![Headline: I decompiled the White House's New App
Body text:
RECAP
The official White House Android app:
1) Injects JavaScript into every website you open through its in-app browser to hide cookie consent dialogs, GDPR banners, login walls, signup walls, upsell prompts, and paywalls.
2) Has a full GPS tracking pipeline compiled in that polls every 4.5 minutes in the foreground and 9.5 minutes in the background, syncing lat/lng/accuracy/timestamp to OneSignal's servers.
3) Loads JavaScript from a random person's GitHub Pages site (lonelycpp.github.io) for YouTube embeds. If that account is compromised, arbitrary code runs in the app's WebView.
4) Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing.
5) Sends email addresses to Mailchimp, images are served from Uploadcare, and a Truth Social embed is hardcoded with static CDN URLs. None of this is government infrastructure.
[Continued in next image]](https://cdn.bsky.app/img/feed_thumbnail/plain/did:plc:p5q4hafeyexdt3ndi4ttgomc/bafkreigvivjkjrz6rvamon52qycehrsuz2kcqcwwrbc5kdbhyny5jc7rpq)
Headline: I decompiled the White House's New App Body text: RECAP The official White House Android app: 1) Injects JavaScript into every website you open through its in-app browser to hide cookie consent dialogs, GDPR banners, login walls, signup walls, upsell prompts, and paywalls. 2) Has a full GPS tracking pipeline compiled in that polls every 4.5 minutes in the foreground and 9.5 minutes in the background, syncing lat/lng/accuracy/timestamp to OneSignal's servers. 3) Loads JavaScript from a random person's GitHub Pages site (lonelycpp.github.io) for YouTube embeds. If that account is compromised, arbitrary code runs in the app's WebView. 4) Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing. 5) Sends email addresses to Mailchimp, images are served from Uploadcare, and a Truth Social embed is hardcoded with static CDN URLs. None of this is government infrastructure. [Continued in next image]
![[Continued from lrevious image]
6) Has no certificate pinning. Standard Android trust management.
7) Ships with dev artifacts in production. A localhost URL, a developer IP (10.4.4.109), the Expo dev client, and an exported Compose PreviewActivity.
8) Profiles users extensively through OneSignal - tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation.
Is any of this illegal? Probably not. Is it what you'd expect from an official government app? Probably not either.](https://cdn.bsky.app/img/feed_thumbnail/plain/did:plc:p5q4hafeyexdt3ndi4ttgomc/bafkreic4ixuquz7uzs2yhid5hz2xzduhrzz4m4rk5pcvmnrytnth2pzbmy)
[Continued from lrevious image] 6) Has no certificate pinning. Standard Android trust management. 7) Ships with dev artifacts in production. A localhost URL, a developer IP (10.4.4.109), the Expo dev client, and an exported Compose PreviewActivity. 8) Profiles users extensively through OneSignal - tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation. Is any of this illegal? Probably not. Is it what you'd expect from an official government app? Probably not either.
Coming as no surprise from this corrupt administration, the White House app is #spying on you and is a total #grift. Full details here:
blog.thereallo.dev/blog/decompi...
#ITsecurity #apps #smartphones #malware #WhiteHouse #Trump #corruption #privacy #InvasionOfPrivacy #MassSurveillance #dev
