I decompiled the White House's new app

Posted by amarcheschi 3 hours ago

I decompiled the White House's new app(thereallo.dev)

199 points | 64 comments

iancarroll 2 hours ago|

A bit skeptical of how this article is written as it seems to be mostly written by AI. Out of curiosity, I downloaded the app and it doesn't request location permissions anywhere, despite the claims in the article.

I've noticed Claude Code is happy to decompile APKs for you but isn't very good at doing reachability analysis or figuring out complex control flows. It will treat completely dead code as important as a commonly invoked function.

Groxx 1 hour ago||

The permissions snippet they show also doesn't include location, and you can't request location at runtime at all without declaring it there.

I'd verify all this stuff for myself, but Play won't install it in my phone so I can't really get the APK. Maybe because I use Graphene...? but I don't know all the ways they can restrict it, maybe it's something else (though for a pixel 9a it's rather strange if it's hardware based).

--- EDIT ---

To be specific / add what I can check, this is what my Play Store "about -> permissions" is showing:

    Version 47.0.1 may request access to
    Other: 
      run at startup
      Google Play license check
      view network connections
      prevent phone from sleeping
      show notifications
      com.google.android.c2dm.permission.RECEIVE
      control vibration
      have full network access

which appears fairly normal, and does not include location, and I think Play includes runtime location requests there. Maybe there's a version-rollout happening, or device-type targeting?

frizlab 2 hours ago|||

> it doesn't request location permissions anywhere, despite the claims in the article

The article does not claim the app requests the location. It claims it can do it with a single JS call.

esprehn 1 hour ago|||

It can request with a JS call. It can't passively collect it without you approving first. The article is written like calling that JS function will turn on location tracking without consent.

mattdeboard 1 hour ago||

He explicitly says he can't determine it, but that the location tracking as configured will turn on once the user grants consent. All true statements.

How would you have written it differently

logifail 36 minutes ago||

"If the user chooses to opt-in and grants location-tracking permission, the app is then, and only then, able to track the user's location?"

dmitrygr 1 hour ago|||

> The article does not claim the app requests the location. It claims it can do it with a single JS call.

so can ... any other code anywhere on a mobile device? That is how API work...

david_allison 1 hour ago||

You need to state the permissions you *may* request/use in AndroidManifest.xml. This data can then be displayed to users pre-installation.

From the (limited) article, it doesn't seem they do this: https://thereallo.dev/blog/decompiling-the-white-house-app#p...

----

EDIT: I'm mistaken. From the Play Store[0] it has access to

* approximate location (network-based)

* precise location (GPS and network-based)

[0] https://play.google.com/store/apps/details?id=gov.whitehouse...

This seems to disagree with:

> The location permissions aren't declared in the AndroidManifest but requested at runtime

*shrug*, someone should dig deeper. It looks like the article may not match reality.

dijksterhuis 2 hours ago||

what version are you on?

from the iphone app store: version 47.0.1 - minor bug fixes - 34 minutes ago

while the parent posted 18 minutes ago

they may have patched the location stuff as part of the “minor bug fixes”?

filoleg 1 hour ago|||

I have the iOS version from yesterday, haven't updated the app yet.

No location permission request prompting encountered. In system settings, where each app requesting location data is listed, it isn't present either.

SoftTalker 3 hours ago||

Looks like what you might expect in a standard marketing app from a consultancy. They probably hired someone to develop it, that shop used their standard app architecure which includes location tracking code and the other stuff.

somehnguy 3 hours ago||

Interesting. The site is nearly unusable to me unfortunately. '19 MBP w/ Chrome - scrolling stutters really bad

tredre3 1 hour ago||

Scrolling is extremely poorly behaved on that page for me too, Firefox 149 Windows 10. Which is quite ironic coming from an article that mainly criticizes the web dev aspects of the app!

imalerba 2 hours ago|||

Scrolling is so laggy it's annoying to follow on mobile (FF 151.0a1)

KomoD 1 hour ago|||

Does it for me too, chrome on a thinkpad

catlikesshrimp 2 hours ago|||

Not what you meant, but works fine on

Firefox 148.0.2 (Build #2016148295), 15542f265e9eb232f80e52c0966300225d0b1cb7 GV: 148.0.2-20260309125808 AS: 148.0.1 OS: Android 14

amarcheschi 1 hour ago||

I agree, the website of the original article is kinda terrible

r4indeer 3 hours ago||

The argument regarding no certificate pinning seems to miss that just because I might be on a network that MITM's TLS traffic doesn't mean my device trusts the random CA used by the proxy. I'd just get a TLS error, right?

subscribed 25 minutes ago||

Not if someone can issue the certificate signed by the CA your phone trust.

Imagine being in a cafe nearby, say, embassy of the certain north African country known for pervasive and wide espionage actions, which decides to hijack traffic in this cafe.

Or imagine living in the country where almost all of the cabinet is literally (officially) being paid by the propaganda/lobbying body of such country.

Or living int he country where lawful surveillance can happen without the jury signoff, but at a while of any police officer.

Maybe its not common but frequent enough.

layer8 6 minutes ago||

> Imagine being in a cafe nearby, say, embassy of the certain north African country known for pervasive and wide espionage actions, which decides to hijack traffic in this cafe.

How would they get your phone to trust their CA? Connecting to a Wi-Fi network doesn’t change which CAs a device trusts.

thegagne 3 hours ago||

Not if you are part of an org that uses MDM and pushes their own CA to devices.

r4indeer 3 hours ago||

Ok, fair point. However, I would consider any MDM-enabled device fully "compromised" in the sense that the org can see and modify everything I do on it.

p2detar 2 hours ago||

An MDM orga cannot install a trusted CA on non-supervised (company owned) devices. By default on BYOD these are untrusted and require manual trust. It also cannot see everything on your device - certainly not your email, notes or files, or app data.

layer8 4 minutes ago|||

If it is untrusted, you also won’t have a TLS connection be established based on that CA.

somebudyelse 1 hour ago|||

[dead]

sitzkrieg 3 hours ago||

i assumed it was malware out the gate. yep

nine_k 1 hour ago||

> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.

So at least it does something actually beneficial for the user! I wish it could go even further, the way Reader Mode in a browser would go.

oefrha 3 hours ago||

> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.

Giving people a taste of web with Ublock Origin annoyance filters applied, refreshing. Can’t believe orange man regime is doing one thing right.

ThaFresh 2 hours ago||

nice work, so they can get your location and have ICE scoop you up if required

ranzhh 1 hour ago||

Are those references to 45 and 47 "Easter Eggs" to Trump's presidency number(s)? As in, forty-five-press (45th president) and Version 47.x.x (47th president), as well as the text message hotline (45470).

analog31 46 minutes ago|

>>> This is a government app loading code from a random person's GitHub Pages.

A random person with pronouns, no less. That means the code is “woke.”

More comments...