What are your taxes paying for?
Cross referencing these different things in the article to other apps that exist was my first thought as these seem pretty generic and probably reused from somewhere else.
They likely did a search-and-replace on the brand name, so you had strings like 'your invoices from Home Quarantine inc' in the code.
Not a bad thing per se, getting the app out the door asap was definitely a priority in that project for understandable reasons, but funny nonetheless.
"Visit TrumpRx.gov"
But snark aside, the next elections will be decided around damage control. Yes, the old school dems are pretty spineless (corrupt) but i guess even they feel the temptation of revenge and taking out political opponents for good. I really hope the new generation of democrats succeeds and breaks the corruption ties.
We will need actual punishments for everyone who illegally defunded (or funded) programs, got us into the Iran invasion, embezzled and lined their pockets with corruption etc etc etc.
For those concerned or curious about location data collection, we wrote an explanation of how it works: https://onesignal.com/blog/youre-in-control-how-location-act...
You’ll sell it if you sell your company (as per your privacy policy).[1]
We may disclose or transfer your personal information in connection with, or during negotiations of, any acquisition of our business, financing or similar transaction.
If you wouldn’t sell it, period, then I’d suggest amending your privacy policy to include irrevocable deletion of customer data at the point your company is sold to a buyer.
Found 1 list exactly matching 'onesignal.com':
- https://dbl.ipfire.org/lists/ads/domains.txt
block list
added: 2026-02-13 15:00:20
last modified: 2026-02-13 15:00:20
last updated: 2026-03-29 04:02:16 (126.625 domains)
enabled, used in 1 group
comment: "IPFire Advertising"
matching entries:
- onesignal.comThis is actually the correct mitigation. Without ACCESS_FINE_LOCATION and ACCESS_COARSE_LOCATION in the manifest, the Android runtime will reject any location request at the OS level, even if the Java code calls FusedLocationProviderClient.requestLocationUpdates(). The three-gate analysis in the article is technically accurate but buries the lede: gate #2 (runtime permission) is impossible to pass because the permission isn't declared, making the entire pipeline dead code at the OS enforcement layer.
This is a broader issue with how React Native SDKs are packaged - they ship as monolithic native modules rather than fine-grained feature modules. OneSignal, Firebase, and most analytics SDKs all do this. The Expo ecosystem has been discussing native code tree-shaking for years but it's genuinely hard when you're wrapping pre-compiled Android libraries. The withStripPermissions approach is the standard workaround and is functionally equivalent to removing the code, since Android's permission model is the actual enforcement boundary.
Firefox 148.0.2 (Build #2016148295), 15542f265e9eb232f80e52c0966300225d0b1cb7 GV: 148.0.2-20260309125808 AS: 148.0.1 OS: Android 14
Imagine being in a cafe nearby, say, embassy of the certain north African country known for pervasive and wide espionage actions, which decides to hijack traffic in this cafe.
Or imagine living in the country where almost all of the cabinet is literally (officially) being paid by the propaganda/lobbying body of such country.
Or living int he country where lawful surveillance can happen without the jury signoff, but at a while of any police officer.
Maybe its not common but frequent enough.
How would they get your phone to trust their CA? Connecting to a Wi-Fi network doesn’t change which CAs a device trusts.
https://www.eff.org/deeplinks/2011/08/iranian-man-middle-att...
https://support.apple.com/en-us/126047
The chances of zero of these CAs having been compromised by state-level actors seems… slim.
Do you trust "Hongkong Post Root CA 3" not to fuck with things?
Your link's from 2011; the US government was still in the trusted list until 2018. https://www.idmanagement.gov/implement/announcements/04_appl...
These are monitored, things do get noticed[0], and things like this can and have lead to CAs being distrusted.
It's not foolproof, and it's reactive rather than proactive... but in general, this is unlikely to be happening on major sites or at any significant scale.
I'd wholeheartedly recommend people taking some time and reading through the CA Compliance issues on Bugzilla. The entire CA program there, in my opinion, does a fantastic and largely thankless job of keeping this whole thing on the rails. It's one of the few things I can say I had _more_ trust in the more I looked into it.
China telecom regularly has BGP announcements that conflict with level3's ASNs.
Just as a hint in case you want to dig more into the topic, RIR data is publicly available, so you can verify yourself who the offenders are.
Also check out the Geedge leaked source code, which also implements TLS overrides and inspection on a country scale. A lot of countries are customers of Geedge's tech stack, especially in the Middle East.
Just sayin' it's more common than you're willing to acknowledge.
Notice my wording above - fundamentally broken in multiple ways - by which I mean that there are clear and articulable flaws with the model. Nonetheless it's clearly quite functional in practice.
Interesting example: last year Cloudflare found out that a CA had been (incorrectly) issuing certs for 1.1.1.1. They only found out 1.5 years after the first cert had been issued. The CA didn't do it with malicious intent, and as far as I know they're still in business. https://blog.cloudflare.com/unauthorized-issuance-of-certifi...
The point of the logs as I understand it is to surface events involving official CAs after the fact.
And yes, it does break MITM use cases, for example on Chrome: https://httptoolkit.com/blog/chrome-android-certificate-tran...
I don't currently MITM my LAN but my general attitude is that if something won't accept my own root certificate from the store then it's broken, disrespecting my rights, and I want nothing to do with it. Trust decisions are up to me, not some third party.
The default should be to reject certificates which aren't being logged, and if you as a user or corporation have a reason to use private certificates, you just configure your computer to do that. Which fully protects against the risk of normal CAs signing fraudulent certificates.
If anything, one of many MDM purposes is to prevent orgas from enrolling rooted devices in their fleet.
Reader mode was the only thing that made it readable.
So at least it does something actually beneficial for the user! I wish it could go even further, the way Reader Mode in a browser would go.
I was promised a meritocracy and non stop winning. When do those begin?
Giving people a taste of web with Ublock Origin annoyance filters applied, refreshing. Can’t believe orange man regime is doing one thing right.
And the location… well, if one day they need you, they’ll sure be glad they know your each steps and current location .
It’s not a bug, it’s a feature.
Doesn’t seem too crazy for a generic react native app but of course coming from the official US government, it’s pretty wide open to supply chain attacks. Oh and no one should be continually giving the government their location. Pretty crazy that the official government is injecting JavaScript into web views to override the cookie banners and consent forms - it is often part of providing legal consent to the website TOS. But legal consent is not their strong suit I guess.
I'm not an attorney, but I don't find any cases that extend beyond that.
I'm quite sure that's illegal.
I'm not sure. If there is an attorney to answer that would be interesting.
I wouldn't run a non-free government app on my phone, but this seems a positive. It's basically what uBlock does.
Rare Trump administration W. I'm assuming there's one particular website they open in the app that shows a cookie popup, and this was a dev's heavy-handed way of making that go away.
In their defense, this is the first thing the Trump admin has done that's unambiguously positive for ordinary people.
I'd love it somehow taken out of it and made available for the general public. Custom uBlock / Adblock filers will be probably the easiest.
Let me know when this can ignore malware/adware from US companies then I'll give accolades.
I’d prefer they not release shoddily build propaganda apps
Did you find something malicious in the random GitHub repo? If so, you should write an article about that instead.
https://www.encryptionconsulting.com/top-10-supply-chain-att...
Are you aware that common libraries like Bootstrap, FontAwesome, and HTMX walk developers through linking to their CDNs directly? In fact, FontAwesome recommends it for CDN performance.
I think you're dangerously mistaken if you believe that it "literally never" happens. It literally does happen all the damned time. And, for your own safety and others', you should assume that when you use any app for which you don't have the source code.
There's also a difference between using a CDN for, say, React and a random github project hosted by some dude.
Imagine they're downloading a project directly from your GitHub account. Even if you're not doing anything malicious and have no intention of doing anything malicious even after you've been aware of this, now all of a sudden your GitHub account / email is a huge target for anyone that wants to do something malicious.
Boostrap (code snippet from their quick start instructions): ``` <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Bootstrap demo</title> <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/css/bootst..." rel="stylesheet" integrity="sha384-sRIl4kxILFvY47J16cr9ZwB07vP4J8+LH7qKQnuqkuIAvNWLzeN8tE5YBujZqJLB" crossorigin="anonymous"> </head>
<script src="https://cdn.jsdelivr.net/npm/@popperjs/core@2.11.8/dist/umd/..." integrity="sha384-I7E8VVD/ismYTF4hNIPjVp/Zjvgyol6VFvRkX/vR+Vc4jQkC+hVqc2pM8ODewa9r" crossorigin="anonymous"></script> <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/js/bootstr..." integrity="sha... ```
Pay close attention, they are inviting the new developer to link not just to Bootstrap, but to Popper!
HTMX (code snippet from their quick start guide): ``` <script src="https://cdn.jsdelivr.net/npm/htmx.org@2.0.8/dist/htmx.min.js"></script> <!-- have a button POST a click via AJAX --> <button hx-post="/clicked" hx-swap="outerHTML"> Click Me </button> ```
Fontawesome: A video quick start guide and instructions that recommends using the direct link to the kits via CDN for performance!
Look, I certainly don't think they should be used this way. But, to say that it's unique to the White House app? I definitely wouldn't say that. In fact, I think you've dangerously overestimated the status quo.
I'd bet something like 70+% of all JS apps are inadequately protected against the risk of a malicious actor gaining access to a dependency's repo.
Pearlclutching over this while ignoring the lessons of `left-pad` and `colors` is biased motivated reasoning at best.
You don't do this in any non-trivial system.
So, it's nice that you don't do this. But there's nothing special about the White House app doing it. It's very common.
there are several corpo open source ai apps that have rce built in.
to cut a long story short they pull their config from the developer's server on startup. that config has user level permissions giving rce.
some have no rce but get remote executed exfiltration of all the prompts. the app pulls its posthog config on startup and can just take all the keyboard inputs.
submit a disclosure and they do nothing or accuse of 'ai slop reports' despite being vibe coded themselves
I'm well aware of supply chain attacks. But this isn't a supply chain attack. If it were, the article would be way more interesting.
The supply chain attack articles are interesting exactly because this is so common. So what's special here other than it being loosely related to a disliked political figure? HN isn't supposed to be an especially political website.
"A common app is doing the same thing that basically every other app is doing."
Is that a good headline? No. And this isn't a good article.
It's an article that includes coverage of the exposure to supply chain attacks, mainly via directly linking in https://lonelycpp.github.io/react-native-youtube-iframe/ifra.... You seem to be flippantly dismissing this as insignificant given the people who are probably running this app.
> HN isn't supposed to be an especially political website.
Yes but when technology and politics cross paths...
If you enjoy reading about how a guy smelled another guy's underpants and discovered that they smell like everyone else's, then rest assured, you can continue reading it over and over again if you like. I'm not able to down vote, so your enjoyment is safe from my opinion.
If he finds something interesting in there (I hope he does), and writes another article I might miss it, unfortunately, because I've written him off as a trash piece author.
EDIT: I went to use this as an example. Hilarious, this blog now has a bad SSL cert, just to put the icing on the cake.
The DoD has been hacked countless times, by children even. I wouldn't doubt if we decompiled most government apps we'd find this same vector in many of them.
It seems like this vector is only recently a hot topic. And decades of doing things wrong won't be patched and habits broken in short time. It will take a few years to get the majority of it, and decades after that to get the next majority, and so on.
This is bad for security.
To mix the metaphors further, they (the politicians and their supporters) fancy themselves the kind to dream of things that never were and ask why not. Why not have a war in Iran? You won't know until you give it a try.
A random person with pronouns, no less. That means the code is “woke.”
I guess there’s some workplaces where it’d be useful for me to update these, probably the ones Apple PMs work in.
In the US, the faction in power right now is attacking perceived symbols of "woke" ideology, and one of them is the use of pronouns.
As I understand it, some government agencies are even forbidding the use of pronouns in e-mail signatures etc. So it struck me as ironic that a software component with pronouns would have evaded their notice.
I have no problem with the use of pronouns.
Inferring pronouns has always been dumb and annoying. Many names don't have obvious pronouns, for example, the name "Taylor". Is that he or she? And clicking the little profile icon and squinting to see if someone is a man or a woman is also a waste of time. It's a lot easier for everyone if it just tells you the pronoun.
It's not that hard to just avoid it. I send emails to a lot of people I haven't spoken to and don't know their gender, so I write gender-neutral emails.
In the 1970s and 1980s it was the default in many Commonwealth locales to not assume that (say) Rob Owens writing mathematics and engineering papers was male (as it turns out, she isn't, the Rob is short for Robyn).
So much correspondence was with people who had Initial Surname or abstract handles that didn't broadcast gender.
I guess I'm just not really understanding people getting upset at what I perceive to be completely made up problems. We have technology, we no longer have to assume gender neutral pronouns for everyone. They can just tell us the pronouns they want.
I am sure if you decompile other apps used by hundreds of thousands of people, you would find all sorts of tracking in there.
Thanks for helping the White House improve their app security for free though.
You load arbitrary JS from a random GitHub user's NPM package. What's the difference?
You'd be surprised how many apps inside have hacks and workarounds because deadlines.
I always joke that we could probably tell you what color and type your underwear is on any random day with how much data is siphoned off your phone.
As for loading random JS, yeah also seen that done that before. "Partner A wants to integrate their SDK in our webviews." -> "Partner A" SDK is just loading a JS chunk in that can do whatever they want in webviews, including load more files.
Don't get me started on the sports betting SDKs...
Though we do have a Security team constantly scanning SDKs and the endpoints for changes in situations like this.
Partner A is not random JS. The assumption there is 1) you have some official signed agreement with them and 2) you've done your due diligence to ensure you can use them in this way.
It's not just some person's GH repo who can freely change that file to whatever they want.
Hotlinking is as old as the internet, and a well-worn security threat.
Since when is the government a slick and efficiently run outfit that produces secure and well-done software products? Does no one remember the original Obamacare launch?
It’s hard to imagine a smug article like this dissecting a product of some other administration. There’s something very weird and off about stuff like this.
Injects JavaScript into every website you open through its in-app browser to hide cookie consent dialogs, GDPR banners, login walls, signup walls, upsell prompts, and paywalls.
Has a full GPS tracking pipeline compiled in that polls every 4.5 minutes in the foreground and 9.5 minutes in the background, syncing lat/lng/accuracy/timestamp to OneSignal's servers.
Loads JavaScript from a random person's GitHub Pages site (lonelycpp.github.io) for YouTube embeds. If that account is compromised, arbitrary code runs in the app's WebView.
Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing.
Sends email addresses to Mailchimp, images are served from Uploadcare, and a Truth Social embed is hardcoded with static CDN URLs. None of this is government infrastructure.
Has no certificate pinning. Standard Android trust management.
Ships with dev artifacts in production. A localhost URL, a developer IP (10.4.4.109), the Expo dev client, and an exported Compose PreviewActivity.
Profiles users extensively through OneSignal - tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation.
Did the other administration put a "fake news" and "report to ICE" and grifting link to their own social network in their apps? I feel like you are perhaps papering over a whole lot of general shittiness of this app that didn't exist in less amateur previous administrations that at least tried to follow the norms.
The only case they cite of an actual intervention resulting seems... entirely legit?
> An adult entertainment club lost its liquor license after a dancer and others were seen not wearing masks, the state said.
People call 911 for goofy things, too.
Also I'd say the federal government's approach to ICE deportations is a little stronger than even the COVID measures.
Wasn't that written by a private company? Canadian, IIRC.
Yes, that's because this administration is uniquely awful. Basically every single thing this administration does is bad. Often so bad that it's legitimately impressive just how incompetent our leaders our.
Obviously previous administrations were not perfect, but to sit here and pretend that they are on the same level is delusion.
I've noticed Claude Code is happy to decompile APKs for you but isn't very good at doing reachability analysis or figuring out complex control flows. It will treat completely dead code as important as a commonly invoked function.
I'd verify all this stuff for myself, but Play won't install it in my phone so I can't really get the APK. Maybe because I use Graphene...? but I don't know all the ways they can restrict it, maybe it's something else (though for a pixel 9a it's rather strange if it's hardware based).
--- EDIT ---
To be specific / add what I can check, this is what my Play Store "about -> permissions" is showing:
which appears fairly normal, and does not include location, and I think Play includes runtime location requests there. Maybe there's a version-rollout happening, or device-type targeting?The app doesn't work
Is there something in particular that made you conclude that or are you going just with how it felt?
For what it's worth, it didn't seem to me.
As someone who likes to use a lot of em dashes in writing -- the 'heuristics' that AI 'hunters' like to use need a lot of further refinement before I would trust them with anything. And yet there are legions of anti-AI crusaders out there wielding them like weapons.
These folks are reinforcing a bias against all kinds of people, particularly those who are not native English speakers and were very likely taught 'globalized' English in their language training.
us humans, even if kinda trash at many things, are pretty rad at pattern recognition.
Personally I really like it for "load-bearing assumptions". Because it let's you work with assumptions whilst pointing out the potential issues of that assumption.
So, no. Not a "hallucination".
[0] https://documentation.onesignal.com/docs/en/location-opt-in-...
That appears to be about providing a message to the user before requesting permissions.
However, it appears even permissions you allow your app to request still need to be declared beforehand? https://developer.android.com/training/permissions/requestin...
Regardless, people are reporting mixed info on whether the app declares location access: https://news.ycombinator.com/item?id=47557010
https://imgur.com/a/SNJL4XO
There's no explicit rules against it, but I cannot stand this type of sarcastic im anti-everyone-else commentary. Super reddit-coded, and you could have made your point without it. There's a lot of discussion to have about that point actually, but I'm pretty sure we've all been collectively scrolling long enough to just kind of roll our eyes at this stuff.
I read through it. I get some AI vibes. Probably a little bit of both.
The article does not claim the app requests the location. It claims it can do it with a single JS call.
How would you have written it differently
This data has well-known limitations, but I think it is the fallback people are talking about here.
so can ... any other code anywhere on a mobile device? That is how API work...
From the (limited) article, it doesn't seem they do this: https://thereallo.dev/blog/decompiling-the-white-house-app#p...
----
EDIT: I'm mistaken. From the Play Store[0] it has access to
* approximate location (network-based)
* precise location (GPS and network-based)
[0] https://play.google.com/store/apps/details?id=gov.whitehouse...
This seems to disagree with:
> The location permissions aren't declared in the AndroidManifest but requested at runtime
*shrug*, someone should dig deeper. It looks like the article may not match reality.
The Play Store doesn't show these permissions when viewed on my Pixel 9 Pro, and the APK doesn't have these permissions when downloaded/extracted.
from the iphone app store: version 47.0.1 - minor bug fixes - 34 minutes ago
while the parent posted 18 minutes ago
they may have patched the location stuff as part of the “minor bug fixes”?
No location permission request prompting encountered. In system settings, where each app requesting location data is listed, it isn't present either.
So it could come across a manifest that includes location permissions and some code that would (if enabled) send location, but it might do a bad job properly tracing
Ad-HomineLLM is a logical fallacy IMO and adds little value. I would hope eventually HN and other sites add this to the guidelines similar to other claims like vote manipulation etc.
HN doesn’t have guidelines against anti-LLM rhetoric, but it does for LLM-generated comments.
> Don't post generated comments or AI-edited comments. HN is for conversation between humans.
https://news.ycombinator.com/newsguidelines.html#generated
Also, the comment you responded to was criticizing the attack to the substance of the post based on who/what wrote is. The comment neologism actually fits, IMO.