I Decompiled the White House's New App
The app has a cookie/paywall bypass injector, tracks your GPS every 4.5 minutes, and loads JavaScript from some guy's GitHub Pages.
::: spoiler Social Media
- Lobsters;
- Hacker News;
- Reddit.
:::
What Is This App?
It's a React Native app built with Expo (SDK 54), running on the Hermes JavaScript engine. The backend is WordPress with a custom REST API. The app was built by an entity called "forty-five-press" according to the Expo config.
https://blog.thereallo.dev/blog/decompiling-the-white-house-app
Comments (62)
It's good information about how bad the app really is. People should not dismiss the information because of the crappy website complaints.
It seems like it's only crappy on mobile, no issues on desktop here.
same, worked fine in Firefox on linux, with no-script and uBlock
Omg, another person who’s crazy enough to run noscript still, I thought I was the only one.
I run no script on both Firefox desktop and mobile. I'd much rather have to approve things to run, than have them run by default.
What's wrong with no-script? I've been running it for years. It's a lifesaver.
If one has it set to default-deny Javascript, a lot of websites don't work, because many web developers don't develop websites that work without Javascript today.
Historically, websites did a better job of falling back.
There's dozens of us. Works great on mobile with NoScript, although the source code snippets don't load. Since the article describes what they do anyway it's still readable without them, and the excellent performance is worth leaving JS blocked.
I'm on my Pixel 9a and had zero problems with scrolling.
It works perfectly on mobile (Pixel 7) for me.
It's really hard not to dismiss when having a seizure for just trying to read it.
I really wanted to read.
What happened? Apparently my crappy browser handled something for me.
It's laggy as hell on my mobile phone. And it's not a bad/cheap model.
The site is basically white text on black background and some colored code snips.
It should scroll smooth on 1980's Casio watch.
Weird. I have a "cheap" device on the legacy list, and apart from mild latency and general ugliness, I had no issues.
I'm on an S24 with Firefox. Wonder what's causing the issues, it loads just fine and scrolls fine on my end.
Here you go, since we don't want to trigger any seizures! https://sh.itjust.works/post/57582014
It's displaying for me through my piefed app. Only weird bit was the trippy fold up of the title as you scrolled down but that happens once.
Yeah. As soon as the transparent title hit the top, it started to stutter. Like 2 fps.
I use Fennec on A54 (8Gb). It just does not seem right to be so laggy/stuttery as the content is merely text. How bad can the code rendering the content be?
I have never accomplished such a site.
And it really can't be due to device and browser. Many others on different setup have stated the same.
Visually similar site should run on moldy potato.
I can't say anything about the content of this blog. It was horribly laggy to scroll on mobile device. And by horribly laggy, I mean like aunt's 1986 vacation slide show on a projector while having dry cookies and tasteless off brand earl grey.
I'm sorry if it sounds rude but I had to bring this on out in the open. What even runs under the hood on that blog..
It's a bit funny that it's completely at odds with how they describe their goals (emphasis mine):
I didn't have any problem on my Android phone
It wasn't horribly laggy on my Pixel but it definitely was less performant than a page like this should be.
Holy shit, I thought I was gonna have a seizure first time I scrolled
Like it's locked to 10fps
Even if the effect didn't lag, there's almost no added benefit to it. The title is cut off, and the description is even worse.
If the author wanted to, they could have done something like this with no scripts, minimum effort, and probably zero lag.
(If OP's website chugged for you, I'm curious whether this demo is seamlessly smooth. It is for me.)
Smooth as cub's fur.
Strangely enough, for me both blog post and demo didn't lag, but the transparent sticky title did look bad
Worked fine for me, but I block ads and trackers on my home network so that probably helped.
I had no issues, and I am on a cheap boomer phone that installs games without permission every so often.
Yea for me too, it appears to be something with the title header following your scroll. It's super smooth just until it tries to pin it to the top.
Reader mode works until I realised that they did explain the pictures, so just referenced text I didn't see.
runs perfectly fine on my laptop with firefox
Not a performance problem. My guess is, they (poorly) emulate native scrolling via JS on mobile. Probably for some progress feature or something. JS disabled, scrolling works. Though it was only slightly laggy for me.
Unfortunately all of the code blocks are loaded after-the-fact with JS for some asinine reason (highlighting I'd understand... but why the actual text?), so disabling JS also disables all the code snippets on the page.
That's why dynamic loading sucks.
Definitely a performance problem, no HW acceleration on PC produces the same insanely stuttery scroll.
I fell down a wild rabbit hole.
I don't think I'll continue on. There's clearly a lot going on here and it is not looking good. Edit: I lied. But this is the end for me:
Not good.
Which begs the question of if the Trump admin will give up the app and allow it to be archived, considering it's using the gov.whitehouse.app app id or if they'll keep it and pretend to be the White House (in which case will Apple and Google step in and pull it from App Stores).
Just updated the post. If Petty and Xsponse are involved, and they use CSC, I don't think they care about the appid issue because it's possible they control the entire internet infrastructure stack anyway. But that's only an if.
Anyone have any idea who the devs are? According to the owner tag in the code, it's: https://devfortyfive.com/ but there's no information on the people behind it.
Most transparent administration! /s
Yeah, having the real people behind it hidden is basically the norm for Trump admin.
Probably an openclaw server attached to Don Jr’s bank account.
Some guy in Utah, apparently. The company was registered on the 18th of March.
Via Utah Division of Corporations and Commercial Code Business Registration search which did not allow a direct link to individual results.
So according to that, the company's address (both physical and mailing) is 3739 E Sandstone Way, Washington, UT, 84780-1952.
(from https://maps.app.goo.gl/q48YJf3XndfY5Ges8)
...yeah, honestly that's about what I expected.
It's a rental. I'm wondering if it's not basically a front. The guy listed is a 22 year old (edit: age is maybe not the same guy) "head of engineering" for a company owned/run by Blue Rocket Incorporated, which seems to typically be a parent company to a lot of places.
Lmao what even is that stupid-ass useless lawn.
So...to be clear, this was formed just prior to the release of the app, and almost certainly the app was being developed by this person/group before then.
Sure would be good to know what public funds were used to pay for this app (I assume too much), and whether there was a bidding process (I assume there wasn't), and whether this person is someone the decision-maker already had some relationship/connection to (I assume that was the case).
Because regardless of the public value of a tracking & propaganda window favoring one party (none), it would be completely shocking, just totally unheard of, if this was a corrupt overpayment and misuse of public funds to pay for substandard work to personal and political connections.
I mean, we didn't just see this happen with Noem or anything.
Or maybe it was vibe coded in one day
Judging by the fact that tabs in the app go to webpages… seems like not much was probably spent in developing it.
Probably actually 45 Press, they've been around a while
https://45press.com/
Just 3 down from this post in my feed.
Btw, this site has no business doing (laggy) scrolling via JS on a fucking blog.
No JavaScript for you.
AI vibe coded slop.
Pretty much exactly what I expected.
That doesn't seem right. You would still need the compromised CA cert to be installed on your device. This isn't going to be a problem when connecting to a public Wifi.
The rest of the article is bonkers, though. Classic corporate data-grab app, and then some.
Ten years ago when businesses really needed to offer wifi (train for example) they thought "hey we would like to have something in return!". I got offered a new ca a couple of times in the captive portal.
Yeah, not best practice but not unheard of.
The user tracking is dodgy, yes but I can see it happening in any business where developers are clueless yes men.
As for pay wall countermeasures I can see how some person in Trump org not being happy about the links in the app being pay walled and asked the dev to remove the popups which they did without question.
The app is made by an entity called “forty-five-press” and the version number is 47.0.1.
I like how they did not stay with v47 and added a patch 🤣
ELI5?
Likely nothing illegal. Quite a bit of bad dev habits. Some concerning security fuck ups, including pulling in JavaScript from a server they don’t control. Injecting JavaScript to subvert cookie/gdpr/login/etc popups on third party sites.
Just generally bad things to do, especially in a government provided app.