I've noticed Claude Code is happy to decompile APKs for you but isn't very good at doing reachability analysis or figuring out complex control flows. It will treat completely dead code as important as a commonly invoked function.
I'd verify all this stuff for myself, but Play won't install it on my phone so I can't really get the APK. Maybe because I use Graphene...? But I don't know all the ways they can restrict it; maybe it's something else (though for a Pixel 9a it's rather strange if it's hardware based).
--- EDIT ---
To be specific / add what I can check, this is what my Play Store "about -> permissions" is showing:
Version 47.0.1 may request access to
Other:
run at startup
Google Play license check
view network connections
prevent phone from sleeping
show notifications
com.google.android.c2dm.permission.RECEIVE
control vibration
have full network access
which appears fairly normal, and does not include location, and I think Play includes runtime location requests there. Maybe there's a version rollout happening, or device-type targeting?

The article does not claim the app requests the location. It claims it can do it with a single JS call.
So can ... any other code anywhere on a mobile device? That is how APIs work...
Is there something in particular that made you conclude that or are you going just with how it felt?
For what it's worth, it didn't seem to me.
from the iphone app store: version 47.0.1 - minor bug fixes - 34 minutes ago
while the parent posted 18 minutes ago
they may have patched the location stuff as part of the “minor bug fixes”?
No location permission request prompting encountered. In system settings, where each app requesting location data is listed, it isn't present either.
So it could come across a manifest that includes location permissions and some code that would (if enabled) send location, but it might do a bad job properly tracing
Ad-HomineLLM is a logical fallacy IMO and adds little value. I would hope eventually HN and other sites add this to the guidelines similar to other claims like vote manipulation etc.
HN doesn’t have guidelines against anti-LLM rhetoric, but it does for LLM-generated comments.
> Don't post generated comments or AI-edited comments. HN is for conversation between humans.
What are your taxes paying for?
edit: oh wait, thats https://ndstudio.gov/
Cross referencing these different things in the article to other apps that exist was my first thought as these seem pretty generic and probably reused from somewhere else.
They likely did a search-and-replace on the brand name, so you had strings like 'your invoices from Home Quarantine inc' in the code.
Not a bad thing per se, getting the app out the door asap was definitely a priority in that project for understandable reasons, but funny nonetheless.
I think it's cost over $5mm at this point, and the website doesn't exist. Oh, the company that built the site is owned by, I think, the spouse of a council member, or something of that ilk.
Edit: 2.2mm, initial bid of 300k.
"Visit TrumpRx.gov"
Holy crap, the grift never ends! Is he even allowed to do that, use a .gov address to peddle dodgy meds?

Did you find something malicious in the random GitHub repo? If so, you should write an article about that instead.
There are several corpo open source AI apps that have RCE built in.
To cut a long story short, they pull their config from the developer's server on startup. That config has user-level permissions, giving RCE.
Some have no RCE but get remotely executed exfiltration of all the prompts. The app pulls its PostHog config on startup and can just take all the keyboard inputs.
Submit a disclosure and they do nothing or accuse you of 'AI slop reports' despite being vibe coded themselves.
Imagine they're downloading a project directly from your GitHub account. Even if you're not doing anything malicious and have no intention of doing anything malicious even after you've been aware of this, now all of a sudden your GitHub account / email is a huge target for anyone that wants to do something malicious.
I'm well aware of supply chain attacks. But this isn't a supply chain attack. If it were, the article would be way more interesting.
The supply chain attack articles are interesting exactly because this is so common. So what's special here other than it being loosely related to a disliked political figure? HN isn't supposed to be an especially political website.
"A common app is doing the same thing that basically every other app is doing."
Is that a good headline? No. And this isn't a good article.
The DoD has been hacked countless times, by children even. I wouldn't doubt if we decompiled most government apps we'd find this same vector in many of them.
It seems like this vector is only recently a hot topic. And decades of doing things wrong won't be patched and habits broken in short time. It will take a few years to get the majority of it, and decades after that to get the next majority, and so on.
This is bad for security.
Firefox 148.0.2 (Build #2016148295), 15542f265e9eb232f80e52c0966300225d0b1cb7 GV: 148.0.2-20260309125808 AS: 148.0.1 OS: Android 14
This is akin to saying "browser on a computer". Need to be more specific.
Imagine being in a cafe nearby, say, embassy of the certain north African country known for pervasive and wide espionage actions, which decides to hijack traffic in this cafe.
Or imagine living in the country where almost all of the cabinet is literally (officially) being paid by the propaganda/lobbying body of such country.
Or living in the country where lawful surveillance can happen without the jury signoff, but at a whim of any police officer.
Maybe it's not common but frequent enough.
How would they get your phone to trust their CA? Connecting to a Wi-Fi network doesn’t change which CAs a device trusts.
For those concerned or curious about location data collection, we wrote an explanation of how it works: https://onesignal.com/blog/youre-in-control-how-location-act...
You’ll sell it if you sell your company (as per your privacy policy).[1]
We may disclose or transfer your personal information in connection with, or during negotiations of, any acquisition of our business, financing or similar transaction.
If you wouldn’t sell it, period, then I’d suggest amending your privacy policy to include irrevocable deletion of customer data at the point your company is sold to a buyer.
Found 1 list exactly matching 'onesignal.com':
- https://dbl.ipfire.org/lists/ads/domains.txt
block list
added: 2026-02-13 15:00:20
last modified: 2026-02-13 15:00:20
last updated: 2026-03-29 04:02:16 (126.625 domains)
enabled, used in 1 group
comment: "IPFire Advertising"
matching entries:
- onesignal.com

In their defense, this is the first thing the Trump admin has done that's unambiguously positive for ordinary people.
I'd love it somehow taken out of it and made available for the general public. Custom uBlock / Adblock filters will probably be the easiest.
Let me know when this can ignore malware/adware from US companies then I'll give accolades.
I am sure if you decompile other apps used by hundreds of thousands of people, you would find all sorts of tracking in there.
Thanks for helping the White House improve their app security for free though.
You'd be surprised how many apps inside have hacks and workarounds because deadlines.
You load arbitrary JS from a random GitHub user's NPM package. What's the difference?
Doesn’t seem too crazy for a generic react native app but of course coming from the official US government, it’s pretty wide open to supply chain attacks. Oh and no one should be continually giving the government their location. Pretty crazy that the official government is injecting JavaScript into web views to override the cookie banners and consent forms - it is often part of providing legal consent to the website TOS. But legal consent is not their strong suit I guess.
I wouldn't run a non-free government app on my phone, but this seems a positive. It's basically what uBlock does.
Reader mode was the only thing that made it readable.
So at least it does something actually beneficial for the user! I wish it could go even further, the way Reader Mode in a browser would go.
To mix the metaphors further, they (the politicians and their supporters) fancy themselves the kind to dream of things that never were and ask why not. Why not have a war in Iran? You won't know until you give it a try.
I was promised a meritocracy and non stop winning. When do those begin?
Giving people a taste of the web with uBlock Origin annoyance filters applied, refreshing. Can't believe the orange man regime is doing one thing right.
And the location... well, if one day they need you, they'll sure be glad they know your every step and current location.
It’s not a bug, it’s a feature.
Rare Trump administration W. I'm assuming there's one particular website they open in the app that shows a cookie popup, and this was a dev's heavy-handed way of making that go away.