I decompiled the White House's new app
Comments
SoftTalker
iAMkenough
If only the US Digital Service still existed as an agency to do this right. Too bad it's now been hollowed out to be DOGE, subject to multiple active lawsuits.
What are your taxes paying for?
thegreatpeter
have you seen some of the websites they've developed? they're actually quite nice. maybe joe hasn't gotten to mobile yet
edit: oh wait, thats https://ndstudio.gov/
a11yauditfailed
"Accessibility Matters" they chortle between giant images of text https://ndstudio.gov/posts/accessibility-matters
jclardy
The location tracking code is within the OneSignal SDK - which is just a standard messaging platform for sending emails/push messages to users. It doesn't have some magical permissions bypass, the app itself has to request it.
charcircuit
And r8 which does tree shaking to remove dead code is not smart enough to understand react native so it won't strip it out without extra work from the developer.
Cross referencing these different things in the article to other apps that exist was my first thought as these seem pretty generic and probably reused from somewhere else.
miki123211
The Polish covid quarantine app was famously adapted from some app for store inspectors or something, as it already implemented most of the required functionalities, like asking for photos via push at random times, sending them along with a location etc.
They likely did a search-and-replace on the brand name, so you had strings like 'your invoices from Home Quarantine inc' in the code.
Not a bad thing per se, getting the app out the door asap was definitely a priority in that project for understandable reasons, but funny nonetheless.
halJordan
That's exactly what 45Press is. They won a 1.5mil contract to spit out this tripe (tbf the contract includes other wh.gov support).
irishcoffee
Shockingly, still better than baltimore: https://foxbaltimore.com/news/city-in-crisis/baltimores-webs...
I think its cost over $5mm at this point, and the website doesn't exist. Oh, the company that built the site is owned by, I think the spouse of a council member, or something of that ilk.
Edit: 2.2mm, initial bid of 300k.
DonHopkins
To be fair, Kristi Noem shot the horse they rented, so there were a lot of expenses.
pseudohadamard
"Visit TrumpRx.gov"
kdheiwns
"He can't do that" means nothing when the law is never enforced.
iAMkenough
Hatch Act won't be enforced until the next administration and next DOJ.
ImJamal
Has the Hatch Act ever been enforced? Every administration in the last 20+ years have had people violate it but as far as I can tell nobody has been found guilty.
extraduder_ire
At least. I'm not hopeful.
nielsbot
[flagged]
throwawayqqq11
Thank god there are still republicans left.
But snark aside, the next elections will be decided around damage control. Yes, the old school dems are pretty spineless (corrupt) but i guess even they feel the temptation of revenge and taking out political opponents for good. I really hope the new generation of democrats succeeds and breaks the corruption ties.
nielsbot
Thank you for understanding. I'm pointing things like Obama "looking forward not backward" and not punishing Bush, Cheney, Ashcroft, Condi, etc for war crimes and illegal warmongering which leads directly to today's current illegal Iran invasion.
We will need actual punishments for everyone who illegally defunded (or funded) programs, got us into the Iran invasion, embezzled and lined their pockets with corruption etc etc etc.
AbstractH24
> Hatch Act won't be enforced until the next administration and next DOJ.
How did that last administration's dwelling on persecuting the one before it turn out?
While I don't like the current one and certainly agree that some of its actions are totally unethical, once it's over can we just move on and look forward, not back?
nebulous2026
The only possible way this country has a future is if crime is actually punished. If the members of this current administration who committed criminal acts do not actually suffer the consequences then what is to stop the next one?
Jedd
This sounds like something criminals would say / want.
AbstractH24
How do we move forward?
Jedd
"Justice must be seen to be done."
Without consequences for illegal behaviour, there's no incentive for bad actors to not continue acting bad. This, in no small part, explains why we are where we are today - a misplaced attempt to 'move forward' by ignoring illegal actions.
RankingMember
Without holding those who do wrong to account, positive movement will always be dogged or straight-up negated by those who do wrong without facing justice.
NewJazz
Prosecuting criminals.
ceejayoz
That'll only work here if there are reforms to the pardon power while we're at it. Any convictions a Democratic administration manages to obtain will be pardoned the next time a Republican gets in.
RankingMember
That Jan 6th participants were almost uniformly let off the hook is a stain that will continue to haunt us until pardon power is finally reigned in.
ceejayoz
> How did that last administration's dwelling on persecuting the one before it turn out?
They were way too slow about it.
I hope the next one is faster.
ImJamal
What do you mean by dodgy meds? These are just the normal meds you can get at any pharmacy. They also aren't even peddling them. They just link to pharmacies or provide discount codes.
thegreatpeter
what are the dodgy meds? it provides a discount at the pharmacy if you pay cash and skip insurance. are you from here?
gdeglin
OneSignal cofounder here. Posting since our service was mentioned in this article.
For those concerned or curious about location data collection, we wrote an explanation of how it works: https://onesignal.com/blog/youre-in-control-how-location-act...
robin_reala
We do not sell user data. Period.
You’ll sell it if you sell your company (as per your privacy policy).[1]
We may disclose or transfer your personal information in connection with, or during negotiations of, any acquisition of our business, financing or similar transaction.
If you wouldn’t sell it, period, then I’d suggest amending your privacy policy to include irrevocable deletion of customer data at the point your company is sold to a buyer.
SecretDreams
I would love to see a response to this comment from the OP.
giwook
Same. OP will likely ignore it though.
AbstractH24
Same
dbbk
Yes that's the normal way of doing things? Why would someone buy a business with no user base?
s3p
Great question, however the important point here is that the company makes the claim they will not sell user data. "Period." So the company implies that if they are sold they will be sold with no user data
dbbk
I think that's a silly read of what they're saying
augusto-moura
I believe the problem is not doing this, but the text in the policy is misleading, since users would believe their data would never be shared with anyone outside of the company itself _unconditionally_, which is not true (if only by technicality), the data can be sold as part of the company.
kibibu
Not just as part of the sale, but as part of the negotiation.
nclin_
Dead link
lumpo
The onesignal domain is on the IPFire Domain Blocklist
Found 1 list exactly matching 'onesignal.com':
- https://dbl.ipfire.org/lists/ads/domains.txt
block list
added: 2026-02-13 15:00:20
last modified: 2026-02-13 15:00:20
last updated: 2026-03-29 04:02:16 (126.625 domains)
enabled, used in 1 group
comment: "IPFire Advertising"
matching entries:
- onesignal.comAnonasty
Works for me.
nclin_
weird, still dead here (entire rest of the internet is fine) :shrug:
dtj1123
VPN
rerdavies
Bump this please. This should be the #1 comment.
exogeny
[flagged]
somehnguy
Interesting. The site is nearly unusable to me unfortunately. '19 MBP w/ Chrome - scrolling stutters really bad
tredre3
Scrolling is extremely poorly behaved on that page for me too, Firefox 149 Windows 10. Which is quite ironic coming from an article that mainly criticizes the web dev aspects of the app!
Aerolfos
Scrolling on my firefox is smooth... with javascript blocked.
imalerba
Scrolling is so laggy it's annoying to follow on mobile (FF 151.0a1)
catlikesshrimp
Not what you meant, but works fine on
Firefox 148.0.2 (Build #2016148295), 15542f265e9eb232f80e52c0966300225d0b1cb7 GV: 148.0.2-20260309125808 AS: 148.0.1 OS: Android 14
KomoD
Does it for me too, chrome on a thinkpad
beAbU
> chrome on a thinkpad
This is akin to saying "browser on a computer". Need to be more specific.
bigbugbag
no problem here using librewolf on arch linux on a 2012 thinkpad.
amarcheschi
I agree, the website of the original article is kinda terrible
orthogonalinfo
The OneSignal location tracking code being "compiled in" is expected behavior for anyone who has shipped Expo apps with OneSignal. The OneSignal React Native SDK bundles its full native module including location capabilities regardless of whether you use them. Expo config plugins like withStripPermissions operate at the AndroidManifest level - they can remove permission declarations, but they don't tree-shake native Java/Kotlin code from pre-compiled SDK .aar files.
This is actually the correct mitigation. Without ACCESS_FINE_LOCATION and ACCESS_COARSE_LOCATION in the manifest, the Android runtime will reject any location request at the OS level, even if the Java code calls FusedLocationProviderClient.requestLocationUpdates(). The three-gate analysis in the article is technically accurate but buries the lede: gate #2 (runtime permission) is impossible to pass because the permission isn't declared, making the entire pipeline dead code at the OS enforcement layer.
This is a broader issue with how React Native SDKs are packaged - they ship as monolithic native modules rather than fine-grained feature modules. OneSignal, Firebase, and most analytics SDKs all do this. The Expo ecosystem has been discussing native code tree-shaking for years but it's genuinely hard when you're wrapping pre-compiled Android libraries. The withStripPermissions approach is the standard workaround and is functionally equivalent to removing the code, since Android's permission model is the actual enforcement boundary.
r4indeer
The argument regarding no certificate pinning seems to miss that just because I might be on a network that MITM's TLS traffic doesn't mean my device trusts the random CA used by the proxy. I'd just get a TLS error, right?
subscribed
Not if someone can issue the certificate signed by the CA your phone trust.
Imagine being in a cafe nearby, say, embassy of the certain north African country known for pervasive and wide espionage actions, which decides to hijack traffic in this cafe.
Or imagine living in the country where almost all of the cabinet is literally (officially) being paid by the propaganda/lobbying body of such country.
Or living int he country where lawful surveillance can happen without the jury signoff, but at a while of any police officer.
Maybe its not common but frequent enough.
layer8
> Imagine being in a cafe nearby, say, embassy of the certain north African country known for pervasive and wide espionage actions, which decides to hijack traffic in this cafe.
How would they get your phone to trust their CA? Connecting to a Wi-Fi network doesn’t change which CAs a device trusts.
Galanwe
Because there is a quadrillion trusted CAs in every device you might use. A good chunk of these CAs have been compromised at one point or another, and rogue certificates are sold in the dark market. Also any goverment can coerce a domiciled CA to issue certs for their needs.
hvb2
That is a wild claim. I can't imagine that being correct given how that's been abused in the past
https://www.eff.org/deeplinks/2011/08/iranian-man-middle-att...
ceejayoz
It's a pretty huge list.
https://support.apple.com/en-us/126047
The chances of zero of these CAs having been compromised by state-level actors seems… slim.
Do you trust "Hongkong Post Root CA 3" not to fuck with things?
Your link's from 2011; the US government was still in the trusted list until 2018. https://www.idmanagement.gov/implement/announcements/04_appl...
nucleardog
All modern browsers require certificates to be published in the certificate transparency logs in order to be considered valid.
These are monitored, things do get noticed[0], and things like this can and have lead to CAs being distrusted.
It's not foolproof, and it's reactive rather than proactive... but in general, this is unlikely to be happening on major sites or at any significant scale.
I'd wholeheartedly recommend people taking some time and reading through the CA Compliance issues on Bugzilla. The entire CA program there, in my opinion, does a fantastic and largely thankless job of keeping this whole thing on the rails. It's one of the few things I can say I had _more_ trust in the more I looked into it.
ceejayoz
> It's not foolproof, and it's reactive rather than proactive…
This just means you keep your powder dry until it's needed.
cookiengineer
> That is a wild claim
China telecom regularly has BGP announcements that conflict with level3's ASNs.
Just as a hint in case you want to dig more into the topic, RIR data is publicly available, so you can verify yourself who the offenders are.
Also check out the Geedge leaked source code, which also implements TLS overrides and inspection on a country scale. A lot of countries are customers of Geedge's tech stack, especially in the Middle East.
Just sayin' it's more common than you're willing to acknowledge.
technion
If you go down this path you argue desktop browsing https is broken, which i dont think is a serious argument.
fc417fc802
Well yes, CAs and the ICANN model of DNS are intertwined and fundamentally broken in multiple ways. However the system as a whole is largely "good enough" as can be seen from its broad success under highly adversarial conditions in the real world.
rerdavies
That's not really how security works. Either it's broken, or it's not. Security is only as good as the weakest link in the chain. Whether it's good enough or not... hard to say.
fc417fc802
That sort of reasoning only applies to algorithms - those shatter the way glass does. Other stuff is more pliable. It's entirely possible to shoplift but there's a nonzero chance you'll get caught. Is the supermarket's security broken? There are many known attacks against it so I'd say that it is.
Notice my wording above - fundamentally broken in multiple ways - by which I mean that there are clear and articulable flaws with the model. Nonetheless it's clearly quite functional in practice.
quesera
No one is trying to go that far down the path.
https (specifically the CA chain of trust) is imperfect, and can be compromised by well-placed parties.
Gigachad
This is stopped by certificate transparency logs. Your software should refuse to accept a certificate which hasn’t been logged in the transparency logs, and if a rogue CA issues a fraudulent certificate, it will be detected.
malmeloo
Certificate transparency doesn't prevent misissuance, it only makes detection easier after the fact. Someone still needs to be monitoring CT and revoke the cert. I actually believe most HTTP stacks on Android don't even check cert revocations by default.
Gigachad
I'm not too sure what the detection process is like, but being found to sign fraudulent certificates results in your CA being untrusted and is the end of your business. So it's not going to be done lightly even if there isn't automated systems to catch it instantly (which there likely are at least for major websites)
malmeloo
The detection process basically boils down to 'server admins need to check CT themselves'. A CA also doesn't have to be malicious; a non-CA malicious actor could also exploit a vulnerability in the verification process of an honest CA. Depending on the severity of the situation that's unlikely to get them removed from the root stores.
Interesting example: last year Cloudflare found out that a CA had been (incorrectly) issuing certs for 1.1.1.1. They only found out 1.5 years after the first cert had been issued. The CA didn't do it with malicious intent, and as far as I know they're still in business. https://blog.cloudflare.com/unauthorized-issuance-of-certifi...
fc417fc802
I don't believe it's supposed to proactively check the logs as that would inevitably break in the presence of properly configured MITM middleboxes which are present on many (most?) corporate networks.
The point of the logs as I understand it is to surface events involving official CAs after the fact.
l2dy
Clients are supposed to check. For example, Apple requires a varying number of SCTs in order for Safari to trust server certificates. https://support.apple.com/en-us/103214
And yes, it does break MITM use cases, for example on Chrome: https://httptoolkit.com/blog/chrome-android-certificate-tran...
fc417fc802
So how does that work with middleboxes? Corporate isn't about to forgo egress security (nor should they).
I don't currently MITM my LAN but my general attitude is that if something won't accept my own root certificate from the store then it's broken, disrespecting my rights, and I want nothing to do with it. Trust decisions are up to me, not some third party.
Gigachad
Corporate managed machines can control the software running on the computer to do anything. I'm not sure the details, but chrome certainly can support corporate MITM. There's likely some setting you have to configure first.
The default should be to reject certificates which aren't being logged, and if you as a user or corporation have a reason to use private certificates, you just configure your computer to do that. Which fully protects against the risk of normal CAs signing fraudulent certificates.
Melatonic
Corporate machines would have the proper certs pushed to them for the MITM box to work though - would that affect this ?
fc417fc802
The entire point of transparency logs is to detect a cert issued by a different root CA despite both being trusted. The corporate MITM cert won't be present in the logs by design.
kevin_thibedeau
Israel is not in Africa.
thegagne
Not if you are part of an org that uses MDM and pushes their own CA to devices.
r4indeer
Ok, fair point. However, I would consider any MDM-enabled device fully "compromised" in the sense that the org can see and modify everything I do on it.
p2detar
An MDM orga cannot install a trusted CA on non-supervised (company owned) devices. By default on BYOD these are untrusted and require manual trust. It also cannot see everything on your device - certainly not your email, notes or files, or app data.
somebudyelse
As someone who has an MDM-managed device, I beg to differ. Although, this one uses newer style android MDM, which involves factory resetting and doing special things during OOBE. Even if it used the older style, nothing's stopping the app for requesting file access, notification access, etc. and not working until you grant the permissions.
Melatonic
Android has multiple options for MDM - the mess invasive one has a completely separate work profile that should not give the org that kind of access.
p2detar
Nothing is stopping any app from the Play store to request any particular permission, not just MDM apps, right? And yet, no app can read arbitrary filesystem data including random app data without your device being rooted first.
If anything, one of many MDM purposes is to prevent orgas from enrolling rooted devices in their fleet.
layer8
If it is untrusted, you also won’t have a TLS connection be established based on that CA.
greenchair
that argument also misses because it is based on old best practices which are no longer relevant.
kevincox
Certificate pinning can be useful, especially in particularly sensitive areas. But I wouldn't expect it as a standard security practice. If anything I appreciate that it isn't done so that reverse engineers can thoroughly study the traffic on their own devices. I agree that it was odd that the article mentioned it more than a quick note, let along made a big deal out of it.
iancarroll
A bit skeptical of how this article is written as it seems to be mostly written by AI. Out of curiosity, I downloaded the app and it doesn't request location permissions anywhere, despite the claims in the article.
I've noticed Claude Code is happy to decompile APKs for you but isn't very good at doing reachability analysis or figuring out complex control flows. It will treat completely dead code as important as a commonly invoked function.
Groxx
The permissions snippet they show also doesn't include location, and you can't request location at runtime at all without declaring it there.
I'd verify all this stuff for myself, but Play won't install it in my phone so I can't really get the APK. Maybe because I use Graphene...? but I don't know all the ways they can restrict it, maybe it's something else (though for a pixel 9a it's rather strange if it's hardware based).
--- EDIT ---
To be specific / add what I can check, this is what my Play Store "about -> permissions" is showing:
Version 47.0.1 may request access to
Other:
run at startup
Google Play license check
view network connections
prevent phone from sleeping
show notifications
com.google.android.c2dm.permission.RECEIVE
control vibration
have full network access
crumpled
If you use Aurora Store instead of the Play store, you can download APKs. They are a Google Play store proxy.
hiccuphippo
Is there a way to conver that xapk format to apk other than installing their app?
bigbugbag
yes, unzip it.
2Gkashmiri
I have many apps that refuse to work. They try to open play store app which does not have logged in account.
The app doesn't work
crumpled
The aurora store will identify whether apps require google play services before you try to install them.
fjdjshsh
>as it seems to be mostly written by AI.
Is there something in particular that made you conclude that or are you going just with how it felt?
For what it's worth, it didn't seem to me.
Mathnerd314
There's a specific writing style for globalized English that AI's use. And then this post also had none of the stylistic flourishes that a real author might add. And then simple things like constructing a table of 68 libraries or whatever organized by relatively subjective categories. That is something that nobody is going to do by hand.
ghywertelling
There is a new term "load-bearing" which is used a lot in my usage of AI. Has anyone else encountered this term being used a lot in their conversations? Or is it a quirk of personalization?
matwood
I use load-bearing all the time in conversation. People need to be careful that just because they don’t use certain phrases, it doesn’t automatically mean AI.
tstenner
I use it all the time, but almost always sarcastically (as in "load-bearing tinyproxy instance").
codefreakxff
just what an AI bot would say! ;)
pdntspa
Both you and parent are making a lot of load-bearing assumptions.
As someone who likes to use a lot of em dashes in writing -- the 'heuristics' that AI 'hunters' like to use need a lot of further refinement before I would trust them with anything. And yet there are legions of anti-AI crusaders out there wielding them like weapons.
These folks are reinforcing a bias against all kinds of people, particularly those who are not native English speakers and were very likely taught 'globalized' English in their language training.
trueno
been getting a lot of "load-bearing" and "roll your own" lately.
us humans, even if kinda trash at many things, are pretty rad at pattern recognition.
dist-epoch
There are also fashions. So people could be using "load-bearing" more because it's fashionable. Like "lets double-click on that", or "spinning rust", etc
rocqua
I've heard it a lot from podcasts that are towards the abundance movement. I think its common within the rationalise movement.
Personally I really like it for "load-bearing assumptions". Because it let's you work with assumptions whilst pointing out the potential issues of that assumption.
Izkata
Perhaps the apparent hallucination they mentioned in their comment?
VerifiedReports
You mean fabrication?
windexh8er
Apparently just like OP, you didn't read the article either. Just because the app doesn't ask for permission in the manifest doesn't mean it can't be acquired at runtime. It's very publicly documented [0].
So, no. Not a "hallucination".
[0] https://documentation.onesignal.com/docs/en/location-opt-in-...
no-name-here
How certain are you of that?
That appears to be about providing a message to the user before requesting permissions.
However, it appears even permissions you allow your app to request still need to be declared beforehand? https://developer.android.com/training/permissions/requestin...
Regardless, people are reporting mixed info on whether the app declares location access: https://news.ycombinator.com/item?id=47557010
windexh8er
I checked all versions. Maybe, just maybe, the app was changed in response? Hmmm, I wonder...
rerdavies
This is incorrect. On Android, you must do BOTH to actually get location APIs to work.
windexh8er
Well, I will argue that you are incorrect and do one better and ask why a Huawei SDK [0] is embedded in the app beyond the location tracking?
[0] https://www.sambent.com/the-white-house-app-has-huawei-spywa...
goodmythical
[flagged]
trueno
> Haven't you heard? It's cool to dislike things "because AI".
There's no explicit rules against it, but I cannot stand this type of sarcastic im anti-everyone-else commentary. Super reddit-coded, and you could have made your point without it. There's a lot of discussion to have about that point actually, but I'm pretty sure we've all been collectively scrolling long enough to just kind of roll our eyes at this stuff.
I read through it. I get some AI vibes. Probably a little bit of both.
VerifiedReports
Look out: It's forbidden to compare HN to Reddit!
trueno
frick
VerifiedReports
I love how some clowns downvoted a fact.
lkjdsklf
What? They listed a very specific complaint about the content.
direwolf20
It's cool to dislike "disliking things "because AI""
frizlab
> it doesn't request location permissions anywhere, despite the claims in the article
The article does not claim the app requests the location. It claims it can do it with a single JS call.
esprehn
It can request with a JS call. It can't passively collect it without you approving first. The article is written like calling that JS function will turn on location tracking without consent.
mattdeboard
He explicitly says he can't determine it, but that the location tracking as configured will turn on once the user grants consent. All true statements.
How would you have written it differently
logifail
"If the user chooses to opt-in and grants location-tracking permission, the app is then, and only then, able to track the user's location?"
mattdeboard
You would be lying if you wrote that because you do not know if that is true.
ceejayoz
But that's not true; it could easily fallback to other forms of geolocation like using the current IP.
rerdavies
That would allow you to see the local network IP (not actually sure you even get that, tbh). To get more detailed information about IP configuration, you need Location permission. Been there, done that. Most Android network information calls provide degraded information if you have not been granted Location permissions.
quesera
If an app can make an HTTP request, the app can know the user's public IP address and the geolocation derived from that.
This data has well-known limitations, but I think it is the fallback people are talking about here.
buzzerbetrayed
Good lord. So could literally any app on the planet
dmitrygr
> The article does not claim the app requests the location. It claims it can do it with a single JS call.
so can ... any other code anywhere on a mobile device? That is how API work...
david_allison
You need to state the permissions you *may* request/use in AndroidManifest.xml. This data can then be displayed to users pre-installation.
From the (limited) article, it doesn't seem they do this: https://thereallo.dev/blog/decompiling-the-white-house-app#p...
----
EDIT: I'm mistaken. From the Play Store[0] it has access to
* approximate location (network-based)
* precise location (GPS and network-based)
[0] https://play.google.com/store/apps/details?id=gov.whitehouse...
This seems to disagree with:
> The location permissions aren't declared in the AndroidManifest but requested at runtime
*shrug*, someone should dig deeper. It looks like the article may not match reality.
Groxx
What version do you see? 47.0.1 doesn't have that for me: https://news.ycombinator.com/item?id=47557033
david_allison
Very unusual: 47.0.1 is showing these permissions when on my MacBook viewing the store entry.
The Play Store doesn't show these permissions when viewed on my Pixel 9 Pro, and the APK doesn't have these permissions when downloaded/extracted.
dijksterhuis
what version are you on?
from the iphone app store: version 47.0.1 - minor bug fixes - 34 minutes ago
while the parent posted 18 minutes ago
they may have patched the location stuff as part of the “minor bug fixes”?
croes
Isn’t it useless to talk about the iOS version if the article is about the Android app?
filoleg
I have the iOS version from yesterday, haven't updated the app yet.
No location permission request prompting encountered. In system settings, where each app requesting location data is listed, it isn't present either.
SV_BubbleTime
Ah. So another way to say it doesn’t get your location every 4 seconds.
jibal
[flagged]
liveoneggs
how do you know it didn't lie during the decompilation?
BoorishBears
It doesn't have to lie: unfortunately libraries that are essentially a full application themselves (complete with their own permissions) are not uncommon on mobile.
So it could come across a manifest that includes location permissions and some code that would (if enabled) send location, but it might do a bad job properly tracing
ddtaylor
I think you should make proper counter arguments instead of dismissing something because they used a specific tool.
Ad-HomineLLM is a logical fallacy IMO and adds little value. I would hope eventually HN and other sites add this to the guidelines similar to other claims like vote manipulation etc.
treykeown
Sorry, making up a word to try and frame distrust of LLM-generated content as a “logical fallacy” is a bad take.
HN doesn’t have guidelines against anti-LLM rhetoric, but it does for LLM-generated comments.
> Don't post generated comments or AI-edited comments. HN is for conversation between humans.
nazgul17
GP was arguing against the OP, not a comment, and AI written posts are fair game.
Also, the comment you responded to was criticizing the attack to the substance of the post based on who/what wrote is. The comment neologism actually fits, IMO.
reactordev
Violating the law is what the White House is all about these days.
julianlam
This site makes my browser choke.
Reader mode was the only thing that made it readable.
ray_v
I was looking for this comment - it makes my browser choke as well! I thought it was just my tablet, but interesting that others see that too.
sitzkrieg
i assumed it was malware out the gate. yep
nine_k
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
So at least it does something actually beneficial for the user! I wish it could go even further, the way Reader Mode in a browser would go.
lukewarm707
i downloaded the app but it doesn't let you use the browser. i thought it was the white house doing something helpful for once and giving us some internet freedom. alas.
1e1a
This website is quite GPU intensive when scrolling.
wnevets
> That's a personal GitHub Pages site. If the lonelycpp GitHub account gets compromised, whoever controls it can serve arbitrary HTML and JavaScript to every user of this app, executing inside the WebView context.
I was promised a meritocracy and non stop winning. When do those begin?
vineyardmike
> The official White House Android app has a cookie/paywall bypass injector, tracks your GPS every 4.5 minutes (9.5m when in background), and loads JavaScript from some guy's GitHub Pages (“lonelycpp” is acct, loads iframe viewer page).
Doesn’t seem too crazy for a generic react native app but of course coming from the official US government, it’s pretty wide open to supply chain attacks. Oh and no one should be continually giving the government their location. Pretty crazy that the official government is injecting JavaScript into web views to override the cookie banners and consent forms - it is often part of providing legal consent to the website TOS. But legal consent is not their strong suit I guess.
trimethylpurine
Aren't the banners for EU page visitors. I don't think there is a US law about this, is there?
bsimpson
Some states have them. California has a similar one "Don't Sell My Personal Information."
trimethylpurine
I think the Supremacy Clause protects federal agencies but not sure. Also Privileges and Immunities, and Commerce clauses...
xocnad
And when the app links off to an EU site? Nothing prevents an EU user from using this app. There are a variety of Trump enthusiasts, though I suspect less than there are here in the US.
trimethylpurine
I think they just fine the entity doing business in the EU. If they don't do business there, I can't see any issues.
I'm not an attorney, but I don't find any cases that extend beyond that.
wincy
Quite honestly, it’d be hilarious to see the clown car response from the White House if some EU bureaucrats tried to enforce their GDPR rules on the White House though. “Lol Make us” is the nicest response I can guess at.
az09mugen
Please don't give them ideas.
subscribed
They conduct a pervasive, hidden, persistent user tracking not only without consent, looking at the analysis, but also stripping the user from a chance of declining tracking on other sites.
I'm quite sure that's illegal.
trimethylpurine
Which federal law would be relevant here? I'm only aware of California and EU laws that might be. But, I'm fairly certain they don't apply to the US government because of several Constitutional and international laws superseding.
I'm not sure. If there is an attorney to answer that would be interesting.
AnonyMD
If this is true, it would be a symbolic event marking the disappearance of freedom, a source of pride for the United States.
herbst
This. Definitely not the moment you voted the same bullshit AGAIN expecting anything else than the end of the US as we all know it.
oefrha
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
Giving people a taste of web with Ublock Origin annoyance filters applied, refreshing. Can’t believe orange man regime is doing one thing right.
jcmartinezdev
Even though those pop ups and paywalls are annoying, you shouldn’t be injecting custom CSS and JS like that. It’s just wrong.
And the location… well, if one day they need you, they’ll sure be glad they know your each steps and current location .
It’s not a bug, it’s a feature.
ChicagoDave
I prefer my state-sponsored propaganda raw without tracking me.
Factomega
Jan 2026 Iran protests. Estimates of fatalities by the Islamic fascist regime:
* "More than 36,500 Iranians were killed by security forces during the January 8-9 crackdown." (Iran International, 1.25.26 [archive.is/OLySC]) * "Pahlavi insists the reports he is receiving suggest as many as 50,000 have been killed." (Sunday Times, 1.23.26 [archive.is/H9ua0]) * Aus. Sen. Raff Ciccone: "Tens of thousands of Iranians have been brutally murdered—reportedly, over 80,000. Many thousands more have been arrested, beaten or simply disappeared." (Hansard - Senate, 2.3.26 [archive.is/z3wFt]) * 'Ayatollah Killed 50,000 Of His Own Citizens' (Rear Admiral Mike Hewitt. TalkTV, 3.2.26 [archive.is/OaJIR]) * "Doctor accounts from Iran peg the number to be around 50,000." (WION, 3.20.26 [archive.is/IQIkR]) * "Dr. conservatively estimates 60,000 killed, 360,000 injured and at least 1 million directly affected." (Journalist Shirin Sadeghi @ShirinSadeghi 1.22.26 [archive.is/6V0gp]) * "the mass killings that claimed the lives of over 60,000 Iranians." (Agenzia Nova, 2.21.26 [archive.is/OZX4u]) * "More than 60,000 deaths in barely two days—60,000 lives wiped out—more than 300,000 people imprisoned, and over 250 executions to date". (Belgian politician, Darya Safai, Belgian Senate, 1.29.26 [tinyurl.com/lachambre29Jan26]). * "UN receives reports of 80,000 deaths in Iran." (Revista Oeste, 1.22.26 [archive.is/nlb7N]). "Some people estimate it to 80,000." (Natasha Devon. LBC. 1.25.26 [archive.is/m29qi]) * "Tens of thousands of Iranians have been brutally murdered—reportedly, over 80,000." (Aust. Sen. Raff Ciccone 2.3.26 [archive.is/z3wFt]) * "Up to 80,000 men women and children were murdered in cold blood." (The Australian, 3.16.26 [archive.ph/Il1wK])
__
(Islamic Republic: bosses of genocidal 'Palestine' regime Hamas who use its civilian population, causing their deaths in a cruel calculation).
post-it
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
Rare Trump administration W. I'm assuming there's one particular website they open in the app that shows a cookie popup, and this was a dev's heavy-handed way of making that go away.
drnick1
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
I wouldn't run a non-free government app on my phone, but this seems a positive. It's basically what uBlock does.
lukewarm707
there is no browser in the app.
mikey_p
Except the app isn't a browser, doesn't advertise this feature and hides it from it's users.
Arainach
"An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls."
In their defense, this is the first thing the Trump admin has done that's unambiguously positive for ordinary people.
ronsor
Yes, this is a major UX improvement considering I remove those with uBlock Origin anyway.
gitaarik
Yeah it's great, we can actually let go of these silly open source projects like uBlock Origin, and just rely on the government for protecting us against the dangerous web!
subscribed
Indeed.
I'd love it somehow taken out of it and made available for the general public. Custom uBlock / Adblock filers will be probably the easiest.
flexagoon
uBlock's built in filters handle it just fine, since it's very basic blocking based on html classes of the elements
shimman
I too love it when US imperialism invades digital spaces, just ignore how the US treats people critical of its own government (not just referring to the Trump admin here) then yeah sure great.
Let me know when this can ignore malware/adware from US companies then I'll give accolades.
somebudyelse
The only permissions on the play store are notifications. On data privacy, it only shows optional email or phone number. Respectfully, I call BS.
ssyhape
[flagged]
Shank
Also with something as high profile as this, it could also be a politically motivated actor just sabotaging it out of spite.
kaluga
[dead]
pugchat
[dead]
iam_circuit
[dead]
alcor-z
[dead]
nguyendinhdoan
[dead]
crimshawz
[flagged]
enigmaTest
[flagged]
OrangeMusic
"yappy yappy"? What?
razkaplan
[flagged]
verteu
> Don't post generated comments or AI-edited comments. HN is for conversation between humans.
analog31
[flagged]
tomhow
Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes.
Please don't fulminate. Please don't sneer, including at the rest of the community.
Eschew flamebait. Avoid generic tangents. Omit internet tropes.
Please don't post shallow dismissals, especially of other people's work. A good critical comment teaches us something.
Please don't use Hacker News for political or ideological battle. It tramples curiosity.
Please don't pick the most provocative thing in an article or post to complain about in the thread. Find something interesting to respond to instead.
wincy
Every default setup on every website and app for the last five or so years has been encouraging users to add pronouns, making it difficult to avoid it, even my iPhone asks me to add each person’s pronouns when I add a new contact. I don’t know why Siri needs to know that, but it’s there. There’s one website I use that won’t let you sign up as a contributor without “completing your profile”, which includes mandatory pronouns.
I guess there’s some workplaces where it’d be useful for me to update these, probably the ones Apple PMs work in.
4ndrewl
It's often useful for me so that I can know how to address you/refer to you, especially if it's a foreign (to me) name I'm unfamiliar with.
analog31
Well, it's past the edit window, and of course I accept the downvotes, but I realize that I should have provided a bit more context.
In the US, the faction in power right now is attacking perceived symbols of "woke" ideology, and one of them is the use of pronouns.
As I understand it, some government agencies are even forbidding the use of pronouns in e-mail signatures etc. So it struck me as ironic that a software component with pronouns would have evaded their notice.
I have no problem with the use of pronouns.
array_key_first
I would imagine it would be useful in 100% of English-speaking workplaces because all workplaces have the expectation of English communication, which pronouns are essential for. If I'm writing an email or a chat message, I will typically have to use a pronoun.
Inferring pronouns has always been dumb and annoying. Many names don't have obvious pronouns, for example, the name "Taylor". Is that he or she? And clicking the little profile icon and squinting to see if someone is a man or a woman is also a waste of time. It's a lot easier for everyone if it just tells you the pronoun.
vdqtp3
> If I'm writing an email or a chat message, I will typically have to use a pronoun.
It's not that hard to just avoid it. I send emails to a lot of people I haven't spoken to and don't know their gender, so I write gender-neutral emails.
array_key_first
Sure, but why would I go out of my way to use gender neutral pronouns like "they" when they can just tell me their preferred pronouns?
defrost
It's only "out of your way" if you never learned to write gender neutral from the ground up.
In the 1970s and 1980s it was the default in many Commonwealth locales to not assume that (say) Rob Owens writing mathematics and engineering papers was male (as it turns out, she isn't, the Rob is short for Robyn).
So much correspondence was with people who had Initial Surname or abstract handles that didn't broadcast gender.
array_key_first
But if someone has the ability to broadcast their preferred pronouns and we built that in, and it costs nothing, then what's the problem?
I guess I'm just not really understanding people getting upset at what I perceive to be completely made up problems. We have technology, we no longer have to assume gender neutral pronouns for everyone. They can just tell us the pronouns they want.
defrost
I cannot see the need for anything other than neutral pronouns when discussing permutations with either G.Egan or C.Praeger.
array_key_first
I cannot see the harm in using a different pronoun or opening up the ability for that - it feels like a fake or imaginary problem that we are creating such that we have something to complain about to make ourselves feel better. If we want to feel better, we should just smoke or something.
vdqtp3
How are you going to know the appropriate pronoun on your first email to "jsmith@company.com" or "ppatel@company.com"? Are you going to send an email to ask their pronouns before you send the actual email?
array_key_first
No, I'll probably just use gender neutral pronouns.
But if they reply back and their email footer has "he/him", I'm probably just gonna use he/him and not think twice about it, because I'm a well-adjusted adult.
kelnos
I wonder if that person might find it amusing to take down the file the app uses
anotherevan
My admittedly more puerile thought upon reading that bit was to change to code so it only loads goatse.
longislandguido
[flagged]
rpdillon
Nah, I suspect any app that's loading arbitrary JS from somebody's random GitHub page would get called out for that behavior. We're getting supply chain attacks daily.
mattdeboard
Are you upset people are being critical of a shabbily run government program?
longislandguido
[flagged]
paulhebert
Is this not a government program? Did someone in the cabinet choose to do this?
I’d prefer they not release shoddily build propaganda apps
mattdeboard
Uh, yeah, dude, when Whitehouse.gov announces its new app, the app is a government program. Hope this helps but something tells me it won't.
tclancy
That is some impressive willful ignorance. “If it was anybody else threatening to beat this guy up for what he was saying, you’d probably praise them. But a cop does it one time and …”
hvb2
This was probably payed for, with tax payer money, coming from an official government entity.
If any of those 3 is true, the bar should be higher than what someone just did in their free time? I would surely expect more.
periodjet
[flagged]
mmastrac
You omitted these items immediately above that line:
Injects JavaScript into every website you open through its in-app browser to hide cookie consent dialogs, GDPR banners, login walls, signup walls, upsell prompts, and paywalls.
Has a full GPS tracking pipeline compiled in that polls every 4.5 minutes in the foreground and 9.5 minutes in the background, syncing lat/lng/accuracy/timestamp to OneSignal's servers.
Loads JavaScript from a random person's GitHub Pages site (lonelycpp.github.io) for YouTube embeds. If that account is compromised, arbitrary code runs in the app's WebView.
Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing.
Sends email addresses to Mailchimp, images are served from Uploadcare, and a Truth Social embed is hardcoded with static CDN URLs. None of this is government infrastructure.
Has no certificate pinning. Standard Android trust management.
Ships with dev artifacts in production. A localhost URL, a developer IP (10.4.4.109), the Expo dev client, and an exported Compose PreviewActivity.
Profiles users extensively through OneSignal - tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation.
periodjet
[flagged]
mmastrac
> It’s hard to imagine a smug article like this dissecting a product of some other administration
Did the other administration put a "fake news" and "report to ICE" and grifting link to their own social network in their apps? I feel like you are perhaps papering over a whole lot of general shittiness of this app that didn't exist in less amateur previous administrations that at least tried to follow the norms.
fortran77
[flagged]
ceejayoz
You can report anything.
The only case they cite of an actual intervention resulting seems... entirely legit?
> An adult entertainment club lost its liquor license after a dancer and others were seen not wearing masks, the state said.
People call 911 for goofy things, too.
braebo
Did they break down your door or shoot your SO in the head for not wearing a mask?
phist_mcgee
Isn't that state based?
Also I'd say the federal government's approach to ICE deportations is a little stronger than even the COVID measures.
felipellrocha
You think this administration is trustworthy?
Ylpertnodi
Yes, but considerably less than the iranian administration. Actually, no.
rootusrootus
> Since when is the government a slick and efficiently run outfit that produces secure and well-done software products? Does no one remember the original Obamacare launch?
Wasn't that written by a private company? Canadian, IIRC.
array_key_first
> It’s hard to imagine a smug article like this dissecting a product of some other administration.
Yes, that's because this administration is uniquely awful. Basically every single thing this administration does is bad. Often so bad that it's legitimately impressive just how incompetent our leaders our.
Obviously previous administrations were not perfect, but to sit here and pretend that they are on the same level is delusion.
dinkumthinkum
[flagged]
jibal
> It’s hard to imagine a[n informative] article like this dissecting a product of some other administration.
A baseless ideological claim.
replwoacause
lol honestly all of this tracks given the current administration. i'm actually surprised it isn't worse. but yeah, amateur hour for sure.
jfengel
"Amateur hour" is basically their theme. They were swept in on a wave of distrust for people who know what they're talking about. They were elected to tear down Chesterton's fence, even (and especially) the parts holding in the face-eating leopards.
To mix the metaphors further, they (the politicians and their supporters) fancy themselves the kind to dream of things that never were and ask why not. Why not have a war in Iran? You won't know until you give it a try.
trimethylpurine
I don't see what the fuss is about. This all looks pretty standard. I use random people's stuff all the time. Isn't that the point of open source?
Did you find something malicious in the random GitHub repo? If so, you should write an article about that instead.
kevinsync
Using somebody's stuff is different than hot-linking directly to a hosted version of it, even just from the perspective that dude could delete it at any time and break the whole app.
trimethylpurine
That's fair. I download and embed, personally. Still, it's not a rant worthy mistake, honestly. Suggest a better approach, sure.
array_key_first
It's definitely a rant worthy mistake because this would literally never happen in any professional app anywhere. This is a supply chain risk.
trimethylpurine
Microsoft? Okta? JetBrains? If these are amateurs, who is a professional developer?
https://www.encryptionconsulting.com/top-10-supply-chain-att...
Are you aware that common libraries like Bootstrap, FontAwesome, and HTMX walk developers through linking to their CDNs directly? In fact, FontAwesome recommends it for CDN performance.
I think you're dangerously mistaken if you believe that it "literally never" happens. It literally does happen all the damned time. And, for your own safety and others', you should assume that when you use any app for which you don't have the source code.
array_key_first
Linking to a CDN is for development only. Once the app is build you build your dependencies into the app. You don't fetch them at runtime and run them. Not only for security, but also for performance.
There's also a difference between using a CDN for, say, React and a random github project hosted by some dude.
trimethylpurine
Yeah I agree. Tell Microsoft. But, meanwhile this is normally used wrong in a lot of apps. It's not newsworthy that this one is also.
rendx
I don't know if you're being serious or not, but in case you are: There is a difference between (re)using other people's open sourced code, hopefully reviewed, and giving anyone in control of the third party repository the ability to run arbitrary code on your user's devices. Even if the "random GitHub repo" doesn't contain any malicious code right now, it may well contain some tomorrow.
torstenvl
Completely agree. This is really unique. Can you imagine if it were standard practice to be open to supply chain attacks like that, by blindly relying on hotlinked or unpinned dependencies?
trimethylpurine
Why imagine? Let's take a quick look at what's actually happening right now. We can check some widely used libraries and see what their instructions are teaching new developers.
Boostrap (code snippet from their quick start instructions): ``` <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Bootstrap demo</title> <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/css/bootst..." rel="stylesheet" integrity="sha384-sRIl4kxILFvY47J16cr9ZwB07vP4J8+LH7qKQnuqkuIAvNWLzeN8tE5YBujZqJLB" crossorigin="anonymous"> </head>
<script src="https://cdn.jsdelivr.net/npm/@popperjs/core@2.11.8/dist/umd/..." integrity="sha384-I7E8VVD/ismYTF4hNIPjVp/Zjvgyol6VFvRkX/vR+Vc4jQkC+hVqc2pM8ODewa9r" crossorigin="anonymous"></script> <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/js/bootstr..." integrity="sha... ```
Pay close attention, they are inviting the new developer to link not just to Bootstrap, but to Popper!
HTMX (code snippet from their quick start guide): ``` <script src="https://cdn.jsdelivr.net/npm/htmx.org@2.0.8/dist/htmx.min.js"></script> <!-- have a button POST a click via AJAX --> <button hx-post="/clicked" hx-swap="outerHTML"> Click Me </button> ```
Fontawesome: A video quick start guide and instructions that recommends using the direct link to the kits via CDN for performance!
Look, I certainly don't think they should be used this way. But, to say that it's unique to the White House app? I definitely wouldn't say that. In fact, I think you've dangerously overestimated the status quo.
habinero
They have not. CDNs are specifically meant for demo/non-critical usage, to make it easy for amateurs to try out the library.
You don't do this in any non-trivial system.
trimethylpurine
According to FontAwesome you're wrong. Their instructions say that their CDN is the recommended way to use their kits.
So, it's nice that you don't do this. But there's nothing special about the White House app doing it. It's very common.
torstenvl
I was being sarcastic. Although hot linking is not particularly common, it's common enough; and unpinned dependencies are just as much if not more of a supply chain attack risk.
I'd bet something like 70+% of all JS apps are inadequately protected against the risk of a malicious actor gaining access to a dependency's repo.
Pearlclutching over this while ignoring the lessons of `left-pad` and `colors` is biased motivated reasoning at best.
trimethylpurine
Awesome. Now that I know you were being sarcastic it's hilarious. It's amazing how difficult it is to tell from text.
magackame
Huh? But there are integrity checks (none in htmx case, which is strange), to prevent exactly this attack.
trimethylpurine
I'm not sure I follow. How does an integrity check help when the source is compromised? The developer doesn't know that their repo is compromised. They continue posting legitimate hashes because the repo is legitimately compromised.
lukewarm707
even open source is not that trustworthy.
there are several corpo open source ai apps that have rce built in.
to cut a long story short they pull their config from the developer's server on startup. that config has user level permissions giving rce.
some have no rce but get remote executed exfiltration of all the prompts. the app pulls its posthog config on startup and can just take all the keyboard inputs.
submit a disclosure and they do nothing or accuse of 'ai slop reports' despite being vibe coded themselves
input_sh
It's always a better idea to make a local copy of it.
Imagine they're downloading a project directly from your GitHub account. Even if you're not doing anything malicious and have no intention of doing anything malicious even after you've been aware of this, now all of a sudden your GitHub account / email is a huge target for anyone that wants to do something malicious.
xocnad
All good for you to make those choices for yourself. Your response seems to be show ignorance of all the recent supply chain attacks that have occurred. You can imagine that given the situation with the shoe gifts that many high up members of the administration and cabinet members are running this app.
trimethylpurine
I'm critical of the author.
I'm well aware of supply chain attacks. But this isn't a supply chain attack. If it were, the article would be way more interesting.
The supply chain attack articles are interesting exactly because this is so common. So what's special here other than it being loosely related to a disliked political figure? HN isn't supposed to be an especially political website.
"A common app is doing the same thing that basically every other app is doing."
Is that a good headline? No. And this isn't a good article.
xocnad
> I'm well aware of supply chain attacks. But this isn't a supply chain attack. If it were, the article would be way more interesting.
It's an article that includes coverage of the exposure to supply chain attacks, mainly via directly linking in https://lonelycpp.github.io/react-native-youtube-iframe/ifra.... You seem to be flippantly dismissing this as insignificant given the people who are probably running this app.
> HN isn't supposed to be an especially political website.
Yes but when technology and politics cross paths...
trimethylpurine
There's nothing you could exploit here. There's nothing special about this app. This article is about nothing. Not politics and not technology.
If you enjoy reading about how a guy smelled another guy's underpants and discovered that they smell like everyone else's, then rest assured, you can continue reading it over and over again if you like. I'm not able to down vote, so your enjoyment is safe from my opinion.
If he finds something interesting in there (I hope he does), and writes another article I might miss it, unfortunately, because I've written him off as a trash piece author.
EDIT: I went to use this as an example. Hilarious, this blog now has a bad SSL cert, just to put the icing on the cake.
gitaarik
For an Android game downloaded from the Play store I wouldn't find these findings surprising at all. But from an official app from the White House? Well ok, from THIS White House - you're completely right to expect that.
trimethylpurine
Lol, this is a really funny take. I'm imagining Joe Biden or George Bush asking, "did you check it for supply chain vulnerabilities?"
The DoD has been hacked countless times, by children even. I wouldn't doubt if we decompiled most government apps we'd find this same vector in many of them.
It seems like this vector is only recently a hot topic. And decades of doing things wrong won't be patched and habits broken in short time. It will take a few years to get the majority of it, and decades after that to get the next majority, and so on.
gitaarik
I agree that governments in general are very bad at this. But I also think that this admistration is even more special in it's own way.
trimethylpurine
Okay, great! So post a piece that criticizes Trump.
This one failed to do that. And that makes it stink of fanaticism (which is annoying to rational folks).
gitaarik
Come on, you're defending a sinking ship ;). Trump might be right about a lot of things, but that doesn't make him right about everything. And he and his whole administration pretends he is. And it's just pathetic and laughable how they try to keep denying how their decisions where maybe not always the wisest or most responsible. I think that is just very unprofessional, and just plainly simply childish. And I think it's becoming more and more clear that that is actually the way it is. The worse it gets the more they go in denial and the more they blame the woke democrats for everything that's their failures. They just don't know what responsibility is and only know how to turn around the narrative to blame others and to make it seem like they're the best ever. You just can't make this stuff up. But I'm actually enjoying it, because they're falling now and they're gonna fall hard. Interesting times.
trimethylpurine
I'm not defending anything. I was criticizing an author.
Your commentary, just as well, might be interesting here if you were a chat bot.
This is HN, not CNN.
rpdillon
The dependencies weren't vendored, meaning their behavior can change at any time if a malicious actor gains control of that third-party repo.
This is bad for security.
trimethylpurine
Yes, I agree. And it's sadly, as we can see, still fairly standard practice to ignore it.
ranzhh
Are those references to 45 and 47 "Easter Eggs" to Trump's presidency number(s)? As in, forty-five-press (45th president) and Version 47.x.x (47th president), as well as the text message hotline (45470).
jruz
Is this a surprise to anyone?
andix
I would've expected worse. :)
ThaFresh
nice work, so they can get your location and have ICE scoop you up if required
colesantiago
This is a pretty standard decomplation of an Android app.
I am sure if you decompile other apps used by hundreds of thousands of people, you would find all sorts of tracking in there.
Thanks for helping the White House improve their app security for free though.
yellow_lead
Even in the apps I've worked on, you won't find us loading arbitrary JS from a random GitHub user's account.
colesantiago
> Even in the apps I've worked on, you won't find us loading arbitrary JS from a random GitHub user's account.
You'd be surprised how many apps inside have hacks and workarounds because deadlines.
crtasm
Let's see if anyone can give an example of such a high profile app doing something similar.
flutas
I've worked on a three letter sports orgs (one of NFL, NBA, NHL, etc) Android app.
I always joke that we could probably tell you what color and type your underwear is on any random day with how much data is siphoned off your phone.
As for loading random JS, yeah also seen that done that before. "Partner A wants to integrate their SDK in our webviews." -> "Partner A" SDK is just loading a JS chunk in that can do whatever they want in webviews, including load more files.
Don't get me started on the sports betting SDKs...
Though we do have a Security team constantly scanning SDKs and the endpoints for changes in situations like this.
jasonlotito
> As for loading random JS, yeah also seen that done that before.
Partner A is not random JS. The assumption there is 1) you have some official signed agreement with them and 2) you've done your due diligence to ensure you can use them in this way.
It's not just some person's GH repo who can freely change that file to whatever they want.
Hotlinking is as old as the internet, and a well-worn security threat.
-retardando-
> you won't find us loading arbitrary JS from a random GitHub user's account
You load arbitrary JS from a random GitHub user's NPM package. What's the difference?
gitaarik
True for any random game app in the Play store, and flashlight and note apps. But well reputable companies don't put too much weirdness into their apps.
Looks like what you might expect in a standard marketing app from a consultancy. They probably hired someone to develop it, that shop used their standard app architecure which includes location tracking code and the other stuff.