I Decompiled the White House's New App
blog.thereallo.dev
The official White House Android app has a cookie/paywall bypass injector, tracks your GPS every 4.5 minutes, and loads JavaScript from some guy's GitHub Pages.
Social Media

What Is This App?

It’s a React Native app built with Expo (SDK 54), running on the Hermes JavaScript engine. The backend is WordPress with a custom REST API. The app was built by an entity called “forty-five-press” according to the Expo config.

  • Fmstrat@lemmy.worldEnglish
    7·
    23 hours ago

    The app uses standard Android TrustManager for SSL with no custom certificate pinning. If you’re on a network with a compromised CA (corporate proxies, public wifi with MITM, etc.), traffic between the app and its backends can be intercepted and read.

    That doesn’t seem right. You would still need the compromised CA cert to be installed on your device. This isn’t going to be a problem when connecting to a public Wifi.

    The rest of the article is bonkers, though. Classic corporate data-grab app, and then some.

    • prenatal_confusion@feddit.orgEnglish
      4·
      23 hours ago

      Ten years ago when businesses really needed to offer wifi (train for example) they thought “hey we would like to have something in return!”. I got offered a new ca a couple of times in the captive portal.

      Yeah, not best practice but not unheard of.