BeepI Decompiled the White House's New App— The app has a cookie/paywall bypass injector, tracks your GPS every 4.5 minutes, and loads JavaScript from some guy's GitHub Pages.
mr_annyI can’t say anything about the content of this blog. It was horribly laggy to scroll on mobile device. And by horribly laggy, I mean like aunt’s 1986 vacation slide show on a projector while having dry cookies and tasteless off brand earl grey.
I’m sorry if it sounds rude but I had to bring this on out in the open. What even runs under the hood on that blog…
Holy shit, i thought i was gonna have a seizure first time i scrolled
Like its locked to 10fps
Snot FlickermanIt’s a bit funny that it’s completely at odds with how they describe their goals (emphasis mine):
I am thereallo, a web developer who makes things look pretty and work smoothly >w< been building stuff since 2020, mostly frontend but i can do fullstack too! i use react, next.js, and tailwind css because they just work, and motion for animations that don’t feel plastic. i prototype in figma, steal components from shadcn/ui when i’m lazy, and deploy to vercel or cloudflare depending on the vibe~ i used to reverse engineer games (genshin leaks era lol) but now i just make websites that don’t suck. i know typescript, python, go, and dabbled in rust and lua. my goal is making ui that feels human such as smooth feedback, clear buttons, keyboard accessible, no confusing bs. mobile first always! outside coding i listen to vocaloid and play project sekai, which definitely influences my color choices uwu. oh and i care way too much about bundle sizes and performance. currently learning native ios/android development. hmu on discord or github if u wanna chat! ♡
nawaYea for me too, it appears to be something we the title header following your scroll. It’s super smooth just until it tries to pin it to the top.
Reader mode works until I realised that they did explain the pictures, so just referenced text I didn’t see.
Not a performance problem. My guess is, they (poorly) emulate native scrolling via JS on mobile. Probably for some progress feature or something.
Unfortunately all of the code blocks are loaded after-the-fact with JS for some asinine reason (highlighting I’d understand… but why the actual text?), so disabling JS also disables all the code snippets on the page.
That’s why dynamic loading sucks.
alakeyEven if the effect didn’t lag, there’s almost no added benefit to it. The title is cut off, and the description is even worse.
If the author wanted to, they could have done something like this with no scripts, minimum effort, and probably zero lag.
(If OP’s website chucked for you, I’m curious whether this demo is seamlessly smooth. It is for me.)
I had no issues, and I am on a cheap boomer phone that installs games without permission every so often.
Btw, this site has no business doing (laggy) scrolling via JS. Scrolling is my job, not yours.
AI vibe coded slop.
Katherine 🪴Anyone have any idea who the devs are? According to the owner tag in the code, it’s: https://devfortyfive.com/ but there’s no information on the people behind it.
Most transparent administration! /s
Yeah, having the real people behind it hidden is basically the norm for Trump admin.
Probably an openclaw server attached to Don Jr’s bank account.
Some guy in Utah, apparently. The company was registered on the 18th of March.
Via Utah Division of Corporations and Commercial Code Business Registration search which did not allow a direct link to individual results.
So…to be clear, this was formed just prior to the release of the app, and almost certainly the app was being developed by this person/group before then.
Sure would be good to know what public funds were used to pay for this app (I assume too much), and whether there was a bidding process (I assume there wasn’t), and whether this person is someone the decision-maker already had some relationship/connection to (I assume that was the case).
Because regardless of the public value of a tracking & propaganda window favoring one party (none), it would be completely shocking, just totally unheard of, if this was a corrupt overpayment and misuse of public funds to pay for substandard work.
I mean, we didn’t just see this happen with Noem or anything.
🌞 Alexander Daychilde 🌞Judging by the fact that tabs in the app go to webpages… seems like not much was probably spent in developing it.
Wispy2891So according to that, the company’s address (both physical and mailing) is of 3739 E Sandstone Way, Washington, UT, 84780-1952.
(from maps.app.goo.gl/q48YJf3XndfY5Ges8)
…yeah, honestly that’s about what I expected.
(from maps.app.goo.gl/q48YJf3XndfY5Ges8)
…yeah, honestly that’s about what I expected.
Probably actually 45 Press, they’ve been around a while
WordPress VIP Partner | DevOps, Custom Web Apps, & Front End Development Specialists - 45PRESS
45Press is a WordPress VIP partner specializing in DevOps, custom web apps, front-end development, and mobile app solutions. Discover expert solutions for your digital needs with our experienced team.
artyom
KairuByteLikely nothing illegal. Quite a bit of bad dev habits. Some concerning security fuck ups, including pulling in JavaScript from a server they don’t control. Injecting JavaScript to subvert cookie/gdpr/login/etc popups on third party sites.
Just generally bad things to do, especially in a government provided app.
RememberTheApollo_Just 3 down from this post in my feed.
I fell down a wild rabbit hole.
- Dev Forty Five LLC was created a week ago and lists Ty Nielson as the registered agent
- Ty Nielson is listed and at some point was described on LinkedIn as the Head of Engineering at Gemini (not the Google product) with location in St George, UT. Gemini lists an office in Ogden, UT on linkedin.
- His employment history says he started as a software engineer, but he may not be the head of engineering. I’m unsure if he lives in Utah at all. He did ask how to do authentication in a React Native app properly in stack overflow 7 months ago. Not a great sign.
- Gemini is a product of Blue Rocket, inc. and the primary address for both companies is listed as a thinkspace in Redmond, WA.
- Blue Rocket Inc. also has an office in Ogden Utah and one in West Palm Beach, Florida according to its linkedin - but withdrew their business registration in FL years ago
- A previous (?) head of product for Gemini and/or Blue Rocket is/was Ryan Petty, who was part of a Federal Commission on School Safety roundtable at the White House with Trump, and DeSantis made him the Chair of the Florida State Board of Education
- Jason Kap owns Blue Rocket inc. and was put on the board of Claritev last year, which is now a defendant in an antitrust lawsuit for conspiring with major health insurers to fix prices. The DoJ is currently siding against Claritev
- Jason Kap used to work at Microsoft, MS is also in Redmond WA.
- Kap may live or still have properties in Redmond WA, Belmont MA, Ogden Utah, and possibly others - through shell companies technically owned by his family, such as Player 85 LLC, for which he is an authorised agent
- Kap may have been an LDS bishop in Redmond during a case where the LDS leadership was accused of covering up child molestation by a former Microsoft employee, Buckland Darrell, who was sentenced again a few weeks ago
- According to floodlit there were victims in both Hartman Park Ward, Redmond and Sammamish Valley Washington.
- The registered agent listed for Blue Rocket and Gemini in WA is Kap’s wife, with a Redmond WA address matching the charity “Sammamish Trails Youth”.
I don’t think I’ll continue on. There’s clearly a lot going on here and it is not looking good.
Which begs the question of if the Trump admin will give up the app and allow it to be archived, considering it’s using the gov.whitehouse.app app id or if they’ll keep it and pretend to be the White House (in which case will Apple and Google step in and pull it from App Stores).
The user tracking is dodgy, yes but i can see it happening in any business where developers are clueless yes men.
As for pay wall countermesures I can see how some person in Trump org not being happy about the links in the app being pay walled and asked the dev to remove the popups which they did without question.
w3dd1eThe app uses standard Android TrustManager for SSL with no custom certificate pinning. If you’re on a network with a compromised CA (corporate proxies, public wifi with MITM, etc.), traffic between the app and its backends can be intercepted and read.
That doesn’t seem right. You would still need the compromised CA cert to be installed on your device. This isn’t going to be a problem when connecting to a public Wifi.
The rest of the article is bonkers, though. Classic corporate data-grab app, and then some.
Ten years ago when businesses really needed to offer wifi (train for example) they thought “hey we would like to have something in return!”. I got offered a new ca a couple of times in the captive portal.
Yeah, not best practice but not unheard of.