A bit skeptical of how this article is written as it seems to be mostly written by AI. Out of curiosity, I downloaded the app and it doesn't request location permissions anywhere, despite the claims in the article.
I've noticed Claude Code is happy to decompile APKs for you but isn't very good at doing reachability analysis or figuring out complex control flows. It will treat completely dead code as important as a commonly invoked function.
The permissions snippet they show also doesn't include location, and you can't request location at runtime at all without declaring it there.
I'd verify all this stuff for myself, but Play won't install it in my phone so I can't really get the APK. Maybe because I use Graphene...? but I don't know all the ways they can restrict it, maybe it's something else (though for a pixel 9a it's rather strange if it's hardware based).
--- EDIT ---
To be specific / add what I can check, this is what my Play Store "about -> permissions" is showing:
Version 47.0.1 may request access to
Other:
run at startup
Google Play license check
view network connections
prevent phone from sleeping
show notifications
com.google.android.c2dm.permission.RECEIVE
control vibration
have full network access
which appears fairly normal, and does not include location, and I think Play includes runtime location requests there. Maybe there's a version-rollout happening, or device-type targeting?
It can request with a JS call. It can't passively collect it without you approving first. The article is written like calling that JS function will turn on location tracking without consent.
It doesn't have to lie: unfortunately libraries that are essentially a full application themselves (complete with their own permissions) are not uncommon on mobile.
So it could come across a manifest that includes location permissions and some code that would (if enabled) send location, but it might do a bad job properly tracing
I think you should make proper counter arguments instead of dismissing something because they used a specific tool.
Ad-HomineLLM is a logical fallacy IMO and adds little value. I would hope eventually HN and other sites add this to the guidelines similar to other claims like vote manipulation etc.
Looks like what you might expect in a standard marketing app from a consultancy. They probably hired someone to develop it, that shop used their standard app architecure which includes location tracking code and the other stuff.
The location tracking code is within the OneSignal SDK - which is just a standard messaging platform for sending emails/push messages to users. It doesn't have some magical permissions bypass, the app itself has to request it.
If only the US Digital Service still existed as an agency to do this right. Too bad it's now been hollowed out to be DOGE, subject to multiple active lawsuits.
And r8 which does tree shaking to remove dead code is not smart enough to understand react native so it won't strip it out without extra work from the developer.
Cross referencing these different things in the article to other apps that exist was my first thought as these seem pretty generic and probably reused from somewhere else.
The Polish covid quarantine app was famously adapted from some app for store inspectors or something, as it already implemented most of the required functionalities, like asking for photos via push at random times, sending them along with a location etc.
They likely did a search-and-replace on the brand name, so you had strings like 'your invoices from Home Quarantine inc' in the code.
Not a bad thing per se, getting the app out the door asap was definitely a priority in that project for understandable reasons, but funny nonetheless.
Scrolling is extremely poorly behaved on that page for me too, Firefox 149 Windows 10. Which is quite ironic coming from an article that mainly criticizes the web dev aspects of the app!
The argument regarding no certificate pinning seems to miss that just because I might be on a network that MITM's TLS traffic doesn't mean my device trusts the random CA used by the proxy. I'd just get a TLS error, right?
Not if someone can issue the certificate signed by the CA your phone trust.
Imagine being in a cafe nearby, say, embassy of the certain north African country known for pervasive and wide espionage actions, which decides to hijack traffic in this cafe.
Or imagine living in the country where almost all of the cabinet is literally (officially) being paid by the propaganda/lobbying body of such country.
Or living int he country where lawful surveillance can happen without the jury signoff, but at a while of any police officer.
This is stopped by certificate transparency logs. Your software should refuse to accept a certificate which hasn’t been logged in the transparency logs, and if a rogue CA issues a fraudulent certificate, it will be detected.
I don't believe it's supposed to proactively check the logs as that would inevitably break in the presence of properly configured MITM middleboxes which are present on many (most?) corporate networks.
The point of the logs as I understand it is to surface events involving official CAs after the fact.
Clients are supposed to check. For example, Apple requires a varying number of SCTs in order for Safari to trust server certificates. https://support.apple.com/en-us/103214
Certificate transparency doesn't prevent misissuance, it only makes detection easier after the fact. Someone still needs to be monitoring CT and revoke the cert. I actually believe most HTTP stacks on Android don't even check cert revocations by default.
> Imagine being in a cafe nearby, say, embassy of the certain north African country known for pervasive and wide espionage actions, which decides to hijack traffic in this cafe.
How would they get your phone to trust their CA? Connecting to a Wi-Fi network doesn’t change which CAs a device trusts.
Because there is a quadrillion trusted CAs in every device you might use. A good chunk of these CAs have been compromised at one point or another, and rogue certificates are sold in the dark market. Also any goverment can coerce a domiciled CA to issue certs for their needs.
China telecom regularly has BGP announcements that conflict with level3's ASNs.
Just as a hint in case you want to dig more into the topic, RIR data is publicly available, so you can verify yourself who the offenders are.
Also check out the Geedge leaked source code, which also implements TLS overrides and inspection on a country scale. A lot of countries are customers of Geedge's tech stack, especially in the Middle East.
Just sayin' it's more common than you're willing to acknowledge.
Well yes, CAs and the ICANN model of DNS are intertwined and fundamentally broken in multiple ways. However the system as a whole is largely "good enough" as can be seen from its broad success under highly adversarial conditions in the real world.
Ok, fair point. However, I would consider any MDM-enabled device fully "compromised" in the sense that the org can see and modify everything I do on it.
An MDM orga cannot install a trusted CA on non-supervised (company owned) devices. By default on BYOD these are untrusted and require manual trust. It also cannot see everything on your device - certainly not your email, notes or files, or app data.
As someone who has an MDM-managed device, I beg to differ. Although, this one uses newer style android MDM, which involves factory resetting and doing special things during OOBE. Even if it used the older style, nothing's stopping the app for requesting file access, notification access, etc. and not working until you grant the permissions.
> That's a personal GitHub Pages site. If the lonelycpp GitHub account gets compromised, whoever controls it can serve arbitrary HTML and JavaScript to every user of this app, executing inside the WebView context.
I was promised a meritocracy and non stop winning. When do those begin?
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
So at least it does something actually beneficial for the user! I wish it could go even further, the way Reader Mode in a browser would go.
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
Giving people a taste of web with Ublock Origin annoyance filters applied, refreshing. Can’t believe orange man regime is doing one thing right.
> The official White House Android app has a cookie/paywall bypass injector, tracks your GPS every 4.5 minutes (9.5m when in background), and loads JavaScript from some guy's GitHub Pages (“lonelycpp” is acct, loads iframe viewer page).
Doesn’t seem too crazy for a generic react native app but of course coming from the official US government, it’s pretty wide open to supply chain attacks. Oh and no one should be continually giving the government their location. Pretty crazy that the official government is injecting JavaScript into web views to override the cookie banners and consent forms - it is often part of providing legal consent to the website TOS. But legal consent is not their strong suit I guess.
And when the app links off to an EU site? Nothing prevents an EU user from using this app. There are a variety of Trump enthusiasts, though I suspect less than there are here in the US.
Quite honestly, it’d be hilarious to see the clown car response from the White House if some EU bureaucrats tried to enforce their GDPR rules on the White House though. “Lol Make us” is the nicest response I can guess at.
They conduct a pervasive, hidden, persistent user tracking not only without consent, looking at the analysis, but also stripping the user from a chance of declining tracking on other sites.
Which federal law would be relevant here? I'm only aware of California and EU laws that might be. But, I'm fairly certain they don't apply to the US government because of several Constitutional and international laws superseding.
I'm not sure. If there is an attorney to answer that would be interesting.
"An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls."
In their defense, this is the first thing the Trump admin has done that's unambiguously positive for ordinary people.
I too love it when US imperialism invades digital spaces, just ignore how the US treats people critical of its own government (not just referring to the Trump admin here) then yeah sure great.
Let me know when this can ignore malware/adware from US companies then I'll give accolades.
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
Rare Trump administration W. I'm assuming there's one particular website they open in the app that shows a cookie popup, and this was a dev's heavy-handed way of making that go away.
"Amateur hour" is basically their theme. They were swept in on a wave of distrust for people who know what they're talking about. They were elected to tear down Chesterton's fence, even (and especially) the parts holding in the face-eating leopards.
To mix the metaphors further, they (the politicians and their supporters) fancy themselves the kind to dream of things that never were and ask why not. Why not have a war in Iran? You won't know until you give it a try.
Using somebody's stuff is different than hot-linking directly to a hosted version of it, even just from the perspective that dude could delete it at any time and break the whole app.
Are you aware that common libraries like Bootstrap, FontAwesome, and HTMX walk developers through linking to their CDNs directly? In fact, FontAwesome recommends it for CDN performance.
I think you're dangerously mistaken if you believe that it "literally never" happens. It literally does happen all the damned time. And, for your own safety and others', you should assume that when you use any app for which you don't have the source code.
It's always a better idea to make a local copy of it.
Imagine they're downloading a project directly from your GitHub account. Even if you're not doing anything malicious and have no intention of doing anything malicious even after you've been aware of this, now all of a sudden your GitHub account / email is a huge target for anyone that wants to do something malicious.
I don't know if you're being serious or not, but in case you are: There is a difference between (re)using other people's open sourced code, hopefully reviewed, and giving anyone in control of the third party repository the ability to run arbitrary code on your user's devices. Even if the "random GitHub repo" doesn't contain any malicious code right now, it may well contain some tomorrow.
Completely agree. This is really unique. Can you imagine if it were standard practice to be open to supply chain attacks like that, by blindly relying on hotlinked or unpinned dependencies?
Why imagine? Let's take a quick look at what's actually happening right now. We can check some widely used libraries and see what their instructions are teaching new developers.
Pay close attention, they are inviting the new developer to link not just to Bootstrap, but to Popper!
HTMX (code snippet from their quick start guide):
```
<script src="https://cdn.jsdelivr.net/npm/htmx.org@2.0.8/dist/htmx.min.js"></script>
<!-- have a button POST a click via AJAX -->
<button hx-post="/clicked" hx-swap="outerHTML">
Click Me
</button>
```
Fontawesome: A video quick start guide and instructions that recommends using the direct link to the kits via CDN for performance!
Look, I certainly don't think they should be used this way. But, to say that it's unique to the White House app? I definitely wouldn't say that. In fact, I think you've dangerously overestimated the status quo.
All good for you to make those choices for yourself. Your response seems to be show ignorance of all the recent supply chain attacks that have occurred. You can imagine that given the situation with the shoe gifts that many high up members of the administration and cabinet members are running this app.
I'm well aware of supply chain attacks. But this isn't a supply chain attack. If it were, the article would be way more interesting.
The supply chain attack articles are interesting exactly because this is so common. So what's special here other than it being loosely related to a disliked political figure? HN isn't supposed to be an especially political website.
"A common app is doing the same thing that basically every other app is doing."
Is that a good headline? No. And this isn't a good article.
Every default setup on every website and app for the last five or so years has been encouraging users to add pronouns, making it difficult to avoid it, even my iPhone asks me to add each person’s pronouns when I add a new contact. I don’t know why Siri needs to know that, but it’s there. There’s one website I use that won’t let you sign up as a contributor without “completing your profile”, which includes mandatory pronouns.
I guess there’s some workplaces where it’d be useful for me to update these, probably the ones Apple PMs work in.
I would imagine it would be useful in 100% of English-speaking workplaces because all workplaces have the expectation of English communication, which pronouns are essential for. If I'm writing an email or a chat message, I will typically have to use a pronoun.
Inferring pronouns has always been dumb and annoying. Many names don't have obvious pronouns, for example, the name "Taylor". Is that he or she? And clicking the little profile icon and squinting to see if someone is a man or a woman is also a waste of time. It's a lot easier for everyone if it just tells you the pronoun.
> If I'm writing an email or a chat message, I will typically have to use a pronoun.
It's not that hard to just avoid it. I send emails to a lot of people I haven't spoken to and don't know their gender, so I write gender-neutral emails.
Well, it's past the edit window, and of course I accept the downvotes, but I realize that I should have provided a bit more context.
In the US, the faction in power right now is attacking perceived symbols of "woke" ideology, and one of them is the use of pronouns.
As I understand it, some government agencies are even forbidding the use of pronouns in e-mail signatures etc. So it struck me as ironic that a software component with pronouns would have evaded their notice.
Are those references to 45 and 47 "Easter Eggs" to Trump's presidency number(s)? As in, forty-five-press (45th president) and Version 47.x.x (47th president), as well as the text message hotline (45470).
I've worked on a three letter sports orgs (one of NFL, NBA, NHL, etc) Android app.
I always joke that we could probably tell you what color and type your underwear is on any random day with how much data is siphoned off your phone.
As for loading random JS, yeah also seen that done that before. "Partner A wants to integrate their SDK in our webviews." -> "Partner A" SDK is just loading a JS chunk in that can do whatever they want in webviews, including load more files.
Don't get me started on the sports betting SDKs...
Though we do have a Security team constantly scanning SDKs and the endpoints for changes in situations like this.
> As for loading random JS, yeah also seen that done that before.
Partner A is not random JS. The assumption there is 1) you have some official signed agreement with them and 2) you've done your due diligence to ensure you can use them in this way.
It's not just some person's GH repo who can freely change that file to whatever they want.
Hotlinking is as old as the internet, and a well-worn security threat.
The comments in here are pretty rich. If this was any other app, everyone would be screaming about "why are you being mean to the author", flagging posts left and right.
Nah, I suspect any app that's loading arbitrary JS from somebody's random GitHub page would get called out for that behavior. We're getting supply chain attacks daily.
That is some impressive willful ignorance. “If it was anybody else threatening to beat this guy up for what he was saying, you’d probably praise them. But a cop does it one time and …”
> Is it what you'd expect from an official government app? Probably not either.
Since when is the government a slick and efficiently run outfit that produces secure and well-done software products? Does no one remember the original Obamacare launch?
It’s hard to imagine a smug article like this dissecting a product of some other administration. There’s something very weird and off about stuff like this.
You omitted these items immediately above that line:
Injects JavaScript into every website you open through its in-app browser to hide cookie consent dialogs, GDPR banners, login walls, signup walls, upsell prompts, and paywalls.
Has a full GPS tracking pipeline compiled in that polls every 4.5 minutes in the foreground and 9.5 minutes in the background, syncing lat/lng/accuracy/timestamp to OneSignal's servers.
Loads JavaScript from a random person's GitHub Pages site (lonelycpp.github.io) for YouTube embeds. If that account is compromised, arbitrary code runs in the app's WebView.
Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing.
Sends email addresses to Mailchimp, images are served from Uploadcare, and a
Truth Social embed is hardcoded with static CDN URLs. None of this is government infrastructure.
Has no certificate pinning. Standard Android trust management.
Ships with dev artifacts in production. A localhost URL, a developer IP (10.4.4.109), the Expo dev client, and an exported Compose PreviewActivity.
Profiles users extensively through OneSignal - tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation.
> It’s hard to imagine a smug article like this dissecting a product of some other administration
Did the other administration put a "fake news" and "report to ICE" and grifting link to their own social network in their apps? I feel like you are perhaps papering over a whole lot of general shittiness of this app that didn't exist in less amateur previous administrations that at least tried to follow the norms.
> It’s hard to imagine a smug article like this dissecting a product of some other administration.
Yes, that's because this administration is uniquely awful. Basically every single thing this administration does is bad. Often so bad that it's legitimately impressive just how incompetent our leaders our.
Obviously previous administrations were not perfect, but to sit here and pretend that they are on the same level is delusion.
Yes, giving a terorist regime billions of dollars of US tax payer money is so much more competent than decapitating it in a few hours. The “Emma’s Two Moms” campaign was a much more competent recruiting strategy. If we have anymore competence, we’ll be broke!
I've noticed Claude Code is happy to decompile APKs for you but isn't very good at doing reachability analysis or figuring out complex control flows. It will treat completely dead code as important as a commonly invoked function.
I'd verify all this stuff for myself, but Play won't install it in my phone so I can't really get the APK. Maybe because I use Graphene...? but I don't know all the ways they can restrict it, maybe it's something else (though for a pixel 9a it's rather strange if it's hardware based).
--- EDIT ---
To be specific / add what I can check, this is what my Play Store "about -> permissions" is showing:
which appears fairly normal, and does not include location, and I think Play includes runtime location requests there. Maybe there's a version-rollout happening, or device-type targeting?The article does not claim the app requests the location. It claims it can do it with a single JS call.
How would you have written it differently
so can ... any other code anywhere on a mobile device? That is how API work...
From the (limited) article, it doesn't seem they do this: https://thereallo.dev/blog/decompiling-the-white-house-app#p...
----
EDIT: I'm mistaken. From the Play Store[0] it has access to
* approximate location (network-based)
* precise location (GPS and network-based)
[0] https://play.google.com/store/apps/details?id=gov.whitehouse...
This seems to disagree with:
> The location permissions aren't declared in the AndroidManifest but requested at runtime
*shrug*, someone should dig deeper. It looks like the article may not match reality.
The Play Store doesn't show these permissions when viewed on my Pixel 9 Pro, and the APK doesn't have these permissions when downloaded/extracted.
Is there something in particular that made you conclude that or are you going just with how it felt?
For what it's worth, it didn't seem to me.
from the iphone app store: version 47.0.1 - minor bug fixes - 34 minutes ago
while the parent posted 18 minutes ago
they may have patched the location stuff as part of the “minor bug fixes”?
No location permission request prompting encountered. In system settings, where each app requesting location data is listed, it isn't present either.
So it could come across a manifest that includes location permissions and some code that would (if enabled) send location, but it might do a bad job properly tracing
Ad-HomineLLM is a logical fallacy IMO and adds little value. I would hope eventually HN and other sites add this to the guidelines similar to other claims like vote manipulation etc.
HN doesn’t have guidelines against anti-LLM rhetoric, but it does for LLM-generated comments.
> Don't post generated comments or AI-edited comments. HN is for conversation between humans.
https://news.ycombinator.com/newsguidelines.html#generated
What are your taxes paying for?
https://en.wikipedia.org/wiki/United_States_Digital_Service
Cross referencing these different things in the article to other apps that exist was my first thought as these seem pretty generic and probably reused from somewhere else.
They likely did a search-and-replace on the brand name, so you had strings like 'your invoices from Home Quarantine inc' in the code.
Not a bad thing per se, getting the app out the door asap was definitely a priority in that project for understandable reasons, but funny nonetheless.
Firefox 148.0.2 (Build #2016148295), 15542f265e9eb232f80e52c0966300225d0b1cb7 GV: 148.0.2-20260309125808 AS: 148.0.1 OS: Android 14
Imagine being in a cafe nearby, say, embassy of the certain north African country known for pervasive and wide espionage actions, which decides to hijack traffic in this cafe.
Or imagine living in the country where almost all of the cabinet is literally (officially) being paid by the propaganda/lobbying body of such country.
Or living int he country where lawful surveillance can happen without the jury signoff, but at a while of any police officer.
Maybe its not common but frequent enough.
The point of the logs as I understand it is to surface events involving official CAs after the fact.
And yes, it does break MITM use cases, for example on Chrome: https://httptoolkit.com/blog/chrome-android-certificate-tran...
How would they get your phone to trust their CA? Connecting to a Wi-Fi network doesn’t change which CAs a device trusts.
https://www.eff.org/deeplinks/2011/08/iranian-man-middle-att...
https://support.apple.com/en-us/126047
The chances of zero of these CAs having been compromised by state-level actors seems… slim.
Do you trust "Hongkong Post Root CA 3" not to fuck with things?
Your link's from 2011; the US government was still in the trusted list until 2018. https://www.idmanagement.gov/implement/announcements/04_appl...
China telecom regularly has BGP announcements that conflict with level3's ASNs.
Just as a hint in case you want to dig more into the topic, RIR data is publicly available, so you can verify yourself who the offenders are.
Also check out the Geedge leaked source code, which also implements TLS overrides and inspection on a country scale. A lot of countries are customers of Geedge's tech stack, especially in the Middle East.
Just sayin' it's more common than you're willing to acknowledge.
https (specifically the CA chain of trust) is imperfect, and can be compromised by well-placed parties.
Reader mode was the only thing that made it readable.
I was promised a meritocracy and non stop winning. When do those begin?
So at least it does something actually beneficial for the user! I wish it could go even further, the way Reader Mode in a browser would go.
Giving people a taste of web with Ublock Origin annoyance filters applied, refreshing. Can’t believe orange man regime is doing one thing right.
Doesn’t seem too crazy for a generic react native app but of course coming from the official US government, it’s pretty wide open to supply chain attacks. Oh and no one should be continually giving the government their location. Pretty crazy that the official government is injecting JavaScript into web views to override the cookie banners and consent forms - it is often part of providing legal consent to the website TOS. But legal consent is not their strong suit I guess.
I'm not an attorney, but I don't find any cases that extend beyond that.
I'm quite sure that's illegal.
I'm not sure. If there is an attorney to answer that would be interesting.
In their defense, this is the first thing the Trump admin has done that's unambiguously positive for ordinary people.
I'd love it somehow taken out of it and made available for the general public. Custom uBlock / Adblock filers will be probably the easiest.
Let me know when this can ignore malware/adware from US companies then I'll give accolades.
Rare Trump administration W. I'm assuming there's one particular website they open in the app that shows a cookie popup, and this was a dev's heavy-handed way of making that go away.
To mix the metaphors further, they (the politicians and their supporters) fancy themselves the kind to dream of things that never were and ask why not. Why not have a war in Iran? You won't know until you give it a try.
https://news.ycombinator.com/newsguidelines.html#generated
Did you find something malicious in the random GitHub repo? If so, you should write an article about that instead.
https://www.encryptionconsulting.com/top-10-supply-chain-att...
Are you aware that common libraries like Bootstrap, FontAwesome, and HTMX walk developers through linking to their CDNs directly? In fact, FontAwesome recommends it for CDN performance.
I think you're dangerously mistaken if you believe that it "literally never" happens. It literally does happen all the damned time. And, for your own safety and others', you should assume that when you use any app for which you don't have the source code.
Imagine they're downloading a project directly from your GitHub account. Even if you're not doing anything malicious and have no intention of doing anything malicious even after you've been aware of this, now all of a sudden your GitHub account / email is a huge target for anyone that wants to do something malicious.
Boostrap (code snippet from their quick start instructions): ``` <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Bootstrap demo</title> <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/css/bootst..." rel="stylesheet" integrity="sha384-sRIl4kxILFvY47J16cr9ZwB07vP4J8+LH7qKQnuqkuIAvNWLzeN8tE5YBujZqJLB" crossorigin="anonymous"> </head>
<script src="https://cdn.jsdelivr.net/npm/@popperjs/core@2.11.8/dist/umd/..." integrity="sha384-I7E8VVD/ismYTF4hNIPjVp/Zjvgyol6VFvRkX/vR+Vc4jQkC+hVqc2pM8ODewa9r" crossorigin="anonymous"></script> <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/js/bootstr..." integrity="sha... ```
Pay close attention, they are inviting the new developer to link not just to Bootstrap, but to Popper!
HTMX (code snippet from their quick start guide): ``` <script src="https://cdn.jsdelivr.net/npm/htmx.org@2.0.8/dist/htmx.min.js"></script> <!-- have a button POST a click via AJAX --> <button hx-post="/clicked" hx-swap="outerHTML"> Click Me </button> ```
Fontawesome: A video quick start guide and instructions that recommends using the direct link to the kits via CDN for performance!
Look, I certainly don't think they should be used this way. But, to say that it's unique to the White House app? I definitely wouldn't say that. In fact, I think you've dangerously overestimated the status quo.
I'm well aware of supply chain attacks. But this isn't a supply chain attack. If it were, the article would be way more interesting.
The supply chain attack articles are interesting exactly because this is so common. So what's special here other than it being loosely related to a disliked political figure? HN isn't supposed to be an especially political website.
"A common app is doing the same thing that basically every other app is doing."
Is that a good headline? No. And this isn't a good article.
This is bad for security.
A random person with pronouns, no less. That means the code is “woke.”
I guess there’s some workplaces where it’d be useful for me to update these, probably the ones Apple PMs work in.
Inferring pronouns has always been dumb and annoying. Many names don't have obvious pronouns, for example, the name "Taylor". Is that he or she? And clicking the little profile icon and squinting to see if someone is a man or a woman is also a waste of time. It's a lot easier for everyone if it just tells you the pronoun.
It's not that hard to just avoid it. I send emails to a lot of people I haven't spoken to and don't know their gender, so I write gender-neutral emails.
In the US, the faction in power right now is attacking perceived symbols of "woke" ideology, and one of them is the use of pronouns.
As I understand it, some government agencies are even forbidding the use of pronouns in e-mail signatures etc. So it struck me as ironic that a software component with pronouns would have evaded their notice.
I have no problem with the use of pronouns.
I am sure if you decompile other apps used by hundreds of thousands of people, you would find all sorts of tracking in there.
Thanks for helping the White House improve their app security for free though.
You'd be surprised how many apps inside have hacks and workarounds because deadlines.
I always joke that we could probably tell you what color and type your underwear is on any random day with how much data is siphoned off your phone.
As for loading random JS, yeah also seen that done that before. "Partner A wants to integrate their SDK in our webviews." -> "Partner A" SDK is just loading a JS chunk in that can do whatever they want in webviews, including load more files.
Don't get me started on the sports betting SDKs...
Though we do have a Security team constantly scanning SDKs and the endpoints for changes in situations like this.
Partner A is not random JS. The assumption there is 1) you have some official signed agreement with them and 2) you've done your due diligence to ensure you can use them in this way.
It's not just some person's GH repo who can freely change that file to whatever they want.
Hotlinking is as old as the internet, and a well-worn security threat.
Is there a cabinet member for the Department of Apps?
It's a throwaway app, probably written by someone that posts here.
I’d prefer they not release shoddily build propaganda apps
If any of those 3 is true, the bar should be higher than what someone just did in their free time? I would surely expect more.
Since when is the government a slick and efficiently run outfit that produces secure and well-done software products? Does no one remember the original Obamacare launch?
It’s hard to imagine a smug article like this dissecting a product of some other administration. There’s something very weird and off about stuff like this.
Injects JavaScript into every website you open through its in-app browser to hide cookie consent dialogs, GDPR banners, login walls, signup walls, upsell prompts, and paywalls.
Has a full GPS tracking pipeline compiled in that polls every 4.5 minutes in the foreground and 9.5 minutes in the background, syncing lat/lng/accuracy/timestamp to OneSignal's servers.
Loads JavaScript from a random person's GitHub Pages site (lonelycpp.github.io) for YouTube embeds. If that account is compromised, arbitrary code runs in the app's WebView.
Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing.
Sends email addresses to Mailchimp, images are served from Uploadcare, and a Truth Social embed is hardcoded with static CDN URLs. None of this is government infrastructure.
Has no certificate pinning. Standard Android trust management.
Ships with dev artifacts in production. A localhost URL, a developer IP (10.4.4.109), the Expo dev client, and an exported Compose PreviewActivity.
Profiles users extensively through OneSignal - tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation.
Did the other administration put a "fake news" and "report to ICE" and grifting link to their own social network in their apps? I feel like you are perhaps papering over a whole lot of general shittiness of this app that didn't exist in less amateur previous administrations that at least tried to follow the norms.
The only case they cite of an actual intervention resulting seems... entirely legit?
> An adult entertainment club lost its liquor license after a dancer and others were seen not wearing masks, the state said.
People call 911 for goofy things, too.
Also I'd say the federal government's approach to ICE deportations is a little stronger than even the COVID measures.
Yes, that's because this administration is uniquely awful. Basically every single thing this administration does is bad. Often so bad that it's legitimately impressive just how incompetent our leaders our.
Obviously previous administrations were not perfect, but to sit here and pretend that they are on the same level is delusion.