The White House Android app contains a dormant GPS pipeline that polls location every 4.5 minutes in the foreground and every 9.5 minutes in the background and syncs coordinates to OneSignal. It also loads arbitrary JavaScript from a public GitHub account into its WebView and strips cookie-consent/paywall UI in an in-app browser. These are concrete, auditable behaviors inside an official federal app built with Expo SDK 54 and a WordPress backend.
If official apps routinely include such telemetry and remote code, they create persistent privacy, supply-chain and interception risks that erode public trust and could be abused by hostile actors or misconfigured by administrators.
BeauHD
2026.05.06
APK analysis reveals OneSignal location uploads (4.5/9.5 minute polling), JavaScript loaded from an arbitrary GitHub repo for YouTube embeds, and missing SSL certificate pinning.