Developer Tools

I decompiled the White House's new app

A security researcher's decompilation reveals the official app injects JavaScript to strip consent dialogs and paywalls.

Deep Dive

A security researcher has decompiled the official White House app, revealing significant privacy and ethical concerns. The app, built by an entity called 'forty-five-press' using React Native (Expo SDK 54) and a WordPress backend, functions as a content portal for news and administration initiatives. However, its in-app WebView is programmed to inject a custom JavaScript snippet into every loaded webpage. This code searches for and hides common user interface elements such as GDPR consent dialogs, cookie banners, OneTrust popups, login walls, and paywall prompts, effectively bypassing the consent and monetization frameworks of third-party websites.
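As an added example (not from the researcher's writeup or the app's code), the following script is the kind of static triage a reviewer would run over a React Native JavaScript bundle: it locates the react-native-webview injection props (`injectedJavaScript`, `injectedJavaScriptBeforeContentLoaded`, `injectJavaScript`) and flags any injected code that both references consent or paywall UI and hides or removes DOM elements. The bundle text embedded below is constructed for the demonstration, not extracted from the real app.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for a minified bundle; not the real app's code.
SAMPLE_BUNDLE = r"""
var x=1;function noop(){}
React.createElement(WebView,{source:{uri:u},injectedJavaScript:"(function(){var e=document.querySelector('#onetrust-banner-sdk');if(e){e.style.display='none'}document.querySelectorAll('.paywall,.cookie-banner').forEach(function(n){n.remove()})})();true;"});
var y=2;function other(){}
"""

# Real react-native-webview prop/method names used to push script into a page.
INJECT_PROPS = re.compile(r"\b(injectedJavaScript(?:BeforeContentLoaded)?|injectJavaScript)\b")
# Words that point at consent, login or monetisation UI.
UI_KEYWORDS = ("consent", "cookie", "gdpr", "onetrust", "paywall", "login")
# DOM operations that make an element disappear without user interaction.
HIDE_OPS = re.compile(r"display\s*=\s*['\"]none['\"]|\.remove\(\)|visibility\s*=\s*['\"]hidden['\"]")


@dataclass
class Finding:
    prop: str            # which injection prop/method was found
    offset: int          # byte offset in the bundle, for manual follow-up
    keywords: list = field(default_factory=list)
    hide_ops: int = 0    # number of element-hiding operations seen nearby


def scan_bundle(text: str, window: int = 600) -> list:
    """Return one Finding per injection site, with UI keywords and hide ops
    counted in the `window` characters that follow the prop name."""
    findings = []
    for m in INJECT_PROPS.finditer(text):
        snippet = text[m.end(): m.end() + window]
        kws = [k for k in UI_KEYWORDS if k in snippet.lower()]
        hides = len(HIDE_OPS.findall(snippet))
        findings.append(Finding(m.group(1), m.start(), kws, hides))
    return findings


def suspicious(findings: list) -> list:
    """Injection sites that both name consent/paywall UI and hide elements."""
    return [f for f in findings if f.keywords and f.hide_ops]


if __name__ == "__main__":
    for f in suspicious(scan_bundle(SAMPLE_BUNDLE)):
        print(f"{f.prop} @ {f.offset}: keywords={f.keywords} hide_ops={f.hide_ops}")
```

A clean bundle that uses `injectedJavaScript` only for, say, a viewport fix will produce a Finding with no keywords and no hide operations, so it is not reported; the window size is a heuristic and should be widened for heavily minified code.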

Further analysis uncovered a contradiction in its location data handling. The app's Expo configuration includes a plugin named 'withNoLocation,' suggesting location tracking is disabled. Despite this, the compiled Android APK contains the full OneSignal SDK location tracking code. This system is designed to request precise location data at intervals of 4.5 and 9.5 minutes, but only activates if three conditions are met: a JavaScript-controlled flag is set to true, the user grants foreground location permission at runtime, and location services are enabled on the device. The presence of this code, coupled with the JavaScript-based toggle, means the capability for detailed location tracking is built into an official government application.

Key Points
  • The app injects JavaScript to strip cookie consent dialogs, GDPR banners, and paywalls from third-party websites.
  • Despite a 'withNoLocation' plugin, the APK contains OneSignal SDK code that can request precise location every 4.5 minutes once three runtime conditions are met.
  • The app was built by 'forty-five-press' using React Native/Expo and pulls content from a custom WordPress REST API.

Why It Matters

This sets a troubling precedent for official software bypassing user consent mechanisms and embedding potential surveillance features.