The White House recently unveiled a new app to give the public “unfiltered” access to “key priorities,” “historic moments” and “policy breakthroughs.” Now, it’s directing agencies to help install it on the government phones of federal employees.

The Trump administration launched the app, which promises to “[keep] you connected to President Donald J. Trump and his administration like never before,” in March.

The push to install the app on the devices of millions of government employees drew surprise from current and former federal officials, who called the move highly unusual and even dangerous.

  • NekoKoneko@lemmy.world · ↑45 · 7 hours ago

    Here’s the summary of the app from a few months ago: https://thereallo.dev/blog/decompiling-the-white-house-app

    1. Injects JavaScript into every website you open through its in-app browser to hide cookie consent dialogs, GDPR banners, login walls, signup walls, upsell prompts, and paywalls.
    2. Has a full GPS tracking pipeline compiled in that polls every 4.5 minutes in the foreground and 9.5 minutes in the background, syncing lat/lng/accuracy/timestamp to OneSignal’s servers.
    3. Loads JavaScript from a random person’s GitHub Pages site (lonelycpp.github.io) for YouTube embeds. If that account is compromised, arbitrary code runs in the app’s WebView.
    4. Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing.
    5. Sends email addresses to Mailchimp, images are served from Uploadcare, and a Truth Social embed is hardcoded with static CDN URLs. None of this is government infrastructure.
    6. Has no certificate pinning. Standard Android trust management.
    7. Ships with dev artifacts in production. A localhost URL, a developer IP (10.4.4.109), the Expo dev client, and an exported Compose PreviewActivity.
    8. Profiles users extensively through OneSignal - tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation.
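
A defender's triage pass over the kind of findings listed above, added here as an example and not code from the post or from the linked decompile write-up. The hosts are the ones named in the list; the string sample is constructed, and example.gov is a placeholder for a first-party host.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample of string constants pulled from a decompiled build.
# Hosts named in the thread, plus a placeholder .gov host and one OneSignal endpoint.
SAMPLE_STRINGS = [
    "http://localhost:8081/index.bundle",
    "http://10.4.4.109:8081/status",
    "https://lonelycpp.github.io/youtube-embed/player.js",
    "https://elfsightcdn.com/platform.js",
    "https://example.gov/api/v1/feed",  # placeholder first-party host
    "https://onesignal.com/api/v1/players",
    "just a string constant",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
FIRST_PARTY_SUFFIXES = (".gov", ".mil")


def classify_url(url):
    """Label one URL: leftover dev endpoint, first-party host, remote script, or other third party."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host == "localhost":
        return "dev-artifact"
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback:
            return "dev-artifact"  # e.g. a developer's LAN address left in production
    except ValueError:
        pass  # not an IP literal
    if host.endswith(FIRST_PARTY_SUFFIXES):
        return "first-party"
    if parsed.path.endswith(".js"):
        return "third-party-script"  # code that runs inside the app's WebView
    return "third-party"


def triage(strings):
    """Group every URL found in the strings by its triage label (sorted, for a stable diff)."""
    findings = {}
    for s in strings:
        for url in URL_RE.findall(s):
            findings.setdefault(classify_url(url), []).append(url)
    return {label: sorted(urls) for label, urls in findings.items()}


if __name__ == "__main__":
    for label, urls in sorted(triage(SAMPLE_STRINGS).items()):
        print(label, urls)
```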
  • noodles@slrpnk.net · ↑54 · 8 hours ago

    I guarantee it’ll be badly coded and introduce vulnerabilities, which for government phones could be national security threats

  • Remember_the_tooth@lemmy.world · ↑13 · 6 hours ago

    They were never going to just pack up and leave. If the Plan A direct coup doesn’t work, they’ll still have the Plan B of infested IT infrastructure.

  • BonsaiBoo@lemmy.world · ↑29 · 8 hours ago

    There’s no way this wasn’t vibe coded with unsecured code from sketchy githubs and tons of foreign intelligence backdoors built in.

  • ceenote@lemmy.world · ↑23 · 8 hours ago

    If there are any people in my (government) workplace who still support Trump, they keep it to themselves. Everyone I know hates the entire admin. This app will probably only make it worse.

  • foggy@lemmy.world · ↑6 · edited · 5 hours ago

    Lmao.

    Org-managed iOS/Android is not “install whatever some agency stapled to a PDF.” The app gets denied by identity, not a fucking sysadmin clicking through a GUI on orders from above.

    iOS bundle ID + Apple Team ID + signing identity; Android package name + signing cert digest + Managed Play state. If it shows up anyway, the device will be dropped out of compliance and Conditional Access cuts it off from mail, Teams, VPN, SSO, managed browser, org data. I essentially turn the phone into a kid’s toy until I get my eyes on the situation.

    This ain’t a checkbox in the MDM console. The console is downstream. The source of truth is a repo. A service principal polls the live MDM tenant over API, diffs app approvals, assignments, compliance rules, and app-protection policies against the signed config, then PATCHes the deny back if some genius removes it. The audit log fires, SIEM ingests it, the pipeline reverts it, and the diff names the admin. You are not sneaking spyware into my mobile fleet. 😊

    This is literally what I would tell an attacker to their face. I would not publicly even hint at the lengths I go or would go to keep our infrastructure frustratingly safe from shit exactly like this
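
The repo-as-source-of-truth reconciliation loop foggy describes, sketched as an added example (not foggy's code, and not tied to any real MDM API): the config is checked against a signature before use, the live tenant state is diffed against it, and the resulting PATCH operations name the path and the value being restored so the audit diff is explicit. The HMAC key, package ids and tenant state are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the signed repo config: an HMAC over canonical JSON with a
# key the pipeline holds. Signed commits or an asymmetric signature fit the same shape.
SIGNING_KEY = b"pipeline-secret-placeholder"

DESIRED_CONFIG = {
    "app_approvals": {
        # Hypothetical package ids, not the real app's identifiers.
        "gov.example.approved.mail": "allowed",
        "com.example.unwanted.app": "blocked",
    },
    "compliance_rules": {"blocked_app_installed": "noncompliant"},
}


def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(config, key=SIGNING_KEY):
    return hmac.new(key, canonical(config), hashlib.sha256).hexdigest()


def verify(config, signature, key=SIGNING_KEY):
    """Reject any config that was not signed by the pipeline (constant-time compare)."""
    return hmac.compare_digest(sign(config, key), signature)


def reconcile(desired, live):
    """Return the PATCH ops that push the live tenant back to the signed state.
    Each op records the previous value, so the diff shows exactly what was changed."""
    ops = []
    for section, wanted in desired.items():
        current = live.get(section, {})
        for key, value in wanted.items():
            if current.get(key) != value:
                ops.append({"op": "replace", "path": f"/{section}/{key}",
                            "value": value, "was": current.get(key)})
    return ops


def reconcile_signed(desired, signature, live):
    """Poll step: verify the repo config first, then compute what to PATCH back."""
    if not verify(desired, signature):
        raise ValueError("config signature mismatch; refusing to reconcile")
    return reconcile(desired, live)
```

With a live state in which someone has flipped the deny to "allowed", `reconcile_signed(DESIRED_CONFIG, sign(DESIRED_CONFIG), live)` yields a single replace op restoring "blocked" and recording "allowed" as the prior value.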

  • CharlesDarwin@lemmy.world · ↑3 · 6 hours ago

    [keep] you connected to President Donald J. Trump and his administration like never before,

    Probably for similar reasons of having images of Big Brother’s, oops, I mean, Donvict’s, ugly mug staring at people from the DOJ building…

    Maintain the cult-like air of omniscience around old doddering dozing donnie…the guy barely knows where the fuck he is or what he’s even babbling about, but his handlers need to give everyone the impression he’s really on top of everything…

    Big Brother is Watching You

    • FuglyDuck@lemmy.world · ↑2 · 6 hours ago

      it’s their government phones. if it’s not already full of spyware, I’d be disappointed.

      • Dashi@lemmy.world · ↑1 · 6 hours ago

        If it’s not your phone\computer (ex work\government devices) and if you are super paranoid even if it is your phone\computer, always assume someone is always watching and can see\recreate what you are doing.

  • Corporal_Punishment@feddit.uk · ↑5 · ↓6 · 4 hours ago

    This doesn’t change anything, not practically.

    ALWAYS assume everything you do on a device provided by your employer is being monitored

    • Serinus@lemmy.world · ↑4 · 3 hours ago

      It absolutely does, in a number of ways. First, this thing could be straight up spying malware or could be updated to be such in the future.

      • LadyMeow@lemmy.blahaj.zone · ↑3 · 2 hours ago

        It’s a ‘company phone’; you don’t control it, so you can’t trust anything on it.

        Always use work-provided devices only for work-related stuff. There is every reason to believe they can and do monitor everything that happens on them.

        This is true of government devices and private company devices.

          • LadyMeow@lemmy.blahaj.zone · ↑1 · 2 hours ago

            Oh, that? Yeah, well …. Yeah. The entire administration is incompetent narcissists addicted to substances, with the most corrupt President ever at the head, so yeah. And don’t forget the pillaging that DOGE did. Idk, it’s a total mess, and all sorts of secrets and personal information are floating around now. :(

      • Corporal_Punishment@feddit.uk · ↑1 · 2 hours ago

        From a personal perspective, it changes nothing if you already use a work device with the knowledge your use is being monitored.

        From a general data security point of view it’s terrible for the reasons you describe, but that’s a government problem, not a personal one.

    • stoy@lemmy.zip · ↑2 · 3 hours ago

      It injects content into websites. I’d say that changes a LOT actually.

      • Corporal_Punishment@feddit.uk · ↑1 · 2 hours ago

        And what’s stopping Trump just convincing MAGATS to install it willingly?

        If they want to inject data into websites (whatever that means) then there are easier ways when you have an army of morons hanging off your every word.