The White House Launched Its Own App With A Glaring Privacy Issue

If you want to stay up-to-date with the inner workings of the current administration, they've opened an official channel just for you — the new White House app promises to deliver "unparalleled" access to the Trump Administration. It's described as a "powerful" experience providing a direct line to the White House, allowing Americans to receive breaking alerts, watch live streams of briefings, and access a "dynamic media library." You can also purportedly send your feedback right to the administration, no middle man involved. It sounds a lot like the White House website with promises of a "golden age" returning. There's one major problem — or a few of them, rather — and they all tie into how the app collects user data. 

As noted by Mashable, the app requests permission to access sensitive information, including location data and network connections. If all permissions are granted, it can access biometrics, modify or delete contents of shared storage, prevent your phone from sleeping, receive data from the internet, and more.

Some of these sound routine. The boilerplate "receive data from the internet" permission is requested by nearly every app that is not fully offline, and plenty of mobile apps collect location data. What stands out is that the White House app requests both your approximate location and your precise GPS location, and one user who decompiled the app reports that it polls location roughly every 4.5 minutes and forwards it to a third-party server. The recipient is OneSignal, a company that delivers mobile push notifications, including location-based campaigns. That is not the only privacy issue with the new app, however.
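The permission list above is exactly what a reviewer pulls out of a decompiled APK's AndroidManifest.xml before looking at any code. The script below is an added example, not code from the article or from the app: it parses a constructed manifest fragment (not the White House app's real manifest), sorts the declared permissions by Android protection level, and summarises how much location access the app asked for. The `PERMISSIONS` table covers only the permissions the article mentions, plus ACCESS_BACKGROUND_LOCATION, which an app needs on Android 10 and later to keep reading location while it is not on screen; anything outside the table is reported as unrecognised rather than guessed at.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

# Constructed manifest fragment for illustration only; with a real APK you
# would feed in the manifest that apktool (or a similar tool) extracts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
</manifest>"""

# Protection level per the Android permission reference: "dangerous" permissions
# need a runtime prompt, "normal" ones are granted silently at install time.
PERMISSIONS = {
    "android.permission.ACCESS_COARSE_LOCATION": ("dangerous", "approximate location"),
    "android.permission.ACCESS_FINE_LOCATION": ("dangerous", "precise GPS location"),
    "android.permission.ACCESS_BACKGROUND_LOCATION": ("dangerous", "location while app is not on screen"),
    "android.permission.READ_EXTERNAL_STORAGE": ("dangerous", "read shared storage"),
    "android.permission.WRITE_EXTERNAL_STORAGE": ("dangerous", "modify or delete shared storage"),
    "android.permission.USE_BIOMETRIC": ("normal", "show a biometric prompt"),
    "android.permission.WAKE_LOCK": ("normal", "prevent the phone from sleeping"),
    "android.permission.INTERNET": ("normal", "receive data from the internet"),
    "android.permission.ACCESS_NETWORK_STATE": ("normal", "view network connections"),
}


def declared_permissions(manifest_xml: str) -> list[str]:
    """Every android:name on a <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)]


def audit_permissions(manifest_xml: str) -> dict:
    """Bucket declared permissions into dangerous / normal / unrecognised."""
    report = {"dangerous": [], "normal": [], "unrecognised": []}
    for perm in declared_permissions(manifest_xml):
        level, meaning = PERMISSIONS.get(perm, (None, None))
        if level is None:
            report["unrecognised"].append(perm)
        else:
            report[level].append((perm, meaning))
    return report


def location_profile(manifest_xml: str) -> str:
    """'none', 'approximate', 'precise', optionally suffixed '+background'."""
    perms = set(declared_permissions(manifest_xml))
    if "android.permission.ACCESS_FINE_LOCATION" in perms:
        profile = "precise"
    elif "android.permission.ACCESS_COARSE_LOCATION" in perms:
        profile = "approximate"
    else:
        return "none"
    if "android.permission.ACCESS_BACKGROUND_LOCATION" in perms:
        profile += "+background"
    return profile


if __name__ == "__main__":
    report = audit_permissions(SAMPLE_MANIFEST)
    for level in ("dangerous", "normal"):
        for perm, meaning in report[level]:
            print(f"{level:10} {perm:55} {meaning}")
    for perm in report["unrecognised"]:
        print(f"{'unknown':10} {perm}")
    print("location access:", location_profile(SAMPLE_MANIFEST))
```

A manifest that declares FINE location without BACKGROUND location can still poll while the app is in the foreground, so a "precise" result plus a periodic timer in the code is consistent with the 4.5-minute interval reported above; a "+background" result would mean the app also asked to keep reading location after the user leaves it.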

The app has a built-in WebView for opening the external links it provides, in other words a web browser embedded inside the app. The same user who found the location polling interval reports that every time the app loads a page in this WebView, it injects a JavaScript snippet and CSS into the page to suppress cookie-consent dialogs, GDPR banners, login gates, paywalls, upsell prompts, and consent-management fields. For YouTube embeds, the WebView was seen loading an iframe library from an individual GitHub user's personal page. That has been flagged as a security problem because it is a dependency the app's developers do not control: if that GitHub account were compromised, an attacker could serve "arbitrary HTML and JavaScript" to anyone using the app's WebView.

There is more to be concerned about behind the scenes, according to the same analysis. The app does not implement certificate pinning; it relies on Android's default TrustManager for TLS validation, which accepts any certificate that chains to a CA in the device's trust store and so offers less resistance to man-in-the-middle attacks than a pinned connection would. Through OneSignal, personal user information can be profiled, including SMS phone numbers and how the user interacts with notifications. And, much like the YouTube embed code, the app's WebView loads third-party JavaScript from Elfsight widgets with no fallback or sandboxing.

Judging by the analysis, the app appears to be a technical privacy nightmare that more than a few people might want to avoid. These issues are more than a little concerning, especially at a time when widespread surveillance campaigns, like automated license plate readers, social media data collection, and secret traffic cameras in places you'd never expect, seem to be on the rise.
