White House App Is a Terrifying Security Mess (androidheadlines.com)

New submitter spazmonkey writes: From a hidden GPS tracker polling your location every 4.5 minutes to JavaScript loaded from a random GitHub account, no SSL certificate pinning, and an in-app browser that silently strips cookie consent dialogs and paywalls from every page you visit, the new White House app seems to have a little bit of everything. A security researcher pulled the APK apart to discover the cybersecurity vulnerabilities. "The app is a React Native build using Expo SDK 54, with WordPress powering the backend through a custom REST API," reports Android Headlines. "That's pretty normal, as nearly 42% of all websites on the internet are powered by WordPress. But that's just the start; now the nightmare begins..." From the report: To start, the app has a full GPS tracking pipeline compiled in. Essentially, it's set to poll your location every 4.5 minutes in the foreground, and 9.5 minutes in the background. It's syncing latitude, longitude, accuracy, and timestamp data to OneSignal's servers. These location permissions aren't declared in the AndroidManifest, but they are hardcoded as runtime requests in the OneSignal SDK. Some have noted that the tracking only kicks in if the developer enables it server-side and the user grants permission, but it is there, ready to go.

And it gets even stranger. Apparently, the app is loading JavaScript from a random person's GitHub site for YouTube embeds. Yes, you read that right, it's just loading JavaScript from a random GitHub site. So if that account ever gets compromised, arbitrary code could run inside the app's WebView. There's also no SSL certificate pinning, meaning that traffic can potentially be intercepted on compromised networks like sketchy public WiFi or corporate proxies. The app also injects JavaScript and CSS into every page you visit in the in-app browser. This strips away cookie consent dialogs, GDPR banners, login walls, and paywalls. There are also leftover dev artifacts in the production build, including a localhost URL to the Metro bundler.

  • Sounds like... (Score:5, Insightful)

    by korgitser ( 1809018 ) on Wednesday May 06, 2026 @07:11AM (#66129990)
    Sounds like anything else coming from White House...
  • by rossdee ( 243626 ) on Wednesday May 06, 2026 @07:14AM (#66129992)

    Who asked for this shit?

  • by Anonymous Coward

    ... get stupid prizes.

  • by Registered Coward v2 ( 447531 ) on Wednesday May 06, 2026 @07:28AM (#66130010)

    I suspect, given the potential size of the user base as well as the potential high value users on the app, "if" should be when.

    In addition, given the developer's name 45-47-press, it would not surprise me if it was some Trump owned entity getting government money to develop it. Nothing like channeling some cash to your own pocket.

  • WordPress powering the backend

    Hahahah

  • by greytree ( 7124971 ) on Wednesday May 06, 2026 @07:31AM (#66130014)
    "a hidden GPS tracker polling your location every 4.5 minutes"

    You say that like it's a bad thing.
    • by PPH ( 736903 )

      I feel so left out. My phone doesn't have GPS. On the other hand, it doesn't do apps either.

      • Is it one of these? [wikipedia.org] Won't even take calls then.

        I particularly like the NoPhone Air. No phone, just air ... delivered in a plastic pouch.

        • by PPH ( 736903 )

          Cheap flip phone that my carrier gave me (for free) when they moved to 5G and took my 3G service away. Practically all it does is make calls.

          When they are so kind as to give me one bar of signal, that is.

          • Ah, okay. I assume your flip-phone is 4G at least, but the lack of apps or GPS seems unusual.

            I once had a 3G flip-phone (Sanyo Katana DLX I think) but it had both.

• Yeah, but that actually runs J2ME apps, despite your best wishes that it didn't. I used to use flip phones in those days... when ringtones were a thing.

    • by GoTeam ( 5042081 )
Heh, I wouldn't install the stupid app. If the government wants to track me, they have to do it the old-fashioned way. They have to use cell towers, or the backdoor that Apple has surely given the US government already!
  • by gtall ( 79522 ) on Wednesday May 06, 2026 @07:47AM (#66130034)

How stupid must you be to run anything from this WH? In this day of web fingerprints, once you are fingerprinted using this app, that fingerprint will get used by the Maggots to follow you everywhere.

• This is what made the Web so successful and omnipresent while at the same time introducing this type of epically dimwitted security nightmare:

    The Web has nice pictures you can click on, meaning everybody has an opinion about it and wants to develop with and for it. That's not necessarily a bad thing, but most web "developers" (emphasis on the quotes) have no idea about how the web actually works and what secure-by-design actually entails.

    That's when you get this sort of thing, roughly 70%-80% of the time.

    I

    • All you say is true and yet there is still no excuse for this. The feds have plenty of competently developed websites. Then they have other pieces of dogshit like this. The FCC licensing database is one of the shittiest websites which ever existed. There's no excuse for that either.

      • It's the inevitable result of a system that treats procurement contracts primarily as opportunities for handing out corporate welfare or redirecting taxpayer money into your cronies'/family's/biggest donors' pockets.

        While you may occasionally luck into a quality deliverable, actual meeting of requirements is definitely not at the top of the list when it comes to deciding whom to hire.
      • Why would any competent person agree to work for Trump's White House? Seems like a career-limiting move to me.
        • Why would any competent person agree to work for Trump's White House? Seems like a career-limiting move to me.

          There are sadly many people who ought to know better who still support him. A person can be intelligent in some ways and not in others, or just have some kind of specific fault in logic which causes them to believe a specific stupid thing. I believe the majority of those cases are explained with cognitive dissonance, but it really boils down to willfully maintaining a blind spot to make oneself feel better.

          • by unrtst ( 777550 )

            Why would any competent person agree to work for Trump's White House? Seems like a career-limiting move to me.

            There are sadly many people who ought to know better who still support him. ... I believe the majority of those cases are explained with cognitive dissonance, but it really boils down to willfully maintaining a blind spot to make oneself feel better.

Agreed, but also worth noting that being employed by them is not the same as supporting them. Keep your friends close and your enemies closer. Or to simply introduce chaos to the system (this app sure seems like it was either incompetence or chaos malice). Why allow all their grifting handouts full success in handing common monies (taxpayer money) to their chosen recipients? Doesn't seem too bizarre to take the money while throwing wrenches in the works.

      • All you say is true and yet there is still no excuse for this. The feds have plenty of competently developed websites. Then they have other pieces of dogshit like this. The FCC licensing database is one of the shittiest websites which ever existed. There's no excuse for that either.

        No worries, 18F is on the case.

  • Everybody hates me

    "That's a good start."

  • by fuzzyfuzzyfungus ( 1223518 ) on Wednesday May 06, 2026 @08:02AM (#66130054) Journal
    So it's alarmingly invasive and ignores established good practice; but in a staggeringly incompetent sort of way. Would it be the 'white house app' any other way?
  • When I had FB, LinkedIn etc accounts I always used them via the browser. Last I checked the LinkedIn app was some 400Mb in size. What is it all doing?

    So the WH is poorly written. Maybe Truth Social has "AI" coding agent which Trump used?

    Thank you for your attention to this matter!

• That's what I think every time I see an app that is hundreds of megabytes, I ask myself "what are they hiding in that bloated app that should be no more than 5 to 20 megabytes"
      • Libraries. Why write code when you can just import an enormous library that already does that one simple thing you need.

• Shouldn't we import three? Just in case one of the libraries has a bug? If two of three libraries give the same result, the other one is flawed.
      • I wonder about this as well. Old guy here. Back in the days I started programming (qbasic), I was impressed when I had a compiled program of 100 kbytes! Took a lot of work to get that far. These days, a simple form that does some calculations is easily a few megabytes.
        As an old guy who is out of touch with software development, I have the impression that there are way too many layers these days. At some point, that will start doing damage instead of being beneficial. As I encounter more and more websites
        • I wonder about this as well. Old guy here. Back in the days I started programming (qbasic), I was impressed when I had a compiled program of 100 kbytes! Took a lot of work to get that far. These days, a simple form that does some calculations is easily a few megabytes.

          As an old guy who is out of touch with software development, I have the impression that there are way too many layers these days. At some point, that will start doing damage instead of being beneficial. As I encounter more and more websites that do not work correctly, I sometimes ponder about it. Did we go a bridge too far already?

          Nah, probably just old.

          The answer is yes, but...

          All the techbros invested in More Compute (speed/size) as the path to AGI are idiots. Human deliberative consciousness and the human adaptive unconscious were not some inevitable, magical outcome of making neurons fire faster and brain volume larger. Quite the opposite cause-effect. The human mind isn't about the speed/size of the hardware, but about the complexity of the software that runs on that hardware. That is, consciousness IS the layers, or more precisely, a temporary emerge

  • This is just the latest app produced by the "I could code this in a weekend" crowd.
    • I once coded a web server in 2 weeks (Christmas vacation, everybody else was taking time off) to replace the webserver my bosses paid $100K for because the bloatware they paid money for had 5 bugs written against it that were assigned to me. So my barebones web server actually fixed all the issues, but it made my narcissist manager very mad at me for not asking first, even though there was nobody to ask until after the web server was finished. It took me a while to figure out why it made the managers so ups
    • Ah the flashy shiny team that is revolutionizing the software world by doing things 10x faster than those below average programmers from the competition?
      Making something work is the easy part.
  • by rtkluttz ( 244325 ) on Wednesday May 06, 2026 @08:27AM (#66130082) Homepage

I hate how certificate pinning is a thing. It does NOT increase security from the end user's perspective. The ONLY thing certificate pinning does is allow weaponizing of devices against the owner, where they cannot inspect their own traffic to confirm what is being sent. Without certificate pinning you still have full end-to-end encryption, and man-in-the-middle attacks are still secured against as long as the 2 endpoints are secured, because the caveat is that you have to have physically secured endpoints. But you should have that anyway. Certificate pinning only allows companies to secure the traffic in a way that keeps even the owner of one of those 2 endpoints from being able to confirm what is being sent. That should never be allowed to happen. When security is gauged on the ability of a company to secure traffic against one of the participants, then there is something badly wrong.

    • by ERJ ( 600451 ) on Wednesday May 06, 2026 @09:39AM (#66130186)
      So, I wouldn't say that's entirely correct. Certificate pinning is really around not trusting the CA Trust Store certs. i.e., if Verisign is compromised, you wouldn't be affected with a pinned cert. It is a funny thing to pull out though since (and maybe I'm just behind the times), I don't think hardly anyone uses pinned certs these days. There was a push for it 10+ years ago using HPKP but that created more mess than it was worth.

      I'm also a bit confused by the GPS thing. Sure, it is compiled in, but wouldn't the user be prompted to allow their location before it could be used? I'm not really even sure that it would prompt to allow without it being declared in the manifest.

      Not that I'm defending the app. It just seems more like the adage, "Never ascribe to malice that which can be explained by incompetence".
      • Agreed. It seems there are a number of security issues with this White House app (which I'll never install anyway,) but lack of pinning isn't really one of them.

• The beg-for-forgiveness-not-permission approach of screwing users is tried and true. Many users just mash the okay button for anything they see if it means getting past a blocker that is preventing them from doing the thing they are trying to do. The same with the Android Manifest, literally no one bothers reading them.

        The fundamental question isn't whether the user is informed of the tracking, it's, why is the tracking happening at all?

        • It's not, actually. The article breathlessly talks about how much location tracking it is doing, but then it adds at the end a note to the effect that "it's not actually able to do any of this tracking without asking for user permission, which it doesn't try to get." It looks like they used some SDK for notifications that includes the tracking capability but didn't actually request the needed permissions.
  • My first thought was

    """
    "what did you expect from a porn site..

    oh wait, oh whitehouse dot GOV not dot COM

    Oh yes, indeed sorry, my bad, I should have realized- the porn site would not have been so sloppy.
    """

But on a serious note, I just about guarantee this hot mess was vibe coded and "the developer" is just some grifter who went all in on the "let's get a piece of the Trump grift"

    Like honestly, the whole corruption/grift machine from the trump admin is actually a sort of working "trickle down grift"

    The majori

  • The number of American spies being caught or killed skyrocketed. I can't even imagine what it's like out there right now with basically zero operational security and that dumb fuck got us into a genuine War.

    I mean this is the same guy who is handing out classified documents as party favors at his golf club. How the fuck did we relax this idiot? 340 million Americans and we picked that...
  • Was this work contracted out to an Indian IT firm?

  • by battingly ( 5065477 ) on Wednesday May 06, 2026 @09:11AM (#66130146)

    Gee, you staff the administration from top to bottom with incompetents and you get incompetence, ranging from pointless wars to lame apps. Who would have guessed?

    • That is how a normal person thinks.

      If you're MAGA then your thoughts are more like "At least the libs are suffering too".

      Oh well off to fill up the 30 gallon tank on my lifted F-150 for $150. Why would Obama do this?

      • by dbialac ( 320955 )
        You know, research has shown that from a political perspective, a large majority of people, liberal or conservative, share the same exact values. This whole stupid shit with woke/MAGA comes down to the same ideas presented in the movie "PCU". "It's no longer us vs them, it's us vs. us". Thank you Mark Zuckerberg.
    • by dbialac ( 320955 )
      The Iran war should have happened during the Clinton administration when gas was as low as $0.50/gallon. Nobody would have noticed the gas price increase because leading into it gas was about $1.25/gallon. Iran hadn't built as much redundancy in their government and this terrorist state would have been gone a long time ago. The lesson from this war and the Gaza war is that these governments don't give a damn about their own people, they just want to stay in power. I guess for them those 72 virgins are wort
      • I guess for them those 72 virgins are worth it. Still, 72 virgins won't be virgins for very long.

        That's why Bill got in line for the 72. (By the way, did anyone see the picture of Monica Lewinsky on the news this past week? She looks like she was possessed by a wraith.)

    • Man I miss the DEI initiatives before we started promoting DUI.

  • "Terrifying Security Mess" sums up the Trump regime all around.
  • But y'all know I'm not really. I'm surprised it doesn't have more "features" like sending all your contacts to a DOJ database, and sending every message you send to the FBI. There you go, v2.0's backlog stories for JIRA.
  • I can't really say it's bad for it to be doing these seemingly-bad things, until I know the answer to this: what is the app's intended purpose? Why would/should a person use it?

    If it's intended to inconvenience/expose/punish users for trying to find out things about the White House, then maybe the application is doing the right thing.

  • Do we like the GDPR banner stripping enough to say it offsets all of the other things?

• Most of Trump's commercial products are hastily built, corner-cutting nonsense. Why would this be any different?
  • Who wrote it?

    Sounds like some janky offshored slop.

    Maybe it's janky American slop, but it would be good to know.

  • A shorter title would paint a more accurate picture: "White House Is a Terrifying Mess".

    Why single out a mere app in a raging multi-dumpster fire?

  • It's storing all the data in a Mar-a-Lago bathroom and ballroom -- and, Spoiler Alert, this is why Trump wants a bigger ballroom at the White House. :-)

The constant GPS tracking is just to make it easier to qualify for a pardon should you storm the Capitol (again) or participate in similar activities the Administration approves of, like at blue-state voting locations and state houses... Nothing to see here, move along. /s

  • The official White House mobile app was developed by a company called Dev Forty Five LLC. According to business registration records from the Utah Division of Corporations, the company was registered just nine days before the app's official launch on March 27. The registered agent for the company is listed as Ty Nielson.
