White House App Is a Terrifying Security Mess

Published: May 6, 2026 at 07:00 AM EDT
2 min read
Source: Slashdot

Overview

New submitter spazmonkey reports that the new White House app contains numerous security and privacy issues, ranging from continuous GPS tracking to insecure handling of web content.

Technical Details

  • Framework: The app is built with React Native using Expo SDK 54, and its backend is powered by WordPress via a custom REST API.
  • GPS Tracking:
    • The app polls the device’s location every 4.5 minutes while in the foreground and every 9.5 minutes in the background.
    • It sends latitude, longitude, accuracy, and timestamp data to OneSignal’s servers.
    • These location permissions are not declared in the app’s own AndroidManifest; the requests come from the bundled OneSignal SDK, which asks for them at runtime.
  • External JavaScript: The app loads JavaScript from a random GitHub account for YouTube embeds. If that account is compromised, arbitrary code could execute inside the app’s WebView.
  • SSL Certificate Pinning: None is implemented, so the app trusts every CA in the device’s trust store. TLS still protects against a passive eavesdropper on public Wi‑Fi; the exposure is to anyone who can present a certificate the device trusts, such as a corporate TLS‑inspection proxy, a user‑installed root CA, or a compromised CA on an otherwise hostile network.
  • In‑App Browser Manipulation: The app injects JavaScript and CSS into every page opened in its in‑app browser, stripping:
    • Cookie‑consent dialogs
    • GDPR banners
    • Login walls
    • Paywalls
  • Development Artifacts: The production build contains leftover development references, such as a localhost URL pointing to the Metro bundler.
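The issue classes above are all visible in a decoded APK, so here is a small static triage script for a React Native / Expo Android build. It is an added example, not code from the article or from the app itself; the package name, GitHub user, URLs and bundle lines in the sample inputs are constructed for illustration. It reads the merged AndroidManifest.xml (which includes permissions contributed by SDK AARs), the JS bundle, and res/xml/network_security_config.xml, and reports location permissions, Metro dev-server references, GitHub-hosted script URLs, WebView script injection, CSS that hides consent or paywall elements, OneSignal location sharing, and the absence of certificate pinning.

```python
"""Static triage of a decoded React Native / Expo Android build (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str
    evidence: str


# The APK's merged manifest includes permissions contributed by SDK AARs, so
# location permissions show up here even if the app's own source never declared them.
LOCATION_PERMS = (
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
)
# Metro dev-server addresses that should never survive into a release bundle
METRO_RE = re.compile(r"\b(?:localhost|127\.0\.0\.1|10\.0\.2\.2):8081\b")
# Script or asset URLs served from a GitHub-hosted location
GITHUB_HOSTED_RE = re.compile(
    r"https?://(?:raw\.githubusercontent\.com|[\w.-]+\.github\.io|cdn\.jsdelivr\.net/gh)/[^\s\"'`]+"
)
# react-native-webview props that run script inside every page the WebView loads
WEBVIEW_INJECT_RE = re.compile(r"injectedJavaScript(?:BeforeContentLoaded)?")
# CSS that hides consent, paywall or login elements
CONTENT_STRIP_RE = re.compile(r"(?i)(?:cookie|consent|gdpr|paywall|login)[^\n]{0,80}display\s*:\s*none")
# OneSignal v5 opt-in that makes the SDK report device location
ONESIGNAL_LOC_RE = re.compile(r"OneSignal\.Location\.setShared\(\s*true\s*\)")
# Pinning done in native code or a pinning library rather than in network_security_config.xml
PINNING_LIB_RE = re.compile(r"CertificatePinner|TrustKit|react-native-ssl-pinning")


def audit_manifest(manifest_xml: str) -> list[Finding]:
    return [Finding("location-permission", p) for p in LOCATION_PERMS if p in manifest_xml]


def audit_bundle(bundle_js: str) -> list[Finding]:
    found: list[Finding] = []
    found += [Finding("dev-artifact", m.group(0)) for m in METRO_RE.finditer(bundle_js)]
    found += [Finding("third-party-script", m.group(0)) for m in GITHUB_HOSTED_RE.finditer(bundle_js)]
    found += [Finding("webview-injection", m.group(0)) for m in WEBVIEW_INJECT_RE.finditer(bundle_js)]
    found += [Finding("content-stripping", m.group(0)) for m in CONTENT_STRIP_RE.finditer(bundle_js)]
    found += [Finding("location-sharing", m.group(0)) for m in ONESIGNAL_LOC_RE.finditer(bundle_js)]
    return found


def audit_pinning(network_config_xml: str, bundle_js: str) -> list[Finding]:
    # <pin-set> is the Android network security config element for certificate pinning;
    # its absence is only conclusive if no pinning library appears in the bundle either.
    if "<pin-set" in network_config_xml or PINNING_LIB_RE.search(bundle_js):
        return []
    return [Finding("no-pinning", "no <pin-set> in network_security_config.xml and no pinning library in bundle")]


def run_audit(manifest_xml: str, bundle_js: str, network_config_xml: str = "") -> dict[str, list[str]]:
    """Group evidence by category; categories with no hits are omitted."""
    report: dict[str, list[str]] = {}
    for f in audit_manifest(manifest_xml) + audit_bundle(bundle_js) + audit_pinning(network_config_xml, bundle_js):
        report.setdefault(f.category, []).append(f.evidence)
    return report


# Constructed sample inputs (hypothetical package, GitHub user and URLs), not taken from the real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>"""

SAMPLE_BUNDLE = r"""
OneSignal.Location.setShared(true);
var PLAYER_SRC="https://raw.githubusercontent.com/example-user/yt-embed/main/player.js";
var STRIP_CSS=".cookie-banner,.paywall{display:none}";
React.createElement(WebView,{source:{uri:url},injectedJavaScript:"var s=document.createElement('style');s.textContent='"+STRIP_CSS+"';document.head.appendChild(s);"});
var DEV_URL="http://localhost:8081/index.bundle?platform=android";
"""

SAMPLE_NETWORK_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
</network-security-config>"""


if __name__ == "__main__":
    for category, evidence in run_audit(SAMPLE_MANIFEST, SAMPLE_BUNDLE, SAMPLE_NETWORK_CONFIG).items():
        print(f"{category}:")
        for item in evidence:
            print(f"  {item}")
```

On a real target, run `apktool d app.apk`, point the script at `AndroidManifest.xml`, `assets/index.android.bundle` (disassembled first if it is Hermes bytecode) and `res/xml/network_security_config.xml`. The regexes are indicators, not proof: a hit on `injectedJavaScript` only says script is injected, and confirming what it does still means reading the injected string.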

Privacy Concerns

  • Continuous location polling can reveal users’ movements and habits.
  • Because the app’s own manifest does not declare the location permissions, anyone reviewing the app’s source would not see that location is collected, and users may be unaware that the app requests location data.
  • Loading external scripts from an uncontrolled source introduces a risk of malicious code execution.
  • Stripping consent dialogs and paywalls may violate privacy regulations and undermine user choices.

Sources

  • Android Headlines: “White House app is a terrifying security mess”
  • Slashdot: original story