
The White House App’s Propaganda Is The Least Alarming Thing About It

from the donald-trump-gets-into-vibe-coding dept

Call me crazy, but I don’t think an official government app should be loading executable code from a random person’s GitHub account. Or tracking your GPS location in the background. Or silently stripping privacy consent dialogs from every website you visit through its built-in browser. And yet here we are.

The White House released a new app last week for iOS and Android, promising “unparalleled access to the Trump Administration.” A security researcher, who goes by Thereallo, pulled the APKs and decompiled them — extracting the actual compiled code and examining what’s really going on under the hood. The propaganda stuff — cherry-picked news, a one-tap button to report your neighbors to ICE, a text that auto-populates “Greatest President Ever!” — which Engadget covered, is embarrassing enough. The code underneath is something else entirely.

Let’s start with the most alarming behavior. Every time you open a link in the app’s built-in browser, the app silently injects JavaScript and CSS into the page. Here’s what it does:

It hides:

  • Cookie banners
  • GDPR consent dialogs
  • OneTrust popups
  • Privacy banners
  • Login walls
  • Signup walls
  • Upsell prompts
  • Paywall elements
  • CMP (Consent Management Platform) boxes

It forces body { overflow: auto !important } to re-enable scrolling on pages where consent dialogs lock the scroll. Then it sets up a MutationObserver to continuously nuke any consent elements that get dynamically added.
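To make those mechanics concrete, here is an added illustration of the technique described above. It is written for this page and is not the app's code or anything from Thereallo's write-up. It pairs the suppressor side (the CSS rule, a classifier for consent-looking elements, and a MutationObserver that removes them the moment they are inserted) with the check a site operator should have on the other side: if the consent banner is gone or hidden before the user has chosen anything, treat that as a refusal, not an acceptance. The selector patterns are assumptions (the article names OneTrust, GDPR/CMP boxes, paywalls and login/signup walls, not the app's exact list), and the FakeElement and FakeMutationObserver classes are a constructed stand-in for the DOM so the scenario runs under Node; in a browser you would pass document.documentElement and the real MutationObserver instead.

```javascript
'use strict';

// Illustration of the consent-stripping technique (NOT the app's code).
// ASSUMED selector patterns: the article names OneTrust, GDPR/CMP boxes,
// paywalls and login/signup walls but not the app's exact selectors.
const CONSENT_PATTERNS = [
  /onetrust/i, /cookie[-_]?(banner|consent|notice)/i, /gdpr/i, /\bcmp\b/i,
  /consent/i, /paywall/i, /(login|signup)[-_]?wall/i,
];

// ---- Suppressor side: the three pieces the article describes ---------------

// (1) Injected CSS: hide matching elements and force scrolling back on.
function buildInjectedCss(selectors) {
  return `${selectors.join(', ')} { display: none !important; }\n` +
         'body { overflow: auto !important; }';
}

// (2) Classifier for nodes that arrive after page load. CMPs usually insert
//     their dialog asynchronously, which is why static CSS alone is not enough.
function looksLikeConsentElement(node) {
  const names = `${node.id || ''} ${node.className || ''}`;
  return CONSENT_PATTERNS.some((re) => re.test(names));
}

// (3) MutationObserver that removes matching nodes as soon as they are added.
//     ObserverImpl is injectable so the same code runs in a browser or in Node.
function installNuker(root, ObserverImpl = globalThis.MutationObserver) {
  const observer = new ObserverImpl((records) => {
    for (const rec of records) {
      for (const node of rec.addedNodes) {
        if (looksLikeConsentElement(node)) node.remove();
      }
    }
  });
  observer.observe(root, { childList: true, subtree: true });
  return observer;
}

// ---- Site side: fail closed if the banner vanishes before a choice is made --

// Decide from a recorded choice, never from "the banner is no longer showing".
// Banner detached or hidden with nothing recorded => treat as a refusal.
function consentDecision(banner, recordedChoice, isVisible) {
  if (recordedChoice === 'accept' || recordedChoice === 'reject') return recordedChoice;
  if (!banner.isConnected || !isVisible(banner)) return 'reject';
  return 'pending';
}

// ---- Constructed stand-ins for the DOM so the scenario runs under Node ------

class FakeElement {
  constructor(id = '', className = '') {
    Object.assign(this, { id, className, children: [], parentNode: null, observers: [], isRoot: false });
  }
  get isConnected() {
    let n = this;
    while (n.parentNode) n = n.parentNode;
    return n.isRoot;
  }
  appendChild(child) {
    child.parentNode = this;
    this.children.push(child);
    // Deliver the mutation record to every observer registered on an ancestor.
    for (let n = this; n; n = n.parentNode) {
      for (const o of n.observers) o.callback([{ addedNodes: [child] }]);
    }
    return child;
  }
  remove() {
    if (!this.parentNode) return;
    this.parentNode.children = this.parentNode.children.filter((c) => c !== this);
    this.parentNode = null;
  }
}

class FakeMutationObserver {
  constructor(callback) { this.callback = callback; }
  observe(target) { target.observers.push(this); }
  disconnect() {}
}

// End-to-end: a page whose CMP banner is inserted after load, viewed in a
// WebView with or without the suppressor installed.
function runScenario({ suppressorInstalled }) {
  const root = new FakeElement('root');
  root.isRoot = true;
  const body = root.appendChild(new FakeElement('', ''));
  if (suppressorInstalled) installNuker(root, FakeMutationObserver);
  const banner = body.appendChild(new FakeElement('onetrust-consent-sdk', 'cmp-banner'));
  const article = body.appendChild(new FakeElement('main-article', ''));
  const isVisible = (el) => el.isConnected; // the fake DOM has no computed style
  return {
    bannerSurvived: body.children.includes(banner),
    articleSurvived: body.children.includes(article),
    decision: consentDecision(banner, null, isVisible),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildInjectedCss(['#onetrust-consent-sdk', '.cmp-banner']));
  console.log('suppressed:', runScenario({ suppressorInstalled: true }));
  console.log('untouched: ', runScenario({ suppressorInstalled: false }));
}
```

The consentDecision fallback is the part worth copying. A CMP that stays at "pending" and only fires non-essential tags after an explicit accept is unaffected by a client that deletes its banner; one that infers consent from the banner having disappeared quietly turns suppression into acceptance, which is the worst outcome for both the site and the user.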

An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls. And script injected into a WebView runs inside the page's own origin, with the same access to the page's content as the site's own code, so nothing about the mechanism limits it to hiding elements; that is simply what this version of the code happens to do.

Yiiiiiiiiiiiiikes.

And, yes, I can already hear a certain subset of readers thinking: “Sounds great, actually. Cookie banners are annoying.” And sure, there are good reasons why millions of people use browser extensions like uBlock Origin to do exactly this kind of thing. In fact, if you don’t use tools like that, you probably should. Those consent dialogs are frequently implemented as obnoxious dark patterns, and stripping them out is a perfectly reasonable personal choice.

But the key word there is choice. When you install an ad blocker or a consent-banner nuker, you’re making an informed decision about your own browsing experience. When the White House app does it silently, on every page load, without telling you — that’s the government making that decision for you in a deceptive and technically concerning way. And those consent dialogs exist in the first place because of legal requirements, in many cases requirements that governments themselves have enacted and enforce. There’s something almost comically stupid about the executive branch of the United States shipping code that silently destroys the legal compliance infrastructure of every website you visit through its app.

Then there’s the location tracking. The researcher found that OneSignal’s full GPS tracking pipeline is compiled into the app:

Latitude, longitude, accuracy, timestamp, whether the app was in the foreground or background, and whether it was fine (GPS) or coarse (network). All of it gets written into OneSignal’s PropertiesModel, which syncs to their backend.

The White House app. Tracking your location. Synced to a commercial third-party server. For press releases.

Oh and:

There’s also a background service that keeps capturing location even when the app isn’t active.

To be clear — and the researcher is careful to be precise about this — there are several gates before this tracking activates. The user has to grant location permissions, and a flag called _isShared has to be set to true in the code. Whether the JavaScript bundle currently flips that flag is something that can’t be determined from the decompiled native code alone. What can be determined is that, as the researcher puts it:

the entire pipeline including permission strings, interval constants, fused location requests, capture logic, background scheduling, and the sync to OneSignal’s API, all of them are fully compiled in and one setLocationShared(true) call away from activating. The withNoLocation Expo plugin clearly did not strip any of this.

So at best, the people who built this app tried to disable location tracking and failed. At worst, they have it set up to actually use. The plumbing is all there, fully functional, waiting to be turned on. And this is detailed, accurate GPS data, collected every four and a half minutes when you’re using the app and every nine and a half minutes when you’re not, synced to OneSignal’s commercial servers. For a government app. That’s supposed to show you press releases.

While it’s true that the continued lack of a federal privacy law probably means this is all technically legal, it’s still a wild thing for an app from the federal government to do.

And it gets better. Or worse, depending on your perspective. The app embeds YouTube videos by loading player HTML from… a random person’s GitHub Pages account:

The app embeds YouTube videos using the react-native-youtube-iframe library. This library loads its player HTML from:

https://lonelycpp.github.io/react-native-youtube-iframe/iframe_v2.html

That’s a personal GitHub Pages site. If the lonelycpp GitHub account gets compromised, whoever controls it can serve arbitrary HTML and JavaScript to every user of this app, executing inside the WebView context.

This is a government app loading code from a random person’s GitHub Pages.

Cool, cool. Totally normal dependency for critical government infrastructure.

It also loads JavaScript from Elfsight, a commercial SaaS widget company, with no sandboxing. It sends email addresses to Mailchimp. It hosts images on Uploadcare. It has a hardcoded Truth Social embed pulling from static CDN URLs. None of this is government-controlled infrastructure. The list goes on and on and on.

There’s way more in the full breakdown by Thereallo — this is just the highlights. The app is a toxic waste dump of code you should not trust.

Each of these findings individually might have a charitable explanation. Libraries ship with unused code all the time. Lots of apps use third-party services. Dev artifacts occasionally slip through. But stack them all together — the silent consent stripping, the fully compiled location tracking pipeline, the random GitHub dependency, the commercial third-party data flows, the dev artifacts in production, the zero certificate pinning — and the picture is software built by people who either don’t know or don’t care about the standards government software is supposed to meet.

Which brings us to the part that makes all of this even more inexcusable. The United States government used to have people whose entire job was to prevent exactly this kind of thing.

The U.S. Digital Service was created after the Healthcare.gov disaster during the Obama administration, specifically to bring real software engineering talent into the federal government. For over a decade, across three administrations — including Trump’s first term — USDS and its sibling organization 18F recruited experienced engineers, designers, and product managers from the private sector to build government technology that actually worked. These were people who would have caught a full GPS tracking pipeline sitting one function call from activation in what is supposed to be a press release reader, and who would never have loaded executable code from a random person’s GitHub account.

DOGE fired them. Elon Musk’s “Department of Government Efficiency” gutted USDS and 18F — the organizations that were actually doing what DOGE claimed to be doing — and replaced their expertise with… whatever this is. An app built by an outfit called “forty-five-press” according to the Expo config, running on WordPress, with “Greatest President Ever!” hardcoded in the source, loading code from some random person’s GitHub Pages, and shipping the developer’s home IP address to the public.

This is what you get when you fire the people who know what they’re doing and replace them with loyalists: a government app that strips privacy consent dialogs, has a GPS tracking pipeline ready to flip on, depends on infrastructure the government doesn’t control, and ships with the digital equivalent of leaving your house keys taped to the front door. But hey, at least it makes it easy to report your neighbors to ICE.
