Posted by amarcheschi 2 days ago

I decompiled the White House's new app (thereallo.dev)
604 points | 222 comments | page 4
trimethylpurine 2 days ago
I don't see what the fuss is about. This all looks pretty standard. I use random people's stuff all the time. Isn't that the point of open source?

Did you find something malicious in the random GitHub repo? If so, you should write an article about that instead.

kevinsync 2 days ago
Using somebody's stuff is different from hot-linking directly to a hosted version of it, even just from the perspective that dude could delete it at any time and break the whole app.
trimethylpurine 2 days ago
That's fair. I download and embed, personally. Still, it's not a rant-worthy mistake, honestly. Suggest a better approach, sure.
array_key_first 2 days ago
It's definitely a rant-worthy mistake because this would literally never happen in any professional app anywhere. This is a supply chain risk.
trimethylpurine 2 days ago
Microsoft? Okta? JetBrains? If these are amateurs, who is a professional developer?

https://www.encryptionconsulting.com/top-10-supply-chain-att...

Are you aware that common libraries like Bootstrap, FontAwesome, and HTMX walk developers through linking to their CDNs directly? In fact, FontAwesome recommends it for CDN performance.

I think you're dangerously mistaken if you believe that it "literally never" happens. It literally does happen all the damned time. And, for your own safety and others', you should assume that when you use any app for which you don't have the source code.

array_key_first 2 days ago
Linking to a CDN is for development only. Once the app is built, you build your dependencies into the app. You don't fetch them at runtime and run them. Not only for security, but also for performance.

There's also a difference between using a CDN for, say, React and a random GitHub project hosted by some dude.

trimethylpurine 1 day ago
Yeah, I agree. Tell Microsoft. But, meanwhile, this is normally used wrong in a lot of apps. It's not newsworthy that this one is also.
input_sh 2 days ago
It's always a better idea to make a local copy of it.

Imagine they're downloading a project directly from your GitHub account. Even if you're not doing anything malicious and have no intention of doing anything malicious even after you've been aware of this, now all of a sudden your GitHub account / email is a huge target for anyone that wants to do something malicious.

rendx 2 days ago
I don't know if you're being serious or not, but in case you are: There is a difference between (re)using other people's open sourced code, hopefully reviewed, and giving anyone in control of the third party repository the ability to run arbitrary code on your users' devices. Even if the "random GitHub repo" doesn't contain any malicious code right now, it may well contain some tomorrow.
torstenvl 2 days ago
Completely agree. This is really unique. Can you imagine if it were standard practice to be open to supply chain attacks like that, by blindly relying on hotlinked or unpinned dependencies?
trimethylpurine 2 days ago
Why imagine? Let's take a quick look at what's actually happening right now. We can check some widely used libraries and see what their instructions are teaching new developers.

Bootstrap (code snippet from their quick start instructions):

```
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>Bootstrap demo</title>
  <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/css/bootst..." rel="stylesheet" integrity="sha384-sRIl4kxILFvY47J16cr9ZwB07vP4J8+LH7qKQnuqkuIAvNWLzeN8tE5YBujZqJLB" crossorigin="anonymous">
</head>

<script src="https://cdn.jsdelivr.net/npm/@popperjs/core@2.11.8/dist/umd/..." integrity="sha384-I7E8VVD/ismYTF4hNIPjVp/Zjvgyol6VFvRkX/vR+Vc4jQkC+hVqc2pM8ODewa9r" crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/js/bootstr..." integrity="sha...
```

Pay close attention: they are inviting the new developer to link not just to Bootstrap, but to Popper!

HTMX (code snippet from their quick start guide):

```
<script src="https://cdn.jsdelivr.net/npm/htmx.org@2.0.8/dist/htmx.min.js"></script>
<!-- have a button POST a click via AJAX -->
<button hx-post="/clicked" hx-swap="outerHTML">
  Click Me
</button>
```

FontAwesome: a video quick start guide and instructions that recommend using the direct link to the kits via CDN for performance!

Look, I certainly don't think they should be used this way. But, to say that it's unique to the White House app? I definitely wouldn't say that. In fact, I think you've dangerously overestimated the status quo.

habinero 2 days ago
They have not. CDNs are specifically meant for demo/non-critical usage, to make it easy for amateurs to try out the library.

You don't do this in any non-trivial system.

trimethylpurine 1 day ago
According to FontAwesome you're wrong. Their instructions say that their CDN is the recommended way to use their kits.

So, it's nice that you don't do this. But there's nothing special about the White House app doing it. It's very common.

torstenvl 2 days ago
I was being sarcastic. Although hot-linking is not particularly common, it's common enough; and unpinned dependencies are just as much if not more of a supply chain attack risk.

I'd bet something like 70+% of all JS apps are inadequately protected against the risk of a malicious actor gaining access to a dependency's repo.

Pearl-clutching over this while ignoring the lessons of `left-pad` and `colors` is biased motivated reasoning at best.

trimethylpurine 1 day ago
Awesome. Now that I know you were being sarcastic, it's hilarious. It's amazing how difficult it is to tell from text.
magackame 2 days ago
Huh? But there are integrity checks (none in the htmx case, which is strange), to prevent exactly this attack.
trimethylpurine 1 day ago
I'm not sure I follow. How does an integrity check help when the source is compromised? The developer doesn't know that their repo is compromised. They continue posting legitimate hashes because the repo is legitimately compromised.
lukewarm707 1 day ago
Even open source is not that trustworthy.

There are several corpo open source AI apps that have RCE built in.

To cut a long story short, they pull their config from the developer's server on startup. That config has user-level permissions, giving RCE.

Some have no RCE but get remotely executed exfiltration of all the prompts. The app pulls its PostHog config on startup and can just take all the keyboard inputs.

Submit a disclosure and they do nothing, or accuse you of 'AI slop reports' despite being vibe-coded themselves.

xocnad 2 days ago
All good for you to make those choices for yourself. Your response seems to show ignorance of all the recent supply chain attacks that have occurred. You can imagine that, given the situation with the shoe gifts, many high-up members of the administration and cabinet members are running this app.
trimethylpurine 2 days ago
I'm critical of the author.

I'm well aware of supply chain attacks. But this isn't a supply chain attack. If it were, the article would be way more interesting.

The supply chain attack articles are interesting exactly because this is so common. So what's special here other than it being loosely related to a disliked political figure? HN isn't supposed to be an especially political website.

"A common app is doing the same thing that basically every other app is doing."

Is that a good headline? No. And this isn't a good article.

xocnad 1 day ago
> I'm well aware of supply chain attacks. But this isn't a supply chain attack. If it were, the article would be way more interesting.

It's an article that includes coverage of the exposure to supply chain attacks, mainly via directly linking in https://lonelycpp.github.io/react-native-youtube-iframe/ifra.... You seem to be flippantly dismissing this as insignificant given the people who are probably running this app.

> HN isn't supposed to be an especially political website.

Yes but when technology and politics cross paths...

trimethylpurine 1 day ago
There's nothing you could exploit here. There's nothing special about this app. This article is about nothing. Not politics and not technology.

If you enjoy reading about how a guy smelled another guy's underpants and discovered that they smell like everyone else's, then rest assured, you can continue reading it over and over again if you like. I'm not able to downvote, so your enjoyment is safe from my opinion.

If he finds something interesting in there (I hope he does), and writes another article I might miss it, unfortunately, because I've written him off as a trash piece author.

EDIT: I went to use this as an example. Hilarious, this blog now has a bad SSL cert, just to put the icing on the cake.

gitaarik 2 days ago
For an Android game downloaded from the Play store I wouldn't find these findings surprising at all. But from an official app from the White House? Well ok, from THIS White House - you're completely right to expect that.
rpdillon 2 days ago
The dependencies weren't vendored, meaning their behavior can change at any time if a malicious actor gains control of that third-party repo.

This is bad for security.

trimethylpurine 2 days ago
Yes, I agree. And it's sadly, as we can see, still fairly standard practice to ignore it.
replwoacause 2 days ago
Lol, honestly all of this tracks given the current administration. I'm actually surprised it isn't worse. But yeah, amateur hour for sure.
jfengel 2 days ago
"Amateur hour" is basically their theme. They were swept in on a wave of distrust for people who know what they're talking about. They were elected to tear down Chesterton's fence, even (and especially) the parts holding in the face-eating leopards.

To mix the metaphors further, they (the politicians and their supporters) fancy themselves the kind to dream of things that never were and ask why not. Why not have a war in Iran? You won't know until you give it a try.

ranzhh 2 days ago
Are those references to 45 and 47 "Easter Eggs" to Trump's presidency number(s)? As in, forty-five-press (45th president) and Version 47.x.x (47th president), as well as the text message hotline (45470).
jruz 2 days ago
Is this a surprise to anyone?
andix 2 days ago
I would've expected worse. :)
analog31 2 days ago
>>> This is a government app loading code from a random person's GitHub Pages.

A random person with pronouns, no less. That means the code is “woke.”

wincy 2 days ago
Every default setup on every website and app for the last five or so years has been encouraging users to add pronouns, making it difficult to avoid it, even my iPhone asks me to add each person’s pronouns when I add a new contact. I don’t know why Siri needs to know that, but it’s there. There’s one website I use that won’t let you sign up as a contributor without “completing your profile”, which includes mandatory pronouns.

I guess there’s some workplaces where it’d be useful for me to update these, probably the ones Apple PMs work in.

4ndrewl 2 days ago
It's often useful for me so that I can know how to address you/refer to you, especially if it's a foreign (to me) name I'm unfamiliar with.
analog31 2 days ago
Well, it's past the edit window, and of course I accept the downvotes, but I realize that I should have provided a bit more context.

In the US, the faction in power right now is attacking perceived symbols of "woke" ideology, and one of them is the use of pronouns.

As I understand it, some government agencies are even forbidding the use of pronouns in e-mail signatures etc. So it struck me as ironic that a software component with pronouns would have evaded their notice.

I have no problem with the use of pronouns.

array_key_first 2 days ago
I would imagine it would be useful in 100% of English-speaking workplaces because all workplaces have the expectation of English communication, which pronouns are essential for. If I'm writing an email or a chat message, I will typically have to use a pronoun.

Inferring pronouns has always been dumb and annoying. Many names don't have obvious pronouns, for example, the name "Taylor". Is that he or she? And clicking the little profile icon and squinting to see if someone is a man or a woman is also a waste of time. It's a lot easier for everyone if it just tells you the pronoun.

vdqtp3 2 days ago
> If I'm writing an email or a chat message, I will typically have to use a pronoun.

It's not that hard to just avoid it. I send emails to a lot of people I haven't spoken to and don't know their gender, so I write gender-neutral emails.

array_key_first 2 days ago
Sure, but why would I go out of my way to use gender neutral pronouns like "they" when they can just tell me their preferred pronouns?
defrost 2 days ago
It's only "out of your way" if you never learned to write gender neutral from the ground up.

In the 1970s and 1980s it was the default in many Commonwealth locales to not assume that (say) Rob Owens writing mathematics and engineering papers was male (as it turns out, she isn't, the Rob is short for Robyn).

So much correspondence was with people who had Initial Surname or abstract handles that didn't broadcast gender.

array_key_first 2 days ago
But if someone has the ability to broadcast their preferred pronouns and we built that in, and it costs nothing, then what's the problem?

I guess I'm just not really understanding people getting upset at what I perceive to be completely made up problems. We have technology, we no longer have to assume gender neutral pronouns for everyone. They can just tell us the pronouns they want.

defrost 2 days ago
I cannot see the need for anything other than neutral pronouns when discussing permutations with either G. Egan or C. Praeger.
kelnos 2 days ago
I wonder if that person might find it amusing to take down the file the app uses
anotherevan 2 days ago
My admittedly more puerile thought upon reading that bit was to change the code so it only loads goatse.
ThaFresh 2 days ago
Nice work, so they can get your location and have ICE scoop you up if required.
colesantiago 2 days ago
This is a pretty standard decompilation of an Android app.

I am sure if you decompile other apps used by hundreds of thousands of people, you would find all sorts of tracking in there.

Thanks for helping the White House improve their app security for free though.

yellow_lead 2 days ago
Even in the apps I've worked on, you won't find us loading arbitrary JS from a random GitHub user's account.
-retardando- 2 days ago
> you won't find us loading arbitrary JS from a random GitHub user's account

You load arbitrary JS from a random GitHub user's NPM package. What's the difference?

colesantiago 2 days ago
> Even in the apps I've worked on, you won't find us loading arbitrary JS from a random GitHub user's account.

You'd be surprised how many apps inside have hacks and workarounds because deadlines.

crtasm 2 days ago
Let's see if anyone can give an example of such a high profile app doing something similar.
flutas 2 days ago
I've worked on a three-letter sports org's (one of NFL, NBA, NHL, etc.) Android app.

I always joke that we could probably tell you what color and type your underwear is on any random day with how much data is siphoned off your phone.

As for loading random JS, yeah, also seen that done before. "Partner A wants to integrate their SDK in our webviews." -> "Partner A" SDK is just loading a JS chunk in that can do whatever they want in webviews, including load more files.

Don't get me started on the sports betting SDKs...

Though we do have a Security team constantly scanning SDKs and the endpoints for changes in situations like this.

jasonlotito 2 days ago
> As for loading random JS, yeah, also seen that done before.

Partner A is not random JS. The assumption there is 1) you have some official signed agreement with them and 2) you've done your due diligence to ensure you can use them in this way.

It's not just some person's GH repo who can freely change that file to whatever they want.

Hotlinking is as old as the internet, and a well-worn security threat.

gitaarik 2 days ago
True for any random game app in the Play store, and flashlight and note apps. But well, reputable companies don't put too much weirdness into their apps.
periodjet 2 days ago
> Is it what you'd expect from an official government app? Probably not either.

Since when is the government a slick and efficiently run outfit that produces secure and well-done software products? Does no one remember the original Obamacare launch?

It’s hard to imagine a smug article like this dissecting a product of some other administration. There’s something very weird and off about stuff like this.

mmastrac 2 days ago
You omitted these items immediately above that line:

Injects JavaScript into every website you open through its in-app browser to hide cookie consent dialogs, GDPR banners, login walls, signup walls, upsell prompts, and paywalls.

Has a full GPS tracking pipeline compiled in that polls every 4.5 minutes in the foreground and 9.5 minutes in the background, syncing lat/lng/accuracy/timestamp to OneSignal's servers.

Loads JavaScript from a random person's GitHub Pages site (lonelycpp.github.io) for YouTube embeds. If that account is compromised, arbitrary code runs in the app's WebView.

Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing.

Sends email addresses to Mailchimp, images are served from Uploadcare, and a Truth Social embed is hardcoded with static CDN URLs. None of this is government infrastructure.

Has no certificate pinning. Standard Android trust management.

Ships with dev artifacts in production. A localhost URL, a developer IP (10.4.4.109), the Expo dev client, and an exported Compose PreviewActivity.

Profiles users extensively through OneSignal - tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation.

periodjet 2 days ago
[flagged]
mmastrac 2 days ago
> It’s hard to imagine a smug article like this dissecting a product of some other administration

Did the other administration put a "fake news" and "report to ICE" and grifting link to their own social network in their apps? I feel like you are perhaps papering over a whole lot of general shittiness of this app that didn't exist in less amateur previous administrations that at least tried to follow the norms.

fortran77 2 days ago
[flagged]
ceejayoz 2 days ago
You can report anything.

The only case they cite of an actual intervention resulting seems... entirely legit?

> An adult entertainment club lost its liquor license after a dancer and others were seen not wearing masks, the state said.

People call 911 for goofy things, too.

braebo 2 days ago
Did they break down your door or shoot your SO in the head for not wearing a mask?
phist_mcgee 2 days ago
Isn't that state based?

Also I'd say the federal government's approach to ICE deportations is a little stronger than even the COVID measures.

felipellrocha 2 days ago
You think this administration is trustworthy?
Ylpertnodi 2 days ago
Yes, but considerably less than the Iranian administration. Actually, no.
rootusrootus 2 days ago
> Since when is the government a slick and efficiently run outfit that produces secure and well-done software products? Does no one remember the original Obamacare launch?

Wasn't that written by a private company? Canadian, IIRC.

array_key_first 2 days ago
> It’s hard to imagine a smug article like this dissecting a product of some other administration.

Yes, that's because this administration is uniquely awful. Basically every single thing this administration does is bad. Often so bad that it's legitimately impressive just how incompetent our leaders are.

Obviously previous administrations were not perfect, but to sit here and pretend that they are on the same level is delusion.

dinkumthinkum 2 days ago
[flagged]
jibal 2 days ago
> It’s hard to imagine a[n informative] article like this dissecting a product of some other administration.

A baseless ideological claim.