BBS:      TELESC.NET.BR
Subject:  White House app security issues
From:     Mike Powell
Date:     Thu, 7 May 2026 09:13:58 -0500
-----------------------------------------------------------
Researcher reveals official White House app is one command away from tracking 
your precise location every 4.5 minutes - app can also inject code to dodge 
cookie consent, GDPR banners, and paywalls

Date:
Wed, 06 May 2026 17:25:00 +0000

Description:
White House app contains code to hide cookie options, GDPR banners, and 
paywalls - and collects extensive user data

FULL STORY
A security researcher has decompiled the new official White House app for 
Android that was released in March 2026, and has found some concerning 
features hidden inside. 

Web developer Thereallo analyzed the app's APK in a blog post and found it is 
capable of injecting code into third-party websites to hide cookie consent 
popups, GDPR banners, paywalls, and more. It can also track your accurate GPS 
location every 4.5 minutes; it pulls code from unsecured non-government 
infrastructure and provides highly invasive profiling of every user. When 
the White House released the new app, it said it offers Americans a direct 
line to the White House, but it looks more likely that the reverse is true. 

Hidden inside the WebView used for opening external websites is a JavaScript 
snippet that has the ability to hide some fairly vital information typically 
displayed when you visit a website. 

"An official United States government app is injecting CSS and JavaScript into 
third-party websites to strip away their cookie consent dialogs, GDPR 
banners, login gates, and paywalls," Thereallo explained. 

Blocking these core website functions means that users subject to GDPR or 
state-level privacy laws cannot exercise their legal right to opt out of 
tracking. Furthermore, by circumventing paywalls, the US government is 
providing users with the ability to access content that is typically 
protected with a paywall.

The Google Play Store listing states that the app can request 
approximate and precise location data, with Thereallo noting that the app 
requests location permission at runtime, and that the app contains an Expo 
plugin intended to strip location tracking. But the app instead relies on 
the OneSignal SDK's location tracking code. 

The app can therefore collect accurate location tracking information every 
4.5 minutes when the app is active, and every 9.5 minutes when the app is 
running in the background. While this tracking isn't active by default, the 
entire process can be activated with a single command. 

As Thereallo notes, "the infrastructure is there, ready to go, and the JS API 
to enable it is referenced in the bundle." So while the app may not 
necessarily be tracking you today, it has the potential to be activated at 
any point in the future.

OneSignal is also used to collect profiling data on every user. "Your 
location, your notification interactions, your in-app message clicks, your 
phone number if you provide it, your tags, your state changes. All going to 
OneSignal's servers," Thereallo notes. 

Additionally, the app relies on code from a random GitHub account to 
embed YouTube videos. Thereallo points out that if this account is ever 
compromised, the perpetrator could serve arbitrary HTML and JavaScript to 
every user of this app. 

The app also loads third-party code without adequate security infrastructure, 
sends your data to non-governmental infrastructure, and has no certificate 
pinning. 

"Is any of this illegal? Probably not. Is it what you'd expect from an 
official government app? Probably not either," Thereallo concludes. 

An app advertised as a one-stop-shop for news and media direct from the White 
House is instead functioning as a highly granular user profiling, tracking 
and marketing tool. It is important to note that Thereallo's analysis was 
conducted immediately after the app's release, and therefore features may have 
been modified, added or removed. 

TechRadar Pro reached out to the White House for comment, but did not 
immediately receive a response.

Link to news story:
https://www.techradar.com/pro/security/researcher-reveals-official-white-house-app-is-one-command-away-from-tracking-your-precise-location-every-4-5-minutes-app-can-also-inject-code-to-dodge-cookie-consent-gdpr-banners-and-paywalls

$$
--- MultiMail/DOS
 * Origin: Capitol City Hub (1:2320/105)
