I decompiled the White House's new app
a day ago
- #privacy_concerns
- #security_analysis
- #government_app
- The White House app is a React Native application using Expo SDK 54 and Hermes, with a WordPress backend providing content via custom REST API endpoints.
- It injects JavaScript into third-party websites to hide cookie consent dialogs, GDPR banners, login walls, and paywalls, overriding user interface elements.
- The app includes a location tracking pipeline via OneSignal, capable of polling GPS every 4.5 minutes in the foreground and every 9.5 minutes in the background, depending on user permissions and settings.
- It loads external JavaScript from unofficial sources like a personal GitHub Pages account for YouTube embeds and Elfsight for social media widgets, posing potential security risks.
- User data is collected extensively, including emails via Mailchimp, images from Uploadcare, and tracking through OneSignal for tags, SMS numbers, aliases, and interactions.
- The app lacks certificate pinning, so its traffic can be intercepted by a network attacker who holds a certificate issued by a compromised certificate authority that the device trusts.
- Production builds contain development artifacts such as localhost URLs, hardcoded developer IPs, and leftover components like the Expo dev client and Compose PreviewActivity.
- Permissions include fine and coarse location requests at runtime, along with others for notifications, storage, and biometric hardware, as listed on Google Play.
- It uses numerous third-party libraries for functionality, including push notifications, analytics, networking, and multimedia, with 25 native .so libraries in the arm64 split.
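
The findings above about externally loaded JavaScript and leftover development URLs are the kind a release gate can catch before a build ships. The following is an added example, not code from the app or from the original analysis: it scans strings extracted from a bundle and flags development endpoints, hardcoded IPs, cleartext URLs, and hosts outside an approved list. The allowlist, host names, and sample strings are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: hosts the release team has reviewed and approved (hypothetical).
APPROVED_HOSTS = {"api.example.org"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

def classify(url):
    """Return a finding label for one URL, or None if it is acceptable."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "malformed"
    host = (parts.hostname or "").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal, treat as a DNS name
    if host == "localhost" or (ip is not None and (ip.is_loopback or ip.is_private)):
        return "dev-artifact"      # loopback or RFC 1918 address left in the build
    if ip is not None:
        return "hardcoded-ip"      # public IP literal instead of a named service
    if parts.scheme != "https":
        return "cleartext"
    if host not in APPROVED_HOSTS:
        return "unapproved-host"   # remote content from a host nobody signed off on
    return None

def audit(strings):
    """Scan extracted strings; return sorted, de-duplicated (label, url) findings."""
    findings = set()
    for s in strings:
        for url in URL_RE.findall(s):
            label = classify(url)
            if label:
                findings.add((label, url))
    return sorted(findings)

# Constructed sample input, shaped like strings pulled from a decompiled bundle.
SAMPLE = [
    'fetch("https://api.example.org/wp-json/app/v1/home")',
    'const DEV = "http://localhost:8081/index.bundle"',
    'baseURL: "http://10.0.2.2:3000/api"',
    '<script src="https://example-user.github.io/yt-embed/player.js"></script>',
    '<script src="https://widgets.example.net/platform.js"></script>',
]

if __name__ == "__main__":
    for label, url in audit(SAMPLE):
        print(f"{label:16} {url}")
```

Run in CI against the output of a strings pass over the release bundle, a non-empty result fails the build until each host is either removed or added to the approved list after review.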