HN
Today

I decompiled the White House's new app

The White House's new official app, touted for 'unparalleled access,' turns out to be a React Native mess. A deep dive reveals aggressive location tracking, web injection to bypass consent dialogs and paywalls, and a slew of insecure third-party dependencies including code served from a personal GitHub Pages. This exposé has sparked debate on government tech competence, digital ethics, and the ironic utility of some of its controversial features.

Score: 162
Comments: 53
Highest Rank: #5
On Front Page: 5h
First Seen: Mar 28, 4:00 PM
Last Seen: Mar 28, 8:00 PM
Rank Over Time: [chart not reproduced]

The Lowdown

amarcheschi's post unveils a detailed technical breakdown of the new White House mobile application, a React Native creation built with Expo. Using decompilation tools like JADX, the author meticulously dissects the app's structure and behavior, revealing a series of eyebrow-raising design choices and potential vulnerabilities that contradict expectations for a government-issued application.

  • Architectural Overview: The app is built with React Native (Expo SDK 54), Hermes JS engine, and a WordPress backend with a custom REST API. It was developed by 'forty-five-press'.
  • Content Portal: Functions primarily as a news and information hub, providing articles, live streams, galleries, and policy information, along with promotional material for the administration. Hardcoded strings like 'THE TRUMP EFFECT' and links to ice.gov/webform/ice-tip-form are present.
  • Webview Injection: A critical finding is the app's injection of JavaScript into its internal WebView for external links. This script actively strips away cookie banners, GDPR consent dialogs, login/signup walls, upsell prompts, and paywall elements from third-party websites.
  • Location Tracking: Despite a withNoLocation Expo plugin, a complete GPS tracking pipeline is compiled into the app, capable of polling location every 4.5 minutes (foreground) or 9.5 minutes (background) and syncing data (latitude, longitude, accuracy, timestamp) to OneSignal's servers. This tracking is activated by a JS call and requires user permission.
  • Third-Party Dependencies & Security Risks: YouTube video embeds load player HTML from lonelycpp.github.io, a personal GitHub Pages site, posing a significant supply chain risk if that account is compromised. Elfsight JavaScript (elfsightcdn.com) is loaded for social media widgets and runs unsandboxed within the WebView. Mailchimp handles email signups, and Uploadcare hosts images. The app lacks certificate pinning, so an attacker holding a certificate from a compromised CA could mount MITM attacks against its traffic.
  • Development Artifacts: The production build includes several development-only artifacts, such as a localhost URL, a developer's local IP, and the Expo dev client, indicating sloppy release management.
  • Extensive User Profiling: OneSignal is used not just for push notifications but also for extensive user profiling, including tags, SMS numbers, cross-device aliases, and detailed tracking of notification and in-app message interactions.
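The dev-artifact and third-party-host findings above are the kind of thing a reviewer can catch mechanically by triaging the URL strings pulled out of a decompiled bundle. The script below is an added example, not code from the article or from the app's developers: it flags plaintext-HTTP endpoints, loopback and private-network hosts left over from development, and script hosts on user-registrable domains such as GitHub Pages. The sample input is constructed for this example; the hostnames lonelycpp.github.io and elfsightcdn.com are taken from the article, while the paths, port numbers and private IP are made up.

```python
"""Triage URL strings from a decompiled app bundle for release-hygiene and
supply-chain indicators. Added example; not the article's or the app's code."""
import ipaddress
import re
from urllib.parse import urlparse

# Match http(s) URLs in a blob of extracted strings (stops at quotes/whitespace).
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

LOOPBACK_NAMES = {"localhost", "0.0.0.0"}

# Domains where anyone can register a subdomain: script served from here is
# controlled by an individual account, not by a vendor (assumption of this check).
USER_CONTROLLED_SUFFIXES = (".github.io", ".gitlab.io", ".netlify.app", ".vercel.app")

# Constructed sample of strings as they might be dumped from a JS bundle.
# Hosts lonelycpp.github.io and elfsightcdn.com come from the article; the
# paths, ports and the private IP address are invented for this example.
SAMPLE = """
https://example.gov/wp-json/wp/v2/posts
https://lonelycpp.github.io/constructed-path/player.html
https://elfsightcdn.com/platform.js
http://localhost:8081/index.bundle?platform=android
http://192.168.1.20:8081/status
"""


def classify_host(host: str) -> list[str]:
    """Return finding tags for a hostname (empty list if nothing is suspicious)."""
    findings = []
    h = host.lower()
    if h in LOOPBACK_NAMES:
        findings.append("dev-artifact:loopback")
    try:
        ip = ipaddress.ip_address(h)
        if ip.is_private or ip.is_loopback:
            findings.append("dev-artifact:private-ip")
    except ValueError:
        pass  # not an IP literal; fall through to domain checks
    if h.endswith(USER_CONTROLLED_SUFFIXES):
        findings.append("supply-chain:user-controlled-host")
    return findings


def triage(text: str) -> dict[str, list[str]]:
    """Map every flagged URL found in `text` to its sorted list of findings."""
    results: dict[str, list[str]] = {}
    for url in set(URL_RE.findall(text)):
        parsed = urlparse(url)
        findings = []
        if parsed.scheme == "http":
            findings.append("transport:plaintext-http")
        if parsed.hostname:
            findings.extend(classify_host(parsed.hostname))
        if findings:
            results[url] = sorted(findings)
    return results


if __name__ == "__main__":
    for url, tags in sorted(triage(SAMPLE).items()):
        print(f"{url}\n    {', '.join(tags)}")
```

Run it against `strings` output (or the Hermes bundle's string table) from an extracted APK and review every hit: a localhost or RFC 1918 address in a release build points at leftover dev tooling, and a user-controlled host serving executable content into a WebView is a dependency that should be vendored or pinned rather than fetched live.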

The author concludes that while none of these practices might be illegal, they certainly fall short of what one would expect from an official government application, highlighting concerns around security, privacy, and development best practices.

The Gossip

Skepticism and Technical Nuance

A significant portion of the discussion revolved around verifying the article's claims, particularly concerning location tracking. Some commenters initially doubted the app's ability to track location without explicit permission or manifest declarations, while others pointed out that the article carefully stated the *capability* and the necessity of user consent. There was debate about whether the location permissions were truly absent from the AndroidManifest or declared in a different manner, with one commenter confirming Play Store listings show location access. The concept of 'dead code' vs. 'callable code' and the implications of the author's decompilation approach were also discussed.

Bypassing Banners: A 'Feature' Fiasco

Ironically, the app's feature of injecting JavaScript to strip cookie consent dialogs, GDPR banners, login walls, and paywalls was met with widespread, often sarcastic, approval. Many commenters lauded this as an unexpected 'benefit' for the user, likening it to an ad-blocker or reader mode functionality. This led to discussions about the general annoyance of such web elements and the unexpected positive outcome from an otherwise questionable technical implementation by a government entity.

Dependency Disasters & Developer Debacles

The revelations about loading JavaScript from a personal GitHub Pages site, integrating commercial SaaS widgets like Elfsight, and the presence of numerous dev artifacts in a production build sparked strong criticism. Commenters highlighted the severe supply chain attack risks posed by relying on unvetted, external, and mutable third-party resources. There was a consensus that such practices are highly unprofessional and dangerous for any application, let alone one from the White House, although some acknowledged that similar 'hacks due to deadlines' occur in many corporate apps.

Political Punditry & Predictable Pitfalls

The discussion frequently veered into the political context of the app's release, with many commenters attributing its shoddy development practices to the specific administration it represents. Terms like 'amateur hour' were used to describe the overall quality, linking it to a perceived distrust of experts. Some jokes were made about 'Easter Eggs' related to presidential numbers and the potential for surveillance (e.g., ICE tips). There was a general sentiment among some that such technical sloppiness was not surprising given the source.