NOW LET US – AI RAG SaaS Studio TP.HCM

I decompiled the White House's new app


A deep technical analysis of the Trump Administration's new mobile app reveals sophisticated location tracking mechanisms, the ability to interfere with third-party web content, and potential security vulnerabilities.

The White House released an app on the App Store and Google Play. They posted a blog about it. "Unparalleled access to the Trump Administration."

It took a few minutes to pull the APKs with ADB and throw them into JADX.

Here is everything I found.

It's a React Native app built with Expo (SDK 54), running on the Hermes JavaScript engine. The backend is WordPress with a custom REST API. The app was built by an entity called "forty-five-press" according to the Expo config.

The actual app logic is compiled into a 5.5 MB Hermes bytecode bundle. The native Java side is just a thin wrapper.

Version 47.0.1. Build 20. Hermes enabled. New Architecture enabled. Nothing weird here. Let's keep going.

Two things stand out in the Expo config. First, there's a plugin called withNoLocation. Second, there's a plugin called withStripPermissions. Remember these; they become relevant very soon. OTA updates are disabled: the Expo update infrastructure is compiled in but dormant.

I extracted every string from the Hermes bytecode bundle and filtered for URLs and API endpoints. The app's content comes from a WordPress REST API at whitehouse.gov with a custom whitehouse/v1 namespace. Here are the endpoints:

  • /wp-json/whitehouse/v1/home: Home screen
  • /wp-json/whitehouse/v1/news/articles: News articles
  • /wp-json/whitehouse/v1/wire: "The Wire" news feed
  • /wp-json/whitehouse/v1/live: Live streams
  • /wp-json/whitehouse/v1/galleries: Photo galleries
  • /wp-json/whitehouse/v1/issues: Policy issues
  • /wp-json/whitehouse/v1/priorities: Priorities
  • /wp-json/whitehouse/v1/achievements: Achievements
  • /wp-json/whitehouse/v1/affordability: Drug pricing
  • /wp-json/whitehouse/v1/media-bias: "Media Bias" section
  • /wp-json/whitehouse/v1/social/x: X/Twitter feed proxy

Other hardcoded strings from the bundle: "THE TRUMP EFFECT", "Greatest President Ever!", "Text President Trump", "Send a text message to President Trump at 45470", "Visit TrumpRx.gov", "Visit TrumpAccounts.gov". There's also a direct link to the ICE tip reporting form. In a news app. It's a content portal. News, live streams, galleries, policy pages, social media embeds, and promotional material for administration initiatives. All powered by WordPress.

Now let's look at what else it does. The app has a WebView for opening external links, and every time a page loads in it the app injects a JavaScript snippet. The snippet hides cookie banners, GDPR consent dialogs, OneTrust popups, privacy banners, login walls, signup walls, upsell prompts, paywall elements and consent-management-platform (CMP) boxes, and it forces body { overflow: auto !important } to re-enable scrolling on pages where a consent dialog locks the scroll. An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates and paywalls.

Remember withNoLocation from the Expo config? The plugin that's supposed to strip location? Yeah. The OneSignal SDK's native location tracking code is fully compiled into the APK. It requests a GPS fix every 4.5 minutes while the app is in the foreground and every 9.5 minutes in the background, and it captures latitude, longitude, accuracy, a timestamp and whether the app was in the foreground or background, all of which is synced to OneSignal's servers.
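One way to turn the "permission-stripping plugin versus compiled-in SDK" question into a repeatable check, as an added example that is not part of the original post: parse the merged AndroidManifest.xml decoded from the APK (the post-merge manifest is what Android enforces, not the Expo source config) for location permissions, scan the dex class list for location-capable SDK classes, and report whether the tracking code is active (code and permission both present), dormant (code present but no permission, so the OS refuses the fix and the SDK's location calls fail) or absent. The manifest, the class names and the package names below are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LOCATION_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}

# Constructed sample: a decoded AndroidManifest.xml as apktool or jadx would emit it.
# Hypothetical content, not the real app's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <application android:label="Example"/>
</manifest>
"""

# Constructed sample: fully qualified class names from the dex, e.g. the jadx output
# tree or `apkanalyzer dex packages`. Hypothetical names.
SAMPLE_CLASSES = [
    "com.onesignal.location.internal.LocationManager",
    "com.onesignal.location.internal.background.LocationBackgroundService",
    "com.onesignal.notifications.internal.NotificationsManager",
    "com.example.app.MainActivity",
]


def declared_permissions(manifest_xml):
    """All <uses-permission android:name=...> values in the (merged) manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def location_capable_classes(class_names, markers=("location",)):
    """Classes whose package or name suggests location handling (case-insensitive)."""
    return sorted(c for c in class_names if any(m in c.lower() for m in markers))


def assess_location_tracking(manifest_xml, class_names):
    """Cross-check compiled-in location code against what the manifest allows."""
    perms = declared_permissions(manifest_xml) & LOCATION_PERMISSIONS
    classes = location_capable_classes(class_names)
    if classes and perms:
        verdict = "active"    # code is present and the OS can hand it a fix
    elif classes:
        verdict = "dormant"   # code is present but no permission is declared,
                              # so location requests are refused at runtime
    else:
        verdict = "absent"
    return {"verdict": verdict, "permissions": sorted(perms), "classes": classes}


if __name__ == "__main__":
    report = assess_location_tracking(SAMPLE_MANIFEST, SAMPLE_CLASSES)
    print(report["verdict"])
    for c in report["classes"]:
        print("  location-capable class:", c)
```

A "dormant" verdict is still worth reporting: the code ships, and a later build that re-adds the permission (or a manifest-merger change in the SDK) flips it to "active" without any change in app logic.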

The app embeds YouTube videos using the react-native-youtube-iframe library. This library loads its player HTML from a personal GitHub Pages site. If that GitHub account gets compromised, whoever controls it can serve arbitrary HTML and JavaScript to every user of this app. This is a government app loading code from a random person's GitHub Pages; the fix is to ship the player HTML inside the app rather than fetch it from a host the app's developers do not control. The app also loads third-party JavaScript from Elfsight to embed social media feeds. Elfsight is a commercial SaaS widget company. Their JavaScript runs inside the app's WebView with no sandboxing.
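The string-extraction step described earlier and the third-party-origin point about GitHub Pages and Elfsight, as one added example that is not the author's tooling: a strings(1)-style scan of printable runs in the bundle, followed by sorting what comes out into first-party API endpoints under /wp-json/ and remote origins the app does not control. The bundle bytes, hostnames and paths are constructed for the example; a real bundle should also be read with a Hermes bytecode disassembler, since a naive ASCII scan misses the UTF-16 entries in Hermes's string table.

```python
import re
from urllib.parse import urlsplit

# Constructed sample standing in for a Hermes bytecode bundle (index.android.bundle).
# Real bundles are binary; ASCII string-table entries sit among opcodes and offsets,
# which is why a strings(1)-style scan surfaces them. All URLs here are hypothetical.
SAMPLE_BUNDLE = (
    b"\x00\x01\xc6\x1f\xbc\x03https://www.example.gov/wp-json/example/v1/home\x00"
    b"\x7f\x02/wp-json/example/v1/news/articles\x00\x9a"
    b"https://someone.github.io/yt-player/index.html\x00\x00"
    b"https://static.elfsight.example/platform/platform.js\x00\x13abc\x00"
    b"Visit Example.gov\x00"
)

# Assumption: the app's own domains; everything else is a third-party origin.
FIRST_PARTY_HOSTS = {"www.example.gov", "example.gov"}
API_PREFIX = "/wp-json/"


def extract_ascii_strings(data, min_len=6):
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def classify_strings(strings, first_party_hosts, api_prefix=API_PREFIX):
    """Split extracted strings into first-party API paths, third-party origins, and the rest."""
    endpoints, third_party, other = set(), set(), []
    for s in strings:
        if s.startswith(("http://", "https://")):
            parts = urlsplit(s)
            host = parts.hostname or ""
            if host in first_party_hosts:
                if parts.path.startswith(api_prefix):
                    endpoints.add(parts.path)
            else:
                # Origin only: scheme + host is what matters for "who can serve code here".
                third_party.add(f"{parts.scheme}://{host}")
        elif s.startswith(api_prefix):
            # Relative API paths, the form most REST calls take in the bundle.
            endpoints.add(s)
        else:
            other.append(s)
    return {
        "endpoints": sorted(endpoints),
        "third_party_origins": sorted(third_party),
        "other": other,
    }


if __name__ == "__main__":
    report = classify_strings(extract_ascii_strings(SAMPLE_BUNDLE), FIRST_PARTY_HOSTS)
    for path in report["endpoints"]:
        print("endpoint:", path)
    for origin in report["third_party_origins"]:
        print("third-party origin (review before trusting):", origin)
```

Every entry in third_party_origins is a host whose operator can change what the app renders; that list, not the endpoint list, is where the GitHub Pages and Elfsight findings come from.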

© 2026 Now Let Us. All rights reserved.

Source: Hacker News
