Security Researcher Decompiled White House App – Alarming Results

beSpacific 2026-05-07

Android Headlines: “A security researcher decompiled the White House’s new official app and found some alarming stuff buried in the code, including a hidden GPS tracking pipeline, JavaScript loaded from a random GitHub account, no SSL certificate pinning, and an in-app browser that silently strips cookie consent dialogs and paywalls from every page you visit. Recently, the White House launched its own official app on iOS and Android, claiming that it gives users ‘unparalleled access to the Trump Administration’. After it launched, many tore it apart for the permissions it was asking for. Now, a security researcher pulled the APK and tore it apart to see what’s really going on. The app is a React Native build using Expo SDK 54, with WordPress powering the backend through a custom REST API. That’s pretty normal, as nearly 42% of all websites on the internet are powered by WordPress. But that’s just the start; now the nightmare begins. To start, the app has a full GPS tracking pipeline compiled in. Essentially, it’s set to poll your location every 4.5 minutes in the foreground, and 9.5 minutes in the background. It’s syncing latitude, longitude, accuracy, and timestamp data to OneSignal’s servers. These location permissions aren’t declared in the AndroidManifest, but they are hardcoded as runtime requests in the OneSignal SDK. Some have noted that the tracking only kicks in if the developer enables it server-side and the user grants permission, but it is there, ready to go…”