Security researcher tears apart White House app and finds a tracking and security nightmare
by Jason Weisberger · Boing Boing

A security researcher who decompiled the White House's new mobile app says it contains hidden GPS-tracking capabilities, weak security protections, and code loaded from an outside GitHub page, raising serious questions about privacy and cybersecurity.
And it gets even stranger. Apparently, the app is loading JavaScript from a random person's GitHub site for YouTube embeds. Yes, you read that right, it's just loading JavaScript from a random GitHub site. So if that account ever gets compromised, arbitrary code could run inside the app's WebView.
There's also no SSL certificate pinning, meaning that traffic can potentially be intercepted on compromised networks like sketchy public WiFi or corporate proxies.
The app also injects JavaScript and CSS into every page you visit in the in-app browser. This strips away cookie consent dialogs, GDPR banners, login walls, and paywalls. There are also leftover dev artifacts in the production build, including a localhost URL to the Metro bundler.
To put it plainly, this app is a security nightmare, and no one should have installed it, no matter what your political beliefs are.
Android Headlines
Between the background location polling, missing SSL protections, and injected browser scripts, critics say the app reads less like official government software and more like a "what not to do" cybersecurity workshop demo.
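The three findings above (runtime code pulled from a third-party GitHub host, a leftover localhost Metro bundler URL, and script injection into the WebView) are the kind of thing a build audit can catch before release. The following is an added example, not code from the article or from the app in question: a small static check over a constructed bundle fragment that flags those markers. The host list, the port 8081 Metro default, and the `injectedJavaScript` prop name are my assumptions about a React Native build, and the sample lines are made up.

```python
import re

# Constructed sample imitating a few lines of a decompiled React Native
# bundle. This is NOT the real app's code; it exists only to exercise the audit.
SAMPLE_BUNDLE = """\
const YT = "https://someuser.github.io/yt-embed/player.js";
fetch("http://localhost:8081/index.bundle?platform=android");
<WebView injectedJavaScript={hideBanners} source={{uri: url}} />
const api = "https://api.example.gov/v1/feed";
"""

# Hosts an app should never load executable code from at runtime: whoever
# controls the account controls what runs inside the WebView (assumed list).
THIRD_PARTY_CODE_HOSTS = (
    "github.io",
    "raw.githubusercontent.com",
    "gist.githubusercontent.com",
)
# Metro's default dev server port is 8081 (assumption for this check).
DEV_HOST_RE = re.compile(r"https?://(localhost|127\.0\.0\.1|10\.0\.2\.2):8081\b")
URL_RE = re.compile(r"""https?://[^\s"'`)]+""")
# react-native-webview props that push script into every loaded page.
INJECTION_PROPS = ("injectedJavaScript", "injectedJavaScriptBeforeContentLoaded")


def audit_bundle(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, category, evidence) for every red flag in the bundle."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for url in URL_RE.findall(line):
            host = url.split("//", 1)[1].split("/", 1)[0].lower()
            # Remote script on a user-controlled code host: a supply-chain risk.
            if host.endswith(THIRD_PARTY_CODE_HOSTS) and url.endswith((".js", ".mjs")):
                findings.append((n, "remote-third-party-script", url))
        # Dev-server URL left in a production build.
        if DEV_HOST_RE.search(line):
            findings.append((n, "dev-artifact-metro-bundler", line.strip()))
        # Script injected into every page the in-app browser opens.
        if any(prop in line for prop in INJECTION_PROPS):
            findings.append((n, "webview-script-injection", line.strip()))
    return findings


if __name__ == "__main__":
    for line_no, category, evidence in audit_bundle(SAMPLE_BUNDLE):
        print(f"line {line_no}: {category}: {evidence}")
```

Run it against an extracted `index.android.bundle` instead of the sample to get a first-pass list of lines to review by hand.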
Previously:
• White House turns Easter Egg Roll into ad space for corporations