I Decompiled the White House's New App

https://blog.thereallo.dev/blog/decompiling-the-white-house-app

The official White House Android app has a cookie/paywall bypass injector, tracks your GPS every 4.5 minutes, and loads JavaScript from some guy's GitHub Pages.

(By "thereallo" -- https://thereallo.dev/?explore=about )

@lproven you're not surprised though eh!

@piggz I just shared the blog post. This is not my work.

But no, I'm not at all surprised. 😉

@lproven I got the first bit :)
@lproven That guy on GitHub has the opportunity to do something really funny.

@[email protected] @[email protected]

Thank you for this breakdown of the app.

This is a government app loading code from a random person's GitHub Pages


It is eye-opening just how much trust we place in apps.

@misterdubs @senchawizard I just shared the blog post. This was not me or my work.
@lproven Why 4.5 minutes (or 9.5 minutes for the background update time)? That seems like such a weird choice of time interval for them to pull out of their asses.

@2something I have no idea.

I posted this link, that's all. I did not write the blog post or do the investigation.

@lproven hardly the worst part of this, but "The backend is WordPress with a custom REST API"? Why would that be your choice of technology for a REST API?
Except I've met my share of WordPress devs, and they tend to fall into that "every problem is a nail" trap.