I Decompiled the White House's New App (blog.thereallo.dev)

A security researcher reports decompiling the White House’s official Android app and says it contains code to inject JavaScript/CSS into the app’s WebView to remove cookie banners, consent dialogs, login gates, and paywalls on third-party sites. The researcher also claims the app includes a built-in GPS tracking pipeline using OneSignal that can poll location every few minutes and send location data to OneSignal’s servers, plus tracking of notification and in-app events. Finally, the post alleges the app loads third-party scripts (including YouTube embed HTML from a personal GitHub Pages site and social widgets from Elfsight) without strong isolation, meaning those external sources could change what runs inside the WebView.