White House App Is a Terrifying Security Mess (androidheadlines.com)
- Reference: 0183137472
- News link: https://it.slashdot.org/story/26/05/06/0424251/white-house-app-is-a-terrifying-security-mess
- Source link: https://www.androidheadlines.com/2026/05/a-security-researcher-decompiled-the-white-house-app-what-they-found-is-pretty-alarming.html
> From a hidden GPS tracker polling your location every 4.5 minutes to JavaScript loaded from a random GitHub account, no SSL certificate pinning, and an in-app browser that silently strips cookie consent dialogs and paywalls from every page you visit, the new White House app [2]seems to have a little bit of everything.
A security researcher [3]pulled the APK apart to discover the cybersecurity vulnerabilities. "The [4]app is a React Native build using Expo SDK 54, with WordPress powering the backend through a custom REST API," reports Android Headlines. "That's pretty normal, as nearly 42% of all websites on the internet are powered by WordPress. But that's just the start; now the nightmare begins..." From the report:
> To start, the app has a full GPS tracking pipeline compiled in. Essentially, it's set to poll your location every 4.5 minutes in the foreground, and 9.5 minutes in the background. It's syncing latitude, longitude, accuracy, and timestamp data to OneSignal's servers. These location permissions aren't declared in the AndroidManifest, but they are hardcoded as runtime requests in the OneSignal SDK. Some have noted that the tracking only kicks in if the developer enables it server-side and the user grants permission, but it is there, ready to go.
>
> And it gets even stranger. Apparently, the app is loading JavaScript from a random person's GitHub site for YouTube embeds. Yes, you read that right, it's just loading JavaScript from a random GitHub site. So if that account ever gets compromised, arbitrary code could run inside the app's WebView. There's also no SSL certificate pinning, meaning that traffic can potentially be intercepted on compromised networks like sketchy public WiFi or corporate proxies. The app also injects JavaScript and CSS into every page you visit in the in-app browser. This strips away cookie consent dialogs, GDPR banners, login walls, and paywalls. There's also leftover dev artifacts in the production build, including a localhost URL to the Metro bundler.
[1] https://slashdot.org/~spazmonkey
[2] https://www.androidheadlines.com/2026/05/a-security-researcher-decompiled-the-white-house-app-what-they-found-is-pretty-alarming.html
[3] https://thereallo.dev/blog/decompiling-the-white-house-app
[4] https://www.whitehouse.gov/app/
Why do we need this? (Score:4)
Who asked for this shit?
Re: Why do we need this? (Score:3)
American, freedom-loving voting public. So now Trump is expressing his freedom.
Re: (Score:3)
The people who buy the hundreds of tacky items with his name slapped on it.
Shoes, bibles, flags, shirts, diapers, you name it.
Re: (Score:2)
It's very flattering that a person was so bothered by my posts that they wrote a script to follow me.
Re: (Score:2)
>> The people who buy the hundreds of tacky items with his name slapped on it.
>> Shoes, bibles, flags, shirts, diapers, you name it.
> but not nukes.
> nukes aren't for everyone.
So, you're saying MAGA people who buy Trump merch can't buy nukes.
Uh ... good?
But you're saying diapers are okay.
Re: (Score:2)
Anyone who thinks they need current news about what Trump is doing. Personally, I find that VK.com has more comprehensive and up to date information.
Re: (Score:2)
How about - What is it, and why is it?
Play stupid games ... (Score:1)
... get stupid prizes.
Why are you so hard on Baron Trump's (Score:1)
college project?
"If the lonelycpp GitHub account gets compromised" (Score:5, Insightful)
I suspect, given the potential size of the user base as well as the potential high value users on the app, "if" should be when.
In addition, given the developer's name 45-47-press, it would not surprise me if it was some Trump owned entity getting government money to develop it. Nothing like channeling some cash to your own pocket.
Correction (Score:2)
"forty-five-press" not 45-47-press.
Hahahahahahah (Score:2)
> WordPress powering the backend
Hahahah
What's that, Commie ? (Score:3)
"a hidden GPS tracker polling your location every 4.5 minutes"
You say that like it's a bad thing.
Re: (Score:3)
I feel so left out. My phone doesn't have GPS. On the other hand, it doesn't do apps either.
Re: (Score:2)
Is it one of [1]these? [wikipedia.org] Won't even take calls then.
I particularly like the NoPhone Air. No phone, just air ... delivered in a plastic pouch.
[1] https://en.wikipedia.org/wiki/NoPhone
Re: (Score:2)
Cheap flip phone that my carrier gave me (for free) when they moved to 5G and took my 3G service away. Practically all it does is make calls.
When they are so kind as to give me one bar of signal, that is.
Re: (Score:2)
Ah, okay. I assume your flip-phone is 4G at least, but the lack of apps or GPS seems unusual.
I once had a 3G flip-phone (Sanyo Katana DLX I think) but it had both.
Re: (Score:2)
Heh, I wouldn't install the stupid app. If the government wants to track me, they have to do it the old-fashioned way. They have to use cell towers, or the backdoor that Apple has surely given the US government already!
Stupidity squared (Score:3)
How stupid must you be to run anything from this WH? In this day of web fingerprints, once you are fingerprinted using this app, that fingerprint will get used by the Maggots to follow you everywhere.
Re: (Score:2)
It's nothing new. Google already created this feature long ago.
The classic web development problem. (Score:2)
This is what made the Web so successful and omnipresent while at the same time introducing this type of epically dimwitted security nightmare:
The Web has nice pictures you can click on, meaning everybody has an opinion about it and wants to develop with and for it. That's not necessarily a bad thing, but most web "developers" (emphasis on the quotes) have no idea about how the web actually works and what secure-by-design actually entails.
That's when you get this sort of thing, roughly 70%-80% of the time.
I
Re: (Score:3)
All you say is true and yet there is still no excuse for this. The feds have plenty of competently developed websites. Then they have other pieces of dogshit like this. The FCC licensing database is one of the shittiest websites which ever existed. There's no excuse for that either.
Re: The classic web development problem. (Score:2)
It's the inevitable result of a system that treats procurement contracts primarily as opportunities for handing out corporate welfare or redirecting taxpayer money into your cronies'/family's/biggest donors' pockets.
While you may occasionally luck into a quality deliverable, actual meeting of requirements is definitely not at the top of the list when it comes to deciding whom to hire.
Re: (Score:2)
Why would any competent person agree to work for Trump's White House? Seems like a career-limiting move to me.
Re: (Score:3)
> Why would any competent person agree to work for Trump's White House? Seems like a career-limiting move to me.
There are sadly many people who ought to know better who still support him. A person can be intelligent in some ways and not in others, or just have some kind of specific fault in logic which causes them to believe a specific stupid thing. I believe the majority of those cases are explained with cognitive dissonance, but it really boils down to willfully maintaining a blind spot to make oneself feel better.
Re: (Score:2)
>> Why would any competent person agree to work for Trump's White House? Seems like a career-limiting move to me.
> There are sadly many people who ought to know better who still support him. ... I believe the majority of those cases are explained with cognitive dissonance, but it really boils down to willfully maintaining a blind spot to make oneself feel better.
Agreed, but also worth noting that being employed by them is not the same as supporting them. Keep your friends close and your enemies closer. Or to simply introduce chaos to the system (this app sure seems like it was either incompetence or chaos malice). Why allow all their grifting handouts full success in handing common monies (taxpayer money) to their chosen recipients? Doesn't seem too bizarre to take the money while throwing wrenches in the works.
Let's start addressing the issues, one by one (Score:2)
Everybody hates me
"That's a good start."
Seems on brand. (Score:4)
So it's alarmingly invasive and ignores established good practice; but in a staggeringly incompetent sort of way. Would it be the 'white house app' any other way?
Avoid all custom apps like the plague (Score:2)
When I had FB, LinkedIn etc. accounts I always used them via the browser. Last I checked the LinkedIn app was some 400 MB in size. What is it all doing?
So the WH is poorly written. Maybe Truth Social has "AI" coding agent which Trump used?
Thank you for your attention to this matter!
Re: Avoid all custom apps like the plague (Score:2)
That's what I think every time I see an app that is hundreds of megabytes. I ask myself, "What are they hiding in that bloated app that should be no more than 5 to 20 megabytes?"
Re: (Score:3)
Libraries. Why write code when you can just import an enormous library that already does that one simple thing you need.
Latest app... (Score:2)
This is just the latest app produced by the "I could code this in a weekend" crowd.
Re: (Score:1)
I once coded a web server in 2 weeks (Christmas vacation, everybody else was taking time off) to replace the webserver my bosses paid $100K for because the bloatware they paid money for had 5 bugs written against it that were assigned to me. So my barebones web server actually fixed all the issues, but it made my narcissist manager very mad at me for not asking first, even though there was nobody to ask until after the web server was finished. It took me a while to figure out why it made the managers so ups
Certificate pinning is evil (Score:3)
I hate how certificate pinning is a thing. It does NOT increase security from the end user's perspective. The ONLY thing certificate pinning does is allow weaponizing of devices against the owner, where they cannot inspect their own traffic to confirm what is being sent. Without certificate pinning you still have full end-to-end encryption, and man-in-the-middle attacks are still secured against as long as the 2 endpoints are secured, because the caveat is that you have to have physically secured endpoints. But you should have that anyway. Certificate pinning only allows companies to secure the traffic in a way that keeps even the owner of one of those 2 endpoints from being able to confirm what is being sent. That should never be allowed to happen. When security is gauged on the ability of a company to secure traffic against one of the participants, then there is something badly wrong.
Re:Certificate pinning is evil (Score:4, Interesting)
So, I wouldn't say that's entirely correct. Certificate pinning is really around not trusting the CA Trust Store certs. i.e., if Verisign is compromised, you wouldn't be affected with a pinned cert. It is a funny thing to pull out though since (and maybe I'm just behind the times), I don't think hardly anyone uses pinned certs these days. There was a push for it 10+ years ago using HPKP but that created more mess than it was worth.
I'm also a bit confused by the GPS thing. Sure, it is compiled in, but wouldn't the user be prompted to allow their location before it could be used? I'm not really even sure that it would prompt to allow without it being declared in the manifest.
Not that I'm defending the app. It just seems more like the adage, "Never ascribe to malice that which can be explained by incompetence".
Re: (Score:2)
Agreed. It seems there are a number of security issues with this White House app (which I'll never install anyway), but lack of pinning isn't really one of them.
what did you expect from a... (Score:2)
My first thought was
"""
"what did you expect from a porn site..
oh wait, oh whitehouse dot GOV not dot COM
Oh yes, indeed sorry, my bad, I should have realized- the porn site would not have been so sloppy.
"""
But on a serious note, I just about guarantee this hot mess was vibe coded and "the developer" is just some grifter who went all in on the "let's get a piece of the Trump grift".
Like honestly, the whole corruption/grift machine from the Trump admin is actually a sort of working "trickle-down grift".
The majori
The last time Trump was president (Score:3)
The number of American spies being caught or killed skyrocketed. I can't even imagine what it's like out there right now with basically zero operational security, and that dumb fuck got us into a genuine war.
I mean this is the same guy who is handing out classified documents as party favors at his golf club. How the fuck did we relax this idiot? 340 million Americans and we picked that...
Re: (Score:2)
> This will be the last time I open this article....
And nothing of value will be lost.
Re: (Score:2)
Trump has made it his mission in life to undo everything Obama ever did, including the ACA and the JCPOA.
Re: (Score:2)
We had one a decade ago. [1]https://obamawhitehouse.archiv... [archives.gov]
But since it was implemented by a black guy the orange guy had to tear it up for being "unfair".
[1] https://obamawhitehouse.archives.gov/node/328996
Re: (Score:2)
> No nukes for Iran.
Second year in a row they were obliterated! A job so nice he did it twice?
> What kind of moron supports what Iran is doing?
Lol. Troll harder, troll.
> It's absurd.
Indeed.
Re: (Score:2)
> What kind of moron supports what Iran is doing?
> Why would you want Iran to get nukes?
Why do you keep posing questions with unsubstantiated premises?
I daresay nobody here wants to see a nuclear-armed Iran. We differ on how to prevent that from happening.
Re: (Score:2)
Mentally this person has to believe there was no other option than the current one.
To believe otherwise would mean Trump was wrong but more dire is the idea that Obama and the liberals were right and this type of person would just rather die than admit that. Their brain is no longer allowed to process such a thought.
Re: (Score:2)
Iran wasn't making nuclear weapons a priority until Trump decided to illegally attack them. Now, why would they agree to not develop ANY sort of weapons when you have Netanyahu and Trump violating almost every written rule for what is allowed when it comes to war? Rule one: You do NOT target civilians, at any time, and when you target a school with children inside, that is a clear violation of international law.
So now, we went from "Iran is using proxy groups to cause trouble", to Iran directly causing
Re: (Score:2)
You mean the guy that unilaterally pulled out of the Iran nuclear nonproliferation agreement, then had to go back and bomb and kill little girls to "fix" the problem he himself created?
Curious (Score:2)
Was this work contracted out to an Indian IT firm?
Who would have guessed? (Score:5, Insightful)
Gee, you staff the administration from top to bottom with incompetents and you get incompetence, ranging from pointless wars to lame apps. Who would have guessed?
Re: (Score:2)
That is how a normal person thinks.
If you're MAGA then your thoughts are more like "At least the libs are suffering too".
Oh well off to fill up the 30 gallon tank on my lifted F-150 for $150. Why would Obama do this?
Re: (Score:2)
You know, research has shown that from a political perspective, a large majority of people, liberal or conservative, share the same exact values. This whole stupid shit with woke/MAGA comes down to the same ideas presented in the movie "PCU". "It's no longer us vs them, it's us vs. us". Thank you Mark Zuckerberg.
Re: (Score:1)
The Iran war should have happened during the Clinton administration when gas was as low as $0.50/gallon. Nobody would have noticed the gas price increase because leading into it gas was about $1.25/gallon. Iran hadn't built as much redundancy in their government and this terrorist state would have been gone a long time ago. The lesson from this war and the Gaza war is that these governments don't give a damn about their own people, they just want to stay in power. I guess for them those 72 virgins are wort
Re: (Score:2)
Payback is a motherfucker. Maybe we shouldn't have overthrown the shah back in 1953 over oil? [1]https://en.wikipedia.org/wiki/... [wikipedia.org]
[1] https://en.wikipedia.org/wiki/1953_Iranian_coup_d'%C3%A9tat
Re: (Score:1)
> I guess for them those 72 virgins are worth it. Still, 72 virgins won't be virgins for very long.
That's why Bill got in line for the 72. (By the way, did anyone see the picture of Monica Lewinsky on the news this past week? She looks like she was possessed by a wraith.)
So is the White House (Score:1)
"Terrifying Security Mess" sums up the Trump regime all around.
Re: So is the White House (Score:2)
The US Gov outlived its usefulness. It needs to be completely rebuilt from the ground up with accountability so criminal behavior is severely punished. Not wanting to destroy a democratic republic, just wanting it to be truly benevolent to everyone, not just the banker billionaire class.
Was coming to say ... I'm shocked! Shocked! (Score:2)
But y'all know I'm not really. I'm surprised it doesn't have more "features" like sending all your contacts to a DOJ database, and sending every message you send to the FBI. There you go, v2.0's backlog stories for JIRA.
Before I condemn it... (Score:2)
I can't really say it's bad for it to be doing these seemingly-bad things, until I know the answer to this: what is the app's intended purpose? Why would/should a person use it?
If it's intended to inconvenience/expose/punish users for trying to find out things about the White House, then maybe the application is doing the right thing.
Sounds like... (Score:5, Insightful)
Sounds like anything else coming from White House...