Looks like what you might expect in a standard marketing app from a consultancy. They probably hired someone to develop it, that shop used their standard app architecure which includes location tracking code and the other stuff.
If only the US Digital Service still existed as an agency to do this right. Too bad it's now been hollowed out to be DOGE, subject to multiple active lawsuits.
The location tracking code is within the OneSignal SDK - which is just a standard messaging platform for sending emails/push messages to users. It doesn't have some magical permissions bypass, the app itself has to request it.
And r8 which does tree shaking to remove dead code is not smart enough to understand react native so it won't strip it out without extra work from the developer.
Cross referencing these different things in the article to other apps that exist was my first thought as these seem pretty generic and probably reused from somewhere else.
The Polish covid quarantine app was famously adapted from some app for store inspectors or something, as it already implemented most of the required functionalities, like asking for photos via push at random times, sending them along with a location etc.
They likely did a search-and-replace on the brand name, so you had strings like 'your invoices from Home Quarantine inc' in the code.
Not a bad thing per se, getting the app out the door asap was definitely a priority in that project for understandable reasons, but funny nonetheless.
I think its cost over $5mm at this point, and the website doesn't exist. Oh, the company that built the site is owned by, I think the spouse of a council member, or something of that ilk.
Has the Hatch Act ever been enforced? Every administration in the last 20+ years have had people violate it but as far as I can tell nobody has been found guilty.
But snark aside, the next elections will be decided around damage control. Yes, the old school dems are pretty spineless (corrupt) but i guess even they feel the temptation of revenge and taking out political opponents for good. I really hope the new generation of democrats succeeds and breaks the corruption ties.
Thank you for understanding. I'm pointing things like Obama "looking forward not backward" and not punishing Bush, Cheney, Ashcroft, Condi, etc for war crimes and illegal warmongering which leads directly to today's current illegal Iran invasion.
We will need actual punishments for everyone who illegally defunded (or funded) programs, got us into the Iran invasion, embezzled and lined their pockets with corruption etc etc etc.
> Hatch Act won't be enforced until the next administration and next DOJ.
How did that last administration's dwelling on persecuting the one before it turn out?
While I don't like the current one and certainly agree that some of its actions are totally unethical, once it's over can we just move on and look forward, not back?
The only possible way this country has a future is if crime is actually punished. If the members of this current administration who committed criminal acts do not actually suffer the consequences then what is to stop the next one?
Without consequences for illegal behaviour, there's no incentive for bad actors to not continue acting bad. This, in no small part, explains why we are where we are today - a misplaced attempt to 'move forward' by ignoring illegal actions.
Without holding those who do wrong to account, positive movement will always be dogged or straight-up negated by those who do wrong without facing justice.
That'll only work here if there are reforms to the pardon power while we're at it. Any convictions a Democratic administration manages to obtain will be pardoned the next time a Republican gets in.
What do you mean by dodgy meds? These are just the normal meds you can get at any pharmacy. They also aren't even peddling them. They just link to pharmacies or provide discount codes.
You’ll sell it if you sell your company (as per your privacy policy).[1]
We may disclose or transfer your personal information in connection with, or during negotiations of, any acquisition of our business, financing or similar transaction.
If you wouldn’t sell it, period, then I’d suggest amending your privacy policy to include irrevocable deletion of customer data at the point your company is sold to a buyer.
Great question, however the important point here is that the company makes the claim they will not sell user data. "Period." So the company implies that if they are sold they will be sold with no user data
I believe the problem is not doing this, but the text in the policy is misleading, since users would believe their data would never be shared with anyone outside of the company itself _unconditionally_, which is not true (if only by technicality), the data can be sold as part of the company.
The onesignal domain is on the IPFire Domain Blocklist
Found 1 list exactly matching 'onesignal.com':
- https://dbl.ipfire.org/lists/ads/domains.txt
block list
added: 2026-02-13 15:00:20
last modified: 2026-02-13 15:00:20
last updated: 2026-03-29 04:02:16 (126.625 domains)
enabled, used in 1 group
comment: "IPFire Advertising"
matching entries:
- onesignal.com
Scrolling is extremely poorly behaved on that page for me too, Firefox 149 Windows 10. Which is quite ironic coming from an article that mainly criticizes the web dev aspects of the app!
The argument regarding no certificate pinning seems to miss that just because I might be on a network that MITM's TLS traffic doesn't mean my device trusts the random CA used by the proxy. I'd just get a TLS error, right?
Not if someone can issue the certificate signed by the CA your phone trust.
Imagine being in a cafe nearby, say, embassy of the certain north African country known for pervasive and wide espionage actions, which decides to hijack traffic in this cafe.
Or imagine living in the country where almost all of the cabinet is literally (officially) being paid by the propaganda/lobbying body of such country.
Or living int he country where lawful surveillance can happen without the jury signoff, but at a while of any police officer.
> Imagine being in a cafe nearby, say, embassy of the certain north African country known for pervasive and wide espionage actions, which decides to hijack traffic in this cafe.
How would they get your phone to trust their CA? Connecting to a Wi-Fi network doesn’t change which CAs a device trusts.
Because there is a quadrillion trusted CAs in every device you might use. A good chunk of these CAs have been compromised at one point or another, and rogue certificates are sold in the dark market. Also any goverment can coerce a domiciled CA to issue certs for their needs.
All modern browsers require certificates to be published in the certificate transparency logs in order to be considered valid.
These are monitored, things do get noticed[0], and things like this can and have lead to CAs being distrusted.
It's not foolproof, and it's reactive rather than proactive... but in general, this is unlikely to be happening on major sites or at any significant scale.
I'd wholeheartedly recommend people taking some time and reading through the CA Compliance issues on Bugzilla. The entire CA program there, in my opinion, does a fantastic and largely thankless job of keeping this whole thing on the rails. It's one of the few things I can say I had _more_ trust in the more I looked into it.
China telecom regularly has BGP announcements that conflict with level3's ASNs.
Just as a hint in case you want to dig more into the topic, RIR data is publicly available, so you can verify yourself who the offenders are.
Also check out the Geedge leaked source code, which also implements TLS overrides and inspection on a country scale. A lot of countries are customers of Geedge's tech stack, especially in the Middle East.
Just sayin' it's more common than you're willing to acknowledge.
Well yes, CAs and the ICANN model of DNS are intertwined and fundamentally broken in multiple ways. However the system as a whole is largely "good enough" as can be seen from its broad success under highly adversarial conditions in the real world.
This is stopped by certificate transparency logs. Your software should refuse to accept a certificate which hasn’t been logged in the transparency logs, and if a rogue CA issues a fraudulent certificate, it will be detected.
A bit skeptical of how this article is written as it seems to be mostly written by AI. Out of curiosity, I downloaded the app and it doesn't request location permissions anywhere, despite the claims in the article.
I've noticed Claude Code is happy to decompile APKs for you but isn't very good at doing reachability analysis or figuring out complex control flows. It will treat completely dead code as important as a commonly invoked function.
An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
So at least it does something actually beneficial for the user! I wish it could go even further, the way Reader Mode in a browser would go.
> That's a personal GitHub Pages site. If the lonelycpp GitHub account gets compromised, whoever controls it can serve arbitrary HTML and JavaScript to every user of this app, executing inside the WebView context.
I was promised a meritocracy and non stop winning. When do those begin?
> The official White House Android app has a cookie/paywall bypass injector, tracks your GPS every 4.5 minutes (9.5m when in background), and loads JavaScript from some guy's GitHub Pages (“lonelycpp” is acct, loads iframe viewer page).
Doesn’t seem too crazy for a generic react native app but of course coming from the official US government, it’s pretty wide open to supply chain attacks. Oh and no one should be continually giving the government their location. Pretty crazy that the official government is injecting JavaScript into web views to override the cookie banners and consent forms - it is often part of providing legal consent to the website TOS. But legal consent is not their strong suit I guess.
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
Giving people a taste of web with Ublock Origin annoyance filters applied, refreshing. Can’t believe orange man regime is doing one thing right.
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
Rare Trump administration W. I'm assuming there's one particular website they open in the app that shows a cookie popup, and this was a dev's heavy-handed way of making that go away.
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
I wouldn't run a non-free government app on my phone, but this seems a positive. It's basically what uBlock does.
"An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls."
In their defense, this is the first thing the Trump admin has done that's unambiguously positive for ordinary people.
259 comments
What are your taxes paying for?
https://en.wikipedia.org/wiki/United_States_Digital_Service
edit: oh wait, thats https://ndstudio.gov/
Cross referencing these different things in the article to other apps that exist was my first thought as these seem pretty generic and probably reused from somewhere else.
They likely did a search-and-replace on the brand name, so you had strings like 'your invoices from Home Quarantine inc' in the code.
Not a bad thing per se, getting the app out the door asap was definitely a priority in that project for understandable reasons, but funny nonetheless.
I think its cost over $5mm at this point, and the website doesn't exist. Oh, the company that built the site is owned by, I think the spouse of a council member, or something of that ilk.
Edit: 2.2mm, initial bid of 300k.
But snark aside, the next elections will be decided around damage control. Yes, the old school dems are pretty spineless (corrupt) but i guess even they feel the temptation of revenge and taking out political opponents for good. I really hope the new generation of democrats succeeds and breaks the corruption ties.
We will need actual punishments for everyone who illegally defunded (or funded) programs, got us into the Iran invasion, embezzled and lined their pockets with corruption etc etc etc.
> Hatch Act won't be enforced until the next administration and next DOJ.
How did that last administration's dwelling on persecuting the one before it turn out?
While I don't like the current one and certainly agree that some of its actions are totally unethical, once it's over can we just move on and look forward, not back?
Without consequences for illegal behaviour, there's no incentive for bad actors to not continue acting bad. This, in no small part, explains why we are where we are today - a misplaced attempt to 'move forward' by ignoring illegal actions.
More than prosecution we need politicians elected who are willing to reform. Even if those reforms reduce their power as well
Prosecute, and get rid of the loopholes that made it necessary to do so.
> How did that last administration's dwelling on persecuting the one before it turn out?
They were way too slow about it.
I hope the next one is faster.
For those concerned or curious about location data collection, we wrote an explanation of how it works: https://onesignal.com/blog/youre-in-control-how-location-act...
You’ll sell it if you sell your company (as per your privacy policy).[1]
We may disclose or transfer your personal information in connection with, or during negotiations of, any acquisition of our business, financing or similar transaction.
If you wouldn’t sell it, period, then I’d suggest amending your privacy policy to include irrevocable deletion of customer data at the point your company is sold to a buyer.
[1] https://onesignal.com/privacy_policy
Found 1 list exactly matching 'onesignal.com':
Firefox 148.0.2 (Build #2016148295), 15542f265e9eb232f80e52c0966300225d0b1cb7 GV: 148.0.2-20260309125808 AS: 148.0.1 OS: Android 14
> chrome on a thinkpad
This is akin to saying "browser on a computer". Need to be more specific.
Imagine being in a cafe nearby, say, embassy of the certain north African country known for pervasive and wide espionage actions, which decides to hijack traffic in this cafe.
Or imagine living in the country where almost all of the cabinet is literally (officially) being paid by the propaganda/lobbying body of such country.
Or living int he country where lawful surveillance can happen without the jury signoff, but at a while of any police officer.
Maybe its not common but frequent enough.
> Imagine being in a cafe nearby, say, embassy of the certain north African country known for pervasive and wide espionage actions, which decides to hijack traffic in this cafe.
How would they get your phone to trust their CA? Connecting to a Wi-Fi network doesn’t change which CAs a device trusts.
https://www.eff.org/deeplinks/2011/08/iranian-man-middle-att...
https://support.apple.com/en-us/126047
The chances of zero of these CAs having been compromised by state-level actors seems… slim.
Do you trust "Hongkong Post Root CA 3" not to fuck with things?
Your link's from 2011; the US government was still in the trusted list until 2018. https://www.idmanagement.gov/implement/announcements/04_appl...
These are monitored, things do get noticed[0], and things like this can and have lead to CAs being distrusted.
It's not foolproof, and it's reactive rather than proactive... but in general, this is unlikely to be happening on major sites or at any significant scale.
I'd wholeheartedly recommend people taking some time and reading through the CA Compliance issues on Bugzilla. The entire CA program there, in my opinion, does a fantastic and largely thankless job of keeping this whole thing on the rails. It's one of the few things I can say I had _more_ trust in the more I looked into it.
[0]: https://bugzilla.mozilla.org/show_bug.cgi?id=1934361
> It's not foolproof, and it's reactive rather than proactive…
This just means you keep your powder dry until it's needed.
> That is a wild claim
China telecom regularly has BGP announcements that conflict with level3's ASNs.
Just as a hint in case you want to dig more into the topic, RIR data is publicly available, so you can verify yourself who the offenders are.
Also check out the Geedge leaked source code, which also implements TLS overrides and inspection on a country scale. A lot of countries are customers of Geedge's tech stack, especially in the Middle East.
Just sayin' it's more common than you're willing to acknowledge.
https (specifically the CA chain of trust) is imperfect, and can be compromised by well-placed parties.
I've noticed Claude Code is happy to decompile APKs for you but isn't very good at doing reachability analysis or figuring out complex control flows. It will treat completely dead code as important as a commonly invoked function.
Reader mode was the only thing that made it readable.
>
An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.So at least it does something actually beneficial for the user! I wish it could go even further, the way Reader Mode in a browser would go.
> That's a personal GitHub Pages site. If the lonelycpp GitHub account gets compromised, whoever controls it can serve arbitrary HTML and JavaScript to every user of this app, executing inside the WebView context.
I was promised a meritocracy and non stop winning. When do those begin?
> The official White House Android app has a cookie/paywall bypass injector, tracks your GPS every 4.5 minutes (9.5m when in background), and loads JavaScript from some guy's GitHub Pages (“lonelycpp” is acct, loads iframe viewer page).
Doesn’t seem too crazy for a generic react native app but of course coming from the official US government, it’s pretty wide open to supply chain attacks. Oh and no one should be continually giving the government their location. Pretty crazy that the official government is injecting JavaScript into web views to override the cookie banners and consent forms - it is often part of providing legal consent to the website TOS. But legal consent is not their strong suit I guess.
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
Giving people a taste of web with Ublock Origin annoyance filters applied, refreshing. Can’t believe orange man regime is doing one thing right.
And the location… well, if one day they need you, they’ll sure be glad they know your each steps and current location .
It’s not a bug, it’s a feature.
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
Rare Trump administration W. I'm assuming there's one particular website they open in the app that shows a cookie popup, and this was a dev's heavy-handed way of making that go away.
> An official United States government app is injecting CSS and JavaScript into third-party websites to strip away their cookie consent dialogs, GDPR banners, login gates, and paywalls.
I wouldn't run a non-free government app on my phone, but this seems a positive. It's basically what uBlock does.
In their defense, this is the first thing the Trump admin has done that's unambiguously positive for ordinary people.