to Trump's presidency number(s)? As in, forty-five-press (45th president) and Version 47.x.x (47th president), as well as the text message hotline (45470).
nine_k 1 hours ago [-]
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
So at least it does something actually beneficial for the user! I wish it could go even further, the way Reader Mode in a browser would go.
oefrha 3 hours ago [-]
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
Giving people a taste of web with Ublock Origin annoyance filters applied, refreshing. Can’t believe orange man regime is doing one thing right.
jruz 42 minutes ago [-]
Is this a surprise to anyone?
ThaFresh 2 hours ago [-]
nice work, so they can get your location and have ICE scoop you up if required
Arainach 3 hours ago [-]
"An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls."
In their defense, this is the first thing the Trump admin has done that's unambiguously positive for ordinary people.
subscribed 38 minutes ago [-]
Indeed.
I'd love it somehow taken out of it and made available for the general public. Custom uBlock / Adblock filers will be probably the easiest.
ronsor 3 hours ago [-]
Yes, this is a major UX improvement considering I remove those with uBlock Origin anyway.
post-it 2 hours ago [-]
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
Rare Trump administration W. I'm assuming there's one particular website they open in the app that shows a cookie popup, and this was a dev's heavy-handed way of making that go away.
replwoacause 3 hours ago [-]
lol honestly all of this tracks given the current administration. i'm actually surprised it isn't worse. but yeah, amateur hour for sure.
jfengel 2 hours ago [-]
"Amateur hour" is basically their theme. They were swept in on a wave of distrust for people who know what they're talking about. They were elected to tear down Chesterton's fence, even (and especially) the parts holding in the face-eating leopards.
To mix the metaphors further, they (the politicians and their supporters) fancy themselves the kind to dream of things that never were and ask why not. Why not have a war in Iran? You won't know until you give it a try.
somebudyelse 1 hours ago [-]
[dead]
trimethylpurine 3 hours ago [-]
I don't see what the fuss is about. This all looks pretty standard. I use random people's stuff all the time. Isn't that the point of open source?
Did you find something malicious in the random GitHub repo? If so, you should write an article about that instead.
kevinsync 2 hours ago [-]
Using somebody's stuff is different than hot-linking directly to a hosted version of it, even just from the perspective that dude could delete it at any time and break the whole app.
xocnad 2 hours ago [-]
All good for you to make those choices for yourself. Your response seems to be show ignorance of all the recent supply chain attacks that have occurred. You can imagine that given the situation with the shoe gifts that many high up members of the administration and cabinet members are running this app.
input_sh 1 hours ago [-]
It's always a better idea to make a local copy of it.
Imagine they're downloading a project directly from your GitHub account. Even if you're not doing anything malicious and have no intention of doing anything malicious even after you've been aware of this, now all of a sudden your GitHub account / email is a huge target for anyone that wants to do something malicious.
rendx 2 hours ago [-]
I don't know if you're being serious or not, but in case you are: There is a difference between (re)using other people's open sourced code, hopefully reviewed, and giving anyone in control of the third party repository the ability to run arbitrary code on your user's devices. Even if the "random GitHub repo" doesn't contain any malicious code right now, it may well contain some tomorrow.
rpdillon 1 hours ago [-]
The dependencies weren't vendored, meaning their behavior can change at any time if a malicious actor gains control of that third-party repo.
This is bad for security.
colesantiago 3 hours ago [-]
This is a pretty standard decomplation of an Android app.
I am sure if you decompile other apps used by hundreds of thousands of people, you would find all sorts of tracking in there.
Thanks for helping the White House improve their app security for free though.
yellow_lead 3 hours ago [-]
Even in the apps I've worked on, you won't find us loading arbitrary JS from a random GitHub user's account.
colesantiago 3 hours ago [-]
> Even in the apps I've worked on, you won't find us loading arbitrary JS from a random GitHub user's account.
You'd be surprised how many apps inside have hacks and workarounds because deadlines.
crtasm 3 hours ago [-]
Let's see if anyone can give an example of such a high profile app doing something similar.
flutas 2 hours ago [-]
I've worked on a three letter sports orgs (one of NFL, NBA, NHL, etc) Android app.
I always joke that we could probably tell you what color and type your underwear is on any random day with how much data is siphoned off your phone.
As for loading random JS, yeah also seen that done that before. "Partner A wants to integrate their SDK in our webviews." -> "Partner A" SDK is just loading a JS chunk in that can do whatever they want in webviews, including load more files.
Don't get me started on the sports betting SDKs...
Though we do have a Security team constantly scanning SDKs and the endpoints for changes in situations like this.
jasonlotito 2 hours ago [-]
> As for loading random JS, yeah also seen that done that before.
Partner A is not random JS. The assumption there is 1) you have some official signed agreement with them and 2) you've done your due diligence to ensure you can use them in this way.
It's not just some person's GH repo who can freely change that file to whatever they want.
Hotlinking is as old as the internet, and a well-worn security threat.
andix 2 hours ago [-]
I would've expected worse. :)
longislandguido 2 hours ago [-]
The comments in here are pretty rich. If this was any other app, everyone would be screaming about "why are you being mean to the author", flagging posts left and right.
rpdillon 1 hours ago [-]
Nah, I suspect any app that's loading arbitrary JS from somebody's random GitHub page would get called out for that behavior. We're getting supply chain attacks daily.
tclancy 39 minutes ago [-]
That is some impressive willful ignorance. “If it was anybody else threatening to beat this guy up for what he was saying, you’d probably praise them. But a cop does it one time and …”
mattdeboard 34 minutes ago [-]
Are you upset people are being critical of a shabbily run government program?
longislandguido 20 minutes ago [-]
> government program
Is there a cabinet member for the Department of Apps?
It's a throwaway app, probably written by someone that posts here.
Rendered at 19:05:39 GMT+0000 (Coordinated Universal Time) with Vercel.
I've noticed Claude Code is happy to decompile APKs for you but isn't very good at doing reachability analysis or figuring out complex control flows. It will treat completely dead code as important as a commonly invoked function.
I'd verify all this stuff for myself, but Play won't install it in my phone so I can't really get the APK. Maybe because I use Graphene...? but I don't know all the ways they can restrict it, maybe it's something else (though for a pixel 9a it's rather strange if it's hardware based).
--- EDIT ---
To be specific / add what I can check, this is what my Play Store "about -> permissions" is showing:
which appears fairly normal, and does not include location, and I think Play includes runtime location requests there. Maybe there's a version-rollout happening, or device-type targeting?The article does not claim the app requests the location. It claims it can do it with a single JS call.
How would you have written it differently
so can ... any other code anywhere on a mobile device? That is how API work...
From the (limited) article, it doesn't seem they do this: https://thereallo.dev/blog/decompiling-the-white-house-app#p...
----
EDIT: I'm mistaken. From the Play Store[0] it has access to
* approximate location (network-based)
* precise location (GPS and network-based)
[0] https://play.google.com/store/apps/details?id=gov.whitehouse...
This seems to disagree with:
> The location permissions aren't declared in the AndroidManifest but requested at runtime
*shrug*, someone should dig deeper. It looks like the article may not match reality.
from the iphone app store: version 47.0.1 - minor bug fixes - 34 minutes ago
while the parent posted 18 minutes ago
they may have patched the location stuff as part of the “minor bug fixes”?
No location permission request prompting encountered. In system settings, where each app requesting location data is listed, it isn't present either.
Firefox 148.0.2 (Build #2016148295), 15542f265e9eb232f80e52c0966300225d0b1cb7 GV: 148.0.2-20260309125808 AS: 148.0.1 OS: Android 14
Imagine being in a cafe nearby, say, embassy of the certain north African country known for pervasive and wide espionage actions, which decides to hijack traffic in this cafe.
Or imagine living in the country where almost all of the cabinet is literally (officially) being paid by the propaganda/lobbying body of such country.
Or living int he country where lawful surveillance can happen without the jury signoff, but at a while of any police officer.
Maybe its not common but frequent enough.
Doesn’t seem too crazy for a generic react native app but of course coming from the official US government, it’s pretty wide open to supply chain attacks. Oh and no one should be continually giving the government their location. Pretty crazy that the official government is injecting JavaScript into web views to override the cookie banners and consent forms - it is often part of providing legal consent to the website TOS. But legal consent is not their strong suit I guess.
I'm quite sure that's illegal.
A random person with pronouns, no less. That means the code is “woke.”
So at least it does something actually beneficial for the user! I wish it could go even further, the way Reader Mode in a browser would go.
Giving people a taste of web with Ublock Origin annoyance filters applied, refreshing. Can’t believe orange man regime is doing one thing right.
In their defense, this is the first thing the Trump admin has done that's unambiguously positive for ordinary people.
I'd love it somehow taken out of it and made available for the general public. Custom uBlock / Adblock filers will be probably the easiest.
Rare Trump administration W. I'm assuming there's one particular website they open in the app that shows a cookie popup, and this was a dev's heavy-handed way of making that go away.
To mix the metaphors further, they (the politicians and their supporters) fancy themselves the kind to dream of things that never were and ask why not. Why not have a war in Iran? You won't know until you give it a try.
Did you find something malicious in the random GitHub repo? If so, you should write an article about that instead.
Imagine they're downloading a project directly from your GitHub account. Even if you're not doing anything malicious and have no intention of doing anything malicious even after you've been aware of this, now all of a sudden your GitHub account / email is a huge target for anyone that wants to do something malicious.
This is bad for security.
I am sure if you decompile other apps used by hundreds of thousands of people, you would find all sorts of tracking in there.
Thanks for helping the White House improve their app security for free though.
You'd be surprised how many apps inside have hacks and workarounds because deadlines.
I always joke that we could probably tell you what color and type your underwear is on any random day with how much data is siphoned off your phone.
As for loading random JS, yeah also seen that done that before. "Partner A wants to integrate their SDK in our webviews." -> "Partner A" SDK is just loading a JS chunk in that can do whatever they want in webviews, including load more files.
Don't get me started on the sports betting SDKs...
Though we do have a Security team constantly scanning SDKs and the endpoints for changes in situations like this.
Partner A is not random JS. The assumption there is 1) you have some official signed agreement with them and 2) you've done your due diligence to ensure you can use them in this way.
It's not just some person's GH repo who can freely change that file to whatever they want.
Hotlinking is as old as the internet, and a well-worn security threat.
Is there a cabinet member for the Department of Apps?
It's a throwaway app, probably written by someone that posts here.