White House App Is a Terrifying Security Mess (androidheadlines.com)
New submitter spazmonkey writes: From a hidden GPS tracker polling your location every 4.5 minutes to JavaScript loaded from a random GitHub account, no SSL certificate pinning, and an in-app browser that silently strips cookie consent dialogs and paywalls from every page you visit, the new White House app seems to have a little bit of everything. A security researcher pulled the APK apart to discover the cybersecurity vulnerabilities. "The app is a React Native build using Expo SDK 54, with WordPress powering the backend through a custom REST API," reports Android Headlines. "That's pretty normal, as nearly 42% of all websites on the internet are powered by WordPress. But that's just the start; now the nightmare begins..." From the report: To start, the app has a full GPS tracking pipeline compiled in. Essentially, it's set to poll your location every 4.5 minutes in the foreground, and 9.5 minutes in the background. It's syncing latitude, longitude, accuracy, and timestamp data to OneSignal's servers. These location permissions aren't declared in the AndroidManifest, but they are hardcoded as runtime requests in the OneSignal SDK. Some have noted that the tracking only kicks in if the developer enables it server-side and the user grants permission, but it is there, ready to go.
And it gets even stranger. Apparently, the app is loading JavaScript from a random person's GitHub site for YouTube embeds. Yes, you read that right, it's just loading JavaScript from a random GitHub site. So if that account ever gets compromised, arbitrary code could run inside the app's WebView. There's also no SSL certificate pinning, meaning that traffic can potentially be intercepted on compromised networks like sketchy public WiFi or corporate proxies. The app also injects JavaScript and CSS into every page you visit in the in-app browser. This strips away cookie consent dialogs, GDPR banners, login walls, and paywalls. There's also leftover dev artifacts in the production build, including a localhost URL to the Metro bundler.
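The summary lists four things a reviewer can confirm statically from the unpacked APK: which location permissions the manifest actually declares, remote scripts and injected JavaScript in the bundled React Native code, leftover Metro bundler URLs, and whether the network security config pins anything. The script below is an added example, not code from the article, the researcher, or the app's developer. The manifest, bundle excerpt and network security config it scans are constructed samples standing in for the files `apktool d app.apk` would produce, and the hostnames `api.example.gov` and `someuser.github.io` are assumptions for the sample.

```python
"""Static triage of an unpacked APK for the issue classes listed above.

Added example, not code from the article, the researcher, or the app's developer.
All inputs are constructed samples standing in for files from `apktool d app.apk`;
the hostnames api.example.gov and someuser.github.io are assumptions for the sample.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample of a decoded AndroidManifest.xml
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <application android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

# Constructed excerpt of a Metro JS bundle (assets/index.android.bundle)
SAMPLE_BUNDLE = """
var dev="http://localhost:8081/index.bundle?platform=android";
fetch("https://api.example.gov/wp-json/wp/v2/posts");
injectedJavaScript:"document.querySelectorAll('.cookie-banner').forEach(n=>n.remove())",
source:{html:'<script src="https://someuser.github.io/player/embed.js"></script>'}
"""

# Constructed res/xml/network_security_config.xml with no <pin-set>
SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true"/>
</network-security-config>"""

LOCATION_PERMS = {
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}
DEV_HOSTS = {"localhost", "127.0.0.1", "10.0.2.2"}  # Metro bundler / emulator loopback
URL_RE = re.compile(r'https?://([A-Za-z0-9.-]+)[^\s\'"<>]*')
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']https?://([A-Za-z0-9.-]+)')
INJECT_RE = re.compile(r"injectedJavaScript(?:BeforeContentLoaded)?\s*:")


def manifest_location_permissions(manifest_xml: str) -> list[str]:
    """Location permissions the manifest declares.

    A runtime request from an SDK only succeeds if the permission is also
    declared here, so this is the list that matters for what the app can do.
    """
    root = ET.fromstring(manifest_xml)
    declared = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    return sorted(declared & LOCATION_PERMS)


def bundle_findings(bundle_js: str, first_party_hosts: set[str]) -> list[tuple[str, str]]:
    """Flag dev leftovers, third-party hosts, remote <script> sources and WebView injection."""
    findings: list[tuple[str, str]] = []
    seen_hosts: set[str] = set()
    for m in URL_RE.finditer(bundle_js):
        host, url = m.group(1), m.group(0)
        if host in DEV_HOSTS:
            findings.append(("dev-artifact", url))  # e.g. Metro bundler on :8081
        elif host not in first_party_hosts and host not in seen_hosts:
            seen_hosts.add(host)
            findings.append(("third-party-host", host))
    for host in SCRIPT_SRC_RE.findall(bundle_js):
        if host not in first_party_hosts:
            # Script fetched at runtime from a host you do not control: whoever
            # controls that host controls what runs inside the WebView.
            findings.append(("remote-script", host))
    if INJECT_RE.search(bundle_js):
        findings.append(("webview-js-injection", "injectedJavaScript prop present"))
    return findings


def network_config_findings(nsc_xml: str) -> list[tuple[str, str]]:
    """Check res/xml/network_security_config.xml for pinning and cleartext."""
    root = ET.fromstring(nsc_xml)
    findings: list[tuple[str, str]] = []
    if root.find(".//pin-set") is None:
        findings.append(("no-cert-pinning", "no <pin-set> in network security config"))
    for cfg in root.iter():
        if cfg.get("cleartextTrafficPermitted") == "true":
            findings.append(("cleartext-allowed", cfg.tag))
    return findings


def triage(manifest_xml: str, bundle_js: str, nsc_xml: str, first_party_hosts: set[str]) -> dict:
    """Run all three checks and return the findings grouped by source file."""
    return {
        "location_permissions": manifest_location_permissions(manifest_xml),
        "bundle": bundle_findings(bundle_js, first_party_hosts),
        "network_config": network_config_findings(nsc_xml),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_MANIFEST, SAMPLE_BUNDLE, SAMPLE_NSC, {"api.example.gov"}).items():
        print(section)
        for item in items:
            print("   ", item)
```

On a real app, feed the functions `AndroidManifest.xml`, `assets/index.android.bundle` and `res/xml/network_security_config.xml` from the apktool output directory; a Hermes bytecode bundle keeps its string table readable, so the URL and prop-name patterns still match. The no-pin-set finding is worth reading alongside the pinning thread in the comments below: a `<pin-set>` can sit inside a `<domain-config>` with a `<debug-overrides>` block that trusts user-installed CAs in debug builds, so pinning production traffic does not have to mean the device owner can never inspect it.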
Sounds like... (Score:5, Insightful)
Re:Sounds like... (Score:5, Funny)
Which one? .gov or .com?
Re: (Score:3)
Why do we need this? (Score:3, Insightful)
Who asked for this shit?
Re: Why do we need this? (Score:3)
Re:Why do we need this? (Score:4, Insightful)
The people who buy the hundreds of tacky items with his name slapped on it.
Shoes, bibles, flags, shirts, diapers, you name it.
Re: (Score:2)
You know the difference between a chickpea and garbanzo bean, right?
Trump wouldn't let a garbanzo bean on him...
Re:Why do we need this? (Score:4, Insightful)
It's very flattering that a person was so bothered by my posts that they wrote a script to follow me.
Re: (Score:2)
You got me to look at AC.
Unthanks.
Re: (Score:2)
Re: (Score:2)
It's not hard to notice morons like you
Indeed, we have easily noticed that morons like him quite a bit. They like him so much they can't help themselves from replying to his posts with pointless drivel.
Re: (Score:2)
The people who buy the hundreds of tacky items with his name slapped on it.
Shoes, bibles, flags, shirts, diapers, you name it.
but not nukes.
nukes aren't for everyone.
So, you're saying MAGA people who buy Trump merch can't buy nukes.
Uh ... good?
But you're saying diapers are okay.
Re: Why do we need this? (Score:2)
People who are full of shit need diapers
Re: (Score:3)
Anyone who thinks they need current news about what Trump is doing. Personally, I find that VK.com has more comprehensive and up to date information.
Re: (Score:2)
Re:Why do we need this? (Score:5, Funny)
Who asked for this shit?
Who asked for global tariffs, even on uninhabited islands [npr.org] (okay, penguins live there), destroying the East Wing of the White House, a (soon to be $1B taxpayer funded [pbs.org]) ballroom, a 250-foot Arc de Trump [wikipedia.org], Trump's face on coins and passports, his signature on currency, trying to annex Greenland, or starting a war with Iran -- to try and (so far fail to) achieve the same results as the Iran Nuclear Deal (JCPOA) [wikipedia.org] that Trump abandoned in his first term (probably 'cause "Obama") and, now, *reopen* the Strait of Hormuz, that was previously completely unencumbered.
Not the voters. I'm guessing ego and dementia.
[Huge (*sigh*).]
"If the lonelycpp GitHub account gets compromised" (Score:5, Insightful)
I suspect, given the potential size of the user base as well as the potential high value users on the app, "if" should be when.
In addition, given the developer's name 45-47-press, it would not surprise me if it was some Trump owned entity getting government money to develop it. Nothing like channeling some cash to your own pocket.
Correction (Score:2)
Hahahahahahah (Score:2)
WordPress powering the backend
Hahahah
What's that, Commie ? (Score:4)
You say that like it's a bad thing.
Re: (Score:3)
I feel so left out. My phone doesn't have GPS. On the other hand, it doesn't do apps either.
Re: (Score:2)
Is it one of these? [wikipedia.org] Won't even take calls then.
I particularly like the NoPhone Air. No phone, just air ... delivered in a plastic pouch.
Re: (Score:2)
Cheap flip phone that my carrier gave me (for free) when they moved to 5G and took my 3G service away. Practically all it does is make calls.
When they are so kind as to give me one bar of signal, that is.
Re: (Score:2)
Ah, okay. I assume your flip-phone is 4G at least, but the lack of apps or GPS seems unusual.
I once had a 3G flip-phone (Sanyo Katana DLX I think) but it had both.
Re: (Score:2)
Yeah, but that actually runs J2ME apps, despite your best wishes that it didn't. I used to use flip phones in those days... when ringtones were a thing.
Re: (Score:2)
Re: (Score:2)
You think it's going to remain optional ?
Re: (Score:2)
The bizarre thing is that they're acting like this is something that was deeply hidden.
Hint: Apps that don't ask you--very overtly--for permission to use GPS can't use GPS. When something asks, and you think it's sus, say no and just uninstall the app.
You're in far more danger of harm by being exposed to the actual content being published from the White House than you are the app itself.
Stupidity squared (Score:3, Informative)
How stupid must you be to run anything from this WH? In this day of web fingerprints, once you are fingerprinted using this app, that fingerprint will get used by the Maggots to follow you everywhere.
Re: (Score:2)
Re: (Score:2)
The classic web development problem. (Score:2)
This is what made the Web so successful and omnipresent while at the same time introducing this type of epically dimwitted security nightmare:
The Web has nice pictures you can click on, meaning everybody has an opinion about it and wants to develop with and for it. That's not necessarily a bad thing, but most web "developers" (emphasis on the quotes) have no idea about how the web actually works and what secure-by-design actually entails.
That's when you get this sort of thing, roughly 70%-80% of the time.
I
Re: (Score:3)
All you say is true and yet there is still no excuse for this. The feds have plenty of competently developed websites. Then they have other pieces of dogshit like this. The FCC licensing database is one of the shittiest websites which ever existed. There's no excuse for that either.
Re: The classic web development problem. (Score:3)
While you may occasionally luck into a quality deliverable, actual meeting of requirements is definitely not at the top of the list when it comes to deciding whom to hire.
Re: (Score:2)
Re:The classic web development problem. (Score:5, Insightful)
Why would any competent person agree to work for Trump's White House? Seems like a career-limiting move to me.
There are sadly many people who ought to know better who still support him. A person can be intelligent in some ways and not in others, or just have some kind of specific fault in logic which causes them to believe a specific stupid thing. I believe the majority of those cases are explained with cognitive dissonance, but it really boils down to willfully maintaining a blind spot to make oneself feel better.
Re: (Score:2)
Why would any competent person agree to work for Trump's White House? Seems like a career-limiting move to me.
There are sadly many people who ought to know better who still support him. ... I believe the majority of those cases are explained with cognitive dissonance, but it really boils down to willfully maintaining a blind spot to make oneself feel better.
Agreed, but also worth noting that being employed by them is not the same as supporting them. Keep your friends close and your enemies closer. Or to simply introduce chaos to the system (this app sure seems like it was either incompetence or chaos malice). Why allow all their grifting handouts full success in handing common monies (taxpayer money) to their chosen recipients? Doesn't seem too bizarre to take the money while throwing wrenches in the works.
Re: (Score:2)
Why would any competent person agree to work for Trump's White House? Seems like a career-limiting move to me. Money.
It doesn't matter if it significantly limits future career options; they are making bank on insider trading and there's always a future continuing to take money from the MAGA legion in the way of books, appearances, swag.
Re: (Score:2)
All you say is true and yet there is still no excuse for this. The feds have plenty of competently developed websites. Then they have other pieces of dogshit like this. The FCC licensing database is one of the shittiest websites which ever existed. There's no excuse for that either.
No worries, 18F is on the case.
Let's start addressing the issues, one by one (Score:2)
Everybody hates me
"That's a good start."
Seems on brand. (Score:5, Funny)
Re: (Score:2)
Not exactly. What they don't mention is that this requires the Location Services permission, which you, as a user, have to explicitly accept.
If you've got an Android phone I'm sure you've seen this dialog before. Even Maps has to ask the first time you run it.
There's definitely some incompetence involved in the app, but for entirely different reasons. Pulling code from a live github repository is probably pushing dangerously close to violating Google's app policies, since whatever the hell it is downloa
Avoid all custom apps like the plague (Score:2)
When I had FB, LinkedIn etc. accounts I always used them via the browser. Last I checked the LinkedIn app was some 400 MB in size. What is it all doing?
So the WH is poorly written. Maybe Truth Social has "AI" coding agent which Trump used?
Thank you for your attention to this matter!
Re: Avoid all custom apps like the plague (Score:2)
Re: Avoid all custom apps like the plague (Score:4)
Libraries. Why write code when you can just import an enormous library that already does that one simple thing you need.
Re: (Score:2)
Re: (Score:2)
As an old guy who is out of touch with software development, I have the impression that there are way too many layers these days. At some point, that will start doing damage instead of being beneficial. As I encounter more and more websites
Re: (Score:2)
I wonder about this as well. Old guy here. Back in the days when I started programming (QBasic), I was impressed when I had a compiled program of 100 kbytes! Took a lot of work to get that far. These days, a simple form that does some calculations is easily a few megabytes.
As an old guy who is out of touch with software development, I have the impression that there are way too many layers these days. At some point, that will start doing damage instead of being beneficial. As I encounter more and more websites that do not work correctly, I sometimes ponder about it. Did we go a bridge too far already?
Nah, probably just old.
The answer is yes, but...
All the techbros invested in More Compute (speed/size) as the path to AGI are idiots. Human deliberative consciousness and the human adaptive unconscious were not some inevitable, magical outcome of making neurons fire faster and brain volume larger. Quite the opposite cause-effect. The human mind isn't about the speed/size of the hardware, but about the complexity of the software that runs on that hardware. That is, consciousness IS the layers, or more precisely, a temporary emerge
Re: (Score:2)
There are exactly zero human minds running flawless perfect cognition.
Hello? I'm standing right here...
Re: (Score:2)
Naturally I assumed /. readers would already be familiar with The Kackle Exception.
Re: (Score:2)
Latest app... (Score:2)
Re: (Score:2)
Making something work is the easy part.
Certificate pinning is evil (Score:5, Interesting)
I hate how certificate pinning is a thing. It does NOT increase security from the end user's perspective. The ONLY thing certificate pinning does is allow weaponizing of devices against the owner where they cannot inspect their own traffic to confirm what is being sent. Without certificate pinning you still have full end-to-end encryption and man-in-the-middle attacks are still secured against as long as the 2 endpoints are secured, because the caveat is that you have to have physically secured endpoints. But you should have that anyway. Certificate pinning only allows companies to secure the traffic in a way that keeps even the owner of one of those 2 endpoints from being able to confirm what is being sent. That should never be allowed to happen. When security is gauged on the ability of a company to secure traffic against one of the participants, then there is something badly wrong.
Re:Certificate pinning is evil (Score:5, Interesting)
I'm also a bit confused by the GPS thing. Sure, it is compiled in, but wouldn't the user be prompted to allow their location before it could be used? I'm not really even sure that it would prompt to allow without it being declared in the manifest.
Not that I'm defending the app. It just seems more like the adage, "Never ascribe to malice that which can be explained by incompetence".
Re: (Score:2)
Agreed. It seems there are a number of security issues with this White House app (which I'll never install anyway,) but lack of pinning isn't really one of them.
Re: (Score:2)
The beg-for-forgiveness-not-permission approach of screwing users is tried and true. Many users just mash the okay button for anything they see if it means getting past a blocker that is preventing them from doing the thing they are trying to do. The same with the Android manifest; literally no one bothers reading them.
The fundamental question isn't whether the user is informed of the tracking, it's, why is the tracking happening at all?
what did you expect from a... (Score:2)
My first thought was
"""
"what did you expect from a porn site..
oh wait, oh whitehouse dot GOV not dot COM
Oh yes, indeed sorry, my bad, I should have realized- the porn site would not have been so sloppy.
"""
But on a serious note, I just about guarantee this hot mess was vibe coded and "the developer" is just some grifter who went all in on the "lets get a piece of the trump grift"
Like honestly, the whole corruption/grift machine from the trump admin is actually a sort of working "trickle down grift"
The majori
The last time Trump was president (Score:2)
I mean this is the same guy who is handing out classified documents as party favors at his golf club. How the fuck did we re-elect this idiot? 340 million Americans and we picked that...
Re: (Score:3)
We had one a decade ago. https://obamawhitehouse.archiv... [archives.gov]
But since it was implemented by a black guy the orange guy had to tear it up for being "unfair".
Re: (Score:2)
No nukes for Iran.
Second year in a row they were obliterated! A job so nice he did it twice?
What kind of moron supports what Iran is doing?
Lol. Troll harder, troll.
It's absurd.
Indeed.
Re: (Score:2)
At least he didn't feel the need to rape Thrace thrice.
Re: (Score:3)
What kind of moron supports what Iran is doing?
Why would you want Iran to get nukes?
Why do you keep posing questions with unsubstantiated premises?
I daresay nobody here wants to see a nuclear-armed Iran. We differ on how to prevent that from happening.
Re: (Score:2)
Mentally this person has to believe there was no other option than the current one.
To believe otherwise would mean Trump was wrong but more dire is the idea that Obama and the liberals were right and this type of person would just rather die than admit that. Their brain is no longer allowed to process such a thought.
Re:The last time Trump was president (Score:5, Informative)
Iran wasn't making nuclear weapons a priority until Trump decided to illegally attack them. Now, why would they agree to not develop ANY sort of weapons when you have Netanyahu and Trump violating almost every written rule for what is allowed when it comes to war? Rule one: You do NOT target civilians, at any time, and when you target a school with children inside, that is a clear violation of international law.
So now, we went from "Iran is using proxy groups to cause trouble", to Iran directly causing trouble, and that is ENTIRELY the fault of Trump and Netanyahu. Both men should be tried and sent to prison, along with those who went along with their illegal orders.
Re:The last time Trump was president (Score:5, Informative)
See the thing about that is you generally expect your leaders to present evidence of that and I mean in 2018 when he tore the deal up.
At least Bush had the wherewithal to make up some evidence, Trump didn't even bother, that's how little he thinks of you (and he's right).
Re: (Score:3)
Re: (Score:2)
"Mean Trump forced peaceful and innocent Iran to hold the entire world hostage."
Unironically yes. Not that Iran is peaceful but Trump literally forced this outcome from them. He gave them no choice but to pursue a nuke, we took away the only exit path for them not to.
Re: (Score:3)
Mean Trump forced peaceful and innocent Iran to hold the entire world hostage.
Yes. Oh wait were you joking or trying to be funny? Well if you were you came across completely ignorantly. Iran wasn't attacking the world (they had problems at home, but the world was largely untouched). By attacking Iran with an overwhelming force Trump literally in every sense of the word "literally" forced Iran to use the only leverage they had against the "strongest" nation in the world.
Unfortunately your king is an idiot and didn't realise just how much leverage they had. Apparently step 1 in the Ar
Re: (Score:2)
Re:The last time Trump was president (Score:5, Informative)
The ACA needs to die a glorious, hot, fiery death
Agreed. It's an abomination. Single Payer is the only solution.
Re: (Score:2)
Re: (Score:2)
This will be the last time I open this article....
And nothing of value will be lost.
Re: (Score:2)
Curious (Score:2)
Was this work contracted out to an Indian IT firm?
Who would have guessed? (Score:5, Insightful)
Gee, you staff the administration from top to bottom with incompetents and you get incompetence, ranging from pointless wars to lame apps. Who would have guessed?
Re:Who would have guessed? (Score:4, Insightful)
That is how a normal person thinks.
If you're MAGA then your thoughts are more like "At least the libs are suffering too".
Oh well off to fill up the 30 gallon tank on my lifted F-150 for $150. Why would Obama do this?
Re: (Score:2)
Re: (Score:2)
That's true. The whole left-vs-right deal was really cooked up by billionaires who know that if the proles are fighting each other, they're not ganging up to go after them.
That's the whole point - if we're fighting each other on silly things, we would be too busy to realize the real enemy which are the elite trying to hog all the money. The energy used to deny a pe
Re: (Score:3)
Iran is currently holding the whole world hostage
Use that alcohol-soaked brain of yours and think real hard as to what led up to Iran doing this.
Re: (Score:2)
Man I miss the DEI initiatives before we started promoting DUI.
Re: (Score:2)
Payback is a motherfucker. Maybe we shouldn't have overthrown the shah back in 1953 over oil? https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Re: (Score:2)
Sure. After all, 60% purity isn't weapons-grade, but it can become weapons-grade in weeks.
Weapons-grade uranium is 90%. The JCPOA limited Iran's enrichment to 3.67%.
Where are you getting this 60% figure?
Re: (Score:3)
Iran announced in 2021 it would begin enriching to 60% due to various reasons.
The JCPOA was created in 2015 and took effect at the beginning of 2016. It limited Iran's enrichment of uranium to a maximum of 3.67%.
Trump tore up the JCPOA in 2018, during his first term.
Consequently, Iran was no longer constrained by the JCPOA in 2021.
Too bad Trump tore it up then. He could have just let it run for its 10-year lifespan and renegotiated a renewal now. Instead, we have the current shitshow.
Re: (Score:2)
Was coming to say ... I'm shocked! Shocked! (Score:2)
Before I condemn it... (Score:2)
I can't really say it's bad for it to be doing these seemingly-bad things, until I know the answer to this: what is the app's intended purpose? Why would/should a person use it?
If it's intended to inconvenience/expose/punish users for trying to find out things about the White House, then maybe the application is doing the right thing.
GDPR (Score:2)
Do we like the GDPR banner stripping enough to say it offsets all of the other things?
whose surprised? (Score:2)
Made in America? (Score:2)
Who wrote it?
Sounds like some janky offshored slop.
Maybe it's janky American slop, but it would be good to know.
Another title that's too long (Score:2)
A shorter title would paint a more accurate picture: "White House Is a Terrifying Mess".
Why single out a mere app in a raging multi-dumpster fire?
Well, duh ... (Score:2)
It's storing all the data in a Mar-a-Lago bathroom and ballroom -- and, Spoiler Alert, this is why Trump wants a bigger ballroom at the White House. :-)
The constant GPS tracking is just to make it easier to qualify for a pardon should you storm the Capitol (again) or participate in similar activities the Administration approves of, like at blue-state voting locations and state houses... Nothing to see here, move along. /s
Who wrote the mobile app ? (Score:2)
Re: (Score:2)
Why do I not load up apps for everyth... (Score:2)
Ah, that's right. Because I resent my cell provider, every interest group I have even a minimal interest in, some store I bought something from, oh, wait, I just browsed their site, every other whatever I've encountered on the Web, pushing me to load their app.
All so they can track my activity on their site more easily, track whatever else I do, where I've been, other sites/interests/exposure to anything else I've encountered.
Don't be so naive as to think the current Administration is unique in this. Past A
Re: So is the White House (Score:2)
Re: (Score:2)
Yeah we'd have no tariffs and no $5 gallon gasoline.
Re: (Score:2)
This. The parent AC is peddling false equivalence.
Re: (Score:3)
Please don't use "hard on" and "Barron Trump" in the same sentence. I just threw up in my mouth a little.