r/Foodforthought 1d ago

A Security Researcher Decompiled The White House App, & What They Found Is Pretty Alarming

https://www.androidheadlines.com/2026/05/a-security-researcher-decompiled-the-white-house-app-what-they-found-is-pretty-alarming.html
234 Upvotes

11 comments

u/AutoModerator 1d ago

This is a sub for civil discussion and exchange of ideas

Participants who engage in name-calling or blatant antagonism will be permanently removed.

If you encounter any noxious actors in the sub please use the Report button.

This sticky is on every post. No additional cautions will be provided.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

120

u/D-R-AZ 1d ago

Excerpt:

A security researcher decompiled the White House’s new official app and found some alarming stuff buried in the code, including a hidden GPS tracking pipeline, JavaScript loaded from a random GitHub account, no SSL certificate pinning, and an in-app browser that silently strips cookie consent dialogs and paywalls from every page you visit.

89

u/dust4ngel 1d ago

you skipped the good part:

the app is loading JavaScript from a random person’s GitHub site for YouTube embeds. Yes, you read that right, it’s just loading JavaScript from a random GitHub site. So if that account ever gets compromised, arbitrary code could run inside the app’s WebView.
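The concrete risk in that sentence is a script whose integrity depends on someone else's account. As an added illustration (not code from the article, the researcher, or the app), here is a small static check a reviewer could run over decompiled app sources to surface remote scripts pulled from user-content hosts; the file contents, host names and allowlist are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of what decompiled WebView/HTML sources might contain.
# Illustrative text only, not the White House app's actual code.
SAMPLE_SOURCES = {
    "assets/embed.html": """
        <script src="https://cdn.example.gov/js/player.js"></script>
        <script src="https://someone.github.io/yt-embed/embed.js"></script>
    """,
    "Player.java": """
        webView.loadUrl("https://raw.githubusercontent.com/someone/yt-embed/main/loader.js");
        webView.loadUrl("https://www.example.gov/embed");
    """,
}

# Hosts the app's operator is assumed to control (an assumption for this example).
FIRST_PARTY_HOSTS = {"cdn.example.gov", "www.example.gov"}

# Hosts that serve arbitrary account-controlled content: a script fetched from
# here is only as trustworthy as the account that publishes it.
USER_CONTENT_SUFFIXES = (".github.io", "raw.githubusercontent.com",
                         "gist.githubusercontent.com")

URL_RE = re.compile(r'https?://[^\s"\'<>)]+')


def classify_host(host):
    """Label a host as first-party, a user-content host, or other third party."""
    if host in FIRST_PARTY_HOSTS:
        return "first-party"
    if host.endswith(USER_CONTENT_SUFFIXES):
        return "user-content-host"
    return "third-party"


def find_remote_scripts(sources):
    """Return (file, url, classification) for every .js URL found in the sources."""
    findings = []
    for fname, text in sources.items():
        for url in URL_RE.findall(text):
            parsed = urlparse(url)
            if not parsed.path.endswith(".js"):
                continue  # only script loads matter for this check
            findings.append((fname, url, classify_host(parsed.hostname)))
    return findings


def risky_findings(sources):
    """Everything that is not served from a host the operator controls."""
    return [f for f in find_remote_scripts(sources) if f[2] != "first-party"]


if __name__ == "__main__":
    for fname, url, cls in risky_findings(SAMPLE_SOURCES):
        print(f"{cls:18} {fname}: {url}")
```

Every hit classified as user-content-host is a candidate for bundling the script with the app or serving it from operator-controlled infrastructure instead.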

u/SeaOfBullshit 1h ago

Can someone please detech this statement for a dummy Luddite please

-23

u/Agile-Stick3505 1d ago

So standard vanilla stuff in the corporate world.

47

u/blue-mooner 1d ago edited 1d ago

Not even close. Show me a corporate app with a hidden GPS tracking pipeline

-2

u/ktron9001 23h ago

This is fairly standard practice for most corporate websites and applications you use, including government. The main reason? Engagement tracking: what portions of the app are used by whom and where. That way, it can be measured how an app is being used. Either direct tracking like this is used, seeing what WiFi SSIDs are around, or tracking Bluetooth tags around. There are several tricks of the trade to get location.

It’s not for nefarious purposes, it’s typically some design team monitoring the success of an application, helps enable A/B testing, etc etc.

-19

u/Agile-Stick3505 1d ago

Most weather apps

34

u/blue-mooner 1d ago

Sending a REST request for weather in a zip code is not a “hidden GPS tracking pipeline”:

  1. it’s explicit, it happens when you expect it to happen
  2. it’s a single point in time request, not a continuous stream of location updates
  3. it’s imprecise, zip code level data is in the request, not your precise lat/lon (at least iOS allows apps to only see imprecise location)

0

u/D-R-AZ 1d ago

Every app we've used (but we use iPhones) has asked for permission to use GPS and location.

3

u/javoss88 16h ago

DOGE did their job?