'Apple Lays Groundwork for Ads in Maps on iOS 26.5'

Juli Clover, MacRumors:

Businesses in the U.S. and Canada will be able to show ads in search results and at the top of a “Suggested Places” section in the app, which is new in iOS 26.5. Suggested Places displays recommendations for locations to visit based on trending places nearby, recent searches, and more.

Ads in the Maps app will have a clear “Ad” label, much like the ads shown in the App Store search results.

I have no issue with ads in Maps. I would also have no issue if Apple brought back iAd, presumably as Apple Ads, for third-party apps. I would drop AdMob pretty quickly if Apple Ads proved competitive with AdMob.

'Security Analysis of the Official White House iOS App'

This is an interesting, if occasionally alarmist, security analysis from atomic.computer of the White House’s new flagship application.

The major findings:

Finding 1: A Russian-Origin Company Executes Live JavaScript Inside the App (Six Times)
Finding 2: GPS Tracking With No Feature Justification
Finding 3: The Privacy Manifest Is Provably False
Finding 4: OneSignal Can Remotely Toggle Location Tracking and Privacy Consent
Finding 5: The App Strips Privacy Consent Banners
Finding 6: Minimal Security Hardening
Finding 7: Dormant Over-the-Air Code Push
Finding 8: Full Behavioral Intelligence Pipeline

Finding 1 is an absolute embarrassment. Shoddy workmanship of the highest order.

Finding 2 has an important caveat:

Whether this code path is actively enabled at runtime would require network traffic analysis, but the capability is compiled into the app and the always-on location permission is requested.

You shouldn’t be surprised to know that I’m not going to install the app to find out if a location permission prompt is actually presented. So I’ll generously give the benefit of the doubt.

Finding 3 is either a manifest lie or an egregious oversight from the developers. Regardless, how it got through App Review is what puzzles me. There are SDKs in the White House app that require a manifest. It’s astounding to me that Singapore Buses has a more robust Privacy Manifest simply by declaring the use of UserDefaults.
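To make the Privacy Manifest point concrete, here is an added example (not from the atomic.computer analysis or from either app): a small Python audit that reads a `PrivacyInfo.xcprivacy` plist and reports which capabilities an auditor observed but the manifest does not declare. Both manifests are constructed samples, and the function names and the "observed" sets are assumptions supplied by whoever runs the audit.

```python
import plistlib

# Constructed sample manifests (not taken from any real app).
EMPTY_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPrivacyTracking</key><false/>
  <key>NSPrivacyCollectedDataTypes</key><array/>
  <key>NSPrivacyAccessedAPITypes</key><array/>
</dict></plist>"""

USERDEFAULTS_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPrivacyTracking</key><false/>
  <key>NSPrivacyCollectedDataTypes</key><array/>
  <key>NSPrivacyAccessedAPITypes</key><array><dict>
    <key>NSPrivacyAccessedAPIType</key>
    <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
    <key>NSPrivacyAccessedAPITypeReasons</key>
    <array><string>CA92.1</string></array>
  </dict></array>
</dict></plist>"""


def summarize_manifest(raw: bytes) -> dict:
    """Return what a privacy manifest actually declares."""
    m = plistlib.loads(raw)
    apis = {}
    for entry in m.get("NSPrivacyAccessedAPITypes", []):
        name = entry.get("NSPrivacyAccessedAPIType", "?")
        apis[name] = entry.get("NSPrivacyAccessedAPITypeReasons", [])
    return {
        "tracking": bool(m.get("NSPrivacyTracking", False)),
        "tracking_domains": m.get("NSPrivacyTrackingDomains", []),
        "collected": [d.get("NSPrivacyCollectedDataType", "?")
                      for d in m.get("NSPrivacyCollectedDataTypes", [])],
        "accessed_apis": apis,
    }


def undeclared(raw: bytes, observed_apis: set, observed_data: set) -> dict:
    """Diff the declarations against capabilities the auditor found by
    other means (e.g. static analysis); observed_* are auditor input."""
    s = summarize_manifest(raw)
    return {
        "apis": sorted(observed_apis - set(s["accessed_apis"])),
        "data": sorted(observed_data - set(s["collected"])),
    }
```

A non-empty result from `undeclared` means the manifest says less than the binary does, which is the kind of gap Finding 3 describes.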

Finding 4 is technically misleading:

These are standard OneSignal SDK features, but the implication is significant: OneSignal’s servers can remotely enable or disable GPS tracking and change whether privacy consent is required, all without an app update, without Apple review, without the user knowing. It’s a light switch for location tracking, and it’s not in the White House’s hands.

OneSignal, published yesterday:

For location to be active in any app using our platform, two separate things must happen, both of which are outside of OneSignal’s control:

  1. The developer must explicitly enable it. […]

  2. The user must grant permission at the operating system level. […]

Finding 5 is unforgivable. (Ironically, it probably makes websites easier to use as I’m quite sick of the cookie consent banners.)

I’ve recently spent a lot of time working on many of the security control issues listed in Finding 6 for Gobbler. Again, it’s not surprising that the White House app ships with such a lax security posture.

Finding 7 isn’t much of a finding. Something exists but isn’t turned on.

Finding 8 isn’t much of a finding, either. This is just what OneSignal does.

My problem with this app is one of trust. And, to be clear, that problem of trust lies with Apple. They have a web of guidelines that should have prevented this app from ever being released. They’ve pitched their brand on user privacy and routinely bust smaller developers for not having just the right entry in their Privacy Manifest.

And yet, here we are, with a White House app that doesn’t declare anything with regard to its data capture practices.

To whom and when do App Review Guidelines apply?

Apple Discontinues the Mac Pro

Chance Miller, 9to5Mac:

It’s the end of an era: Apple has confirmed to 9to5Mac that the Mac Pro is being discontinued. It has been removed from Apple’s website as of Thursday afternoon. The “buy” page on Apple’s website for the Mac Pro now redirects to the Mac’s homepage, where all references have been removed.

I never saw anyone buy one. I’ve never met anyone that owned one. I’ve never been less surprised by a decision.