> Is it what you'd expect from an official government app? Probably not either.
Since when is the government a slick and efficiently run outfit that produces secure and well-done software products? Does no one remember the original Obamacare launch?
It’s hard to imagine a smug article like this dissecting a product of some other administration. There’s something very weird and off about stuff like this.
show comments
iancarroll
A bit skeptical of how this article is written as it seems to be mostly written by AI. Out of curiosity, I downloaded the app and it doesn't request location permissions anywhere, despite the claims in the article.
I've noticed Claude Code is happy to decompile APKs for you but isn't very good at doing reachability analysis or figuring out complex control flows. It will treat completely dead code as important as a commonly invoked function.
show comments
SoftTalker
Looks like what you might expect in a standard marketing app from a consultancy. They probably hired someone to develop it, that shop used their standard app architecure which includes location tracking code and the other stuff.
show comments
somehnguy
Interesting. The site is nearly unusable to me unfortunately. '19 MBP w/ Chrome - scrolling stutters really bad
show comments
r4indeer
The argument regarding no certificate pinning seems to miss that just because I might be on a network that MITM's TLS traffic doesn't mean my device trusts the random CA used by the proxy. I'd just get a TLS error, right?
show comments
sitzkrieg
i assumed it was malware out the gate. yep
nine_k
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
So at least it does something actually beneficial for the user! I wish it could go even further, the way Reader Mode in a browser would go.
ranzhh
Are those references to 45 and 47 "Easter Eggs" to Trump's presidency number(s)? As in, forty-five-press (45th president) and Version 47.x.x (47th president), as well as the text message hotline (45470).
vineyardmike
> The official White House Android app has a cookie/paywall bypass injector, tracks your GPS every 4.5 minutes (9.5m when in background), and loads JavaScript from some guy's GitHub Pages (“lonelycpp” is acct, loads iframe viewer page).
Doesn’t seem too crazy for a generic react native app but of course coming from the official US government, it’s pretty wide open to supply chain attacks. Oh and no one should be continually giving the government their location. Pretty crazy that the official government is injecting JavaScript into web views to override the cookie banners and consent forms - it is often part of providing legal consent to the website TOS. But legal consent is not their strong suit I guess.
show comments
Arainach
"An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls."
In their defense, this is the first thing the Trump admin has done that's unambiguously positive for ordinary people.
show comments
analog31
>>> This is a government app loading code from a random person's GitHub Pages.
A random person with pronouns, no less. That means the code is “woke.”
show comments
oefrha
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
Giving people a taste of web with Ublock Origin annoyance filters applied, refreshing. Can’t believe orange man regime is doing one thing right.
replwoacause
lol honestly all of this tracks given the current administration. i'm actually surprised it isn't worse. but yeah, amateur hour for sure.
show comments
post-it
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
Rare Trump administration W. I'm assuming there's one particular website they open in the app that shows a cookie popup, and this was a dev's heavy-handed way of making that go away.
trimethylpurine
I don't see what the fuss is about. This all looks pretty standard. I use random people's stuff all the time. Isn't that the point of open source?
Did you find something malicious in the random GitHub repo? If so, you should write an article about that instead.
show comments
crimshawz
you are a fucking genius
ThaFresh
nice work, so they can get your location and have ICE scoop you up if required
andix
I would've expected worse. :)
jruz
Is this a surprise to anyone?
colesantiago
This is a pretty standard decomplation of an Android app.
I am sure if you decompile other apps used by hundreds of thousands of people, you would find all sorts of tracking in there.
Thanks for helping the White House improve their app security for free though.
show comments
longislandguido
The comments in here are pretty rich. If this was any other app, everyone would be screaming about "why are you being mean to the author", flagging posts left and right.
> Is it what you'd expect from an official government app? Probably not either.
Since when is the government a slick and efficiently run outfit that produces secure and well-done software products? Does no one remember the original Obamacare launch?
It’s hard to imagine a smug article like this dissecting a product of some other administration. There’s something very weird and off about stuff like this.
A bit skeptical of how this article is written as it seems to be mostly written by AI. Out of curiosity, I downloaded the app and it doesn't request location permissions anywhere, despite the claims in the article.
I've noticed Claude Code is happy to decompile APKs for you but isn't very good at doing reachability analysis or figuring out complex control flows. It will treat completely dead code as important as a commonly invoked function.
Looks like what you might expect in a standard marketing app from a consultancy. They probably hired someone to develop it, that shop used their standard app architecure which includes location tracking code and the other stuff.
Interesting. The site is nearly unusable to me unfortunately. '19 MBP w/ Chrome - scrolling stutters really bad
The argument regarding no certificate pinning seems to miss that just because I might be on a network that MITM's TLS traffic doesn't mean my device trusts the random CA used by the proxy. I'd just get a TLS error, right?
i assumed it was malware out the gate. yep
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
So at least it does something actually beneficial for the user! I wish it could go even further, the way Reader Mode in a browser would go.
Are those references to 45 and 47 "Easter Eggs" to Trump's presidency number(s)? As in, forty-five-press (45th president) and Version 47.x.x (47th president), as well as the text message hotline (45470).
> The official White House Android app has a cookie/paywall bypass injector, tracks your GPS every 4.5 minutes (9.5m when in background), and loads JavaScript from some guy's GitHub Pages (“lonelycpp” is acct, loads iframe viewer page).
Doesn’t seem too crazy for a generic react native app but of course coming from the official US government, it’s pretty wide open to supply chain attacks. Oh and no one should be continually giving the government their location. Pretty crazy that the official government is injecting JavaScript into web views to override the cookie banners and consent forms - it is often part of providing legal consent to the website TOS. But legal consent is not their strong suit I guess.
"An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls."
In their defense, this is the first thing the Trump admin has done that's unambiguously positive for ordinary people.
>>> This is a government app loading code from a random person's GitHub Pages.
A random person with pronouns, no less. That means the code is “woke.”
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
Giving people a taste of web with Ublock Origin annoyance filters applied, refreshing. Can’t believe orange man regime is doing one thing right.
lol honestly all of this tracks given the current administration. i'm actually surprised it isn't worse. but yeah, amateur hour for sure.
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
Rare Trump administration W. I'm assuming there's one particular website they open in the app that shows a cookie popup, and this was a dev's heavy-handed way of making that go away.
I don't see what the fuss is about. This all looks pretty standard. I use random people's stuff all the time. Isn't that the point of open source?
Did you find something malicious in the random GitHub repo? If so, you should write an article about that instead.
you are a fucking genius
nice work, so they can get your location and have ICE scoop you up if required
I would've expected worse. :)
Is this a surprise to anyone?
This is a pretty standard decomplation of an Android app.
I am sure if you decompile other apps used by hundreds of thousands of people, you would find all sorts of tracking in there.
Thanks for helping the White House improve their app security for free though.
The comments in here are pretty rich. If this was any other app, everyone would be screaming about "why are you being mean to the author", flagging posts left and right.