this post was submitted on 28 Mar 2026
514 points (98.5% liked)

Technology

83150 readers
3576 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
514
I Decompiled the White House's New App— The app has a cookie/paywall bypass injector, tracks your GPS every 4.5 minutes, and loads JavaScript from some guy's GitHub Pages. (blog.thereallo.dev)
submitted 1 day ago* (last edited 8 hours ago) by Beep@lemmus.org to c/technology@lemmy.world
60 comments fedilink hide all child comments
 

Social Media

What Is This App?

It's a React Native app built with Expo (SDK 54), running on the Hermes JavaScript engine. The backend is WordPress with a custom REST API. The app was built by an entity called "forty-five-press" according to the Expo config.

top 50 comments
sorted by: hot top controversial new old
[–] Fmstrat@lemmy.world 7 points 5 hours ago (1 children)

The app uses standard Android TrustManager for SSL with no custom certificate pinning. If you're on a network with a compromised CA (corporate proxies, public wifi with MITM, etc.), traffic between the app and its backends can be intercepted and read.

That doesn't seem right. You would still need the compromised CA cert to be installed on your device. This isn't going to be a problem when connecting to a public Wifi.

The rest of the article is bonkers, though. Classic corporate data-grab app, and then some.

[–] prenatal_confusion@feddit.org 3 points 5 hours ago

Ten years ago when businesses really needed to offer wifi (train for example) they thought "hey we would like to have something in return!". I got offered a new ca a couple of times in the captive portal.

Yeah, not best practice but not unheard of.

[–] fiat_lux@lemmy.world 43 points 12 hours ago* (last edited 11 hours ago) (1 children)

I fell down a wild rabbit hole.

  • Dev Forty Five LLC was created 2 weeks ago and lists Ty Nielson as the registered agent
  • Ty Nielson is listed and at some point was described on LinkedIn as the Head of Engineering at Gemini (not the Google product) with location in St George, UT. Gemini lists an office in Ogden, UT on linkedin.
  • His employment history says he started as a software engineer, but he may not be the head of engineering. I'm unsure if he lives in Utah at all. He did ask how to do authentication in a React Native app properly in stack overflow 7 months ago. Not a great sign.
  • Gemini is a product of Blue Rocket, inc. and the primary address for both companies is listed as a thinkspace in Redmond, WA.
  • Blue Rocket Inc. also has an office in Ogden Utah and one in West Palm Beach, Florida according to its linkedin - but withdrew their business registration in FL years ago
  • A previous (?) head of product for Gemini and/or Blue Rocket is/was Ryan Petty, who was part of a Federal Commission on School Safety roundtable at the White House with Trump, and DeSantis made him the Chair of the Florida State Board of Education
  • Jason Kap owns Blue Rocket inc. and was put on the board of Claritev last year, which is now a defendant in an antitrust lawsuit for conspiring with major health insurers to fix prices. The DoJ is currently siding against Claritev
  • Jason Kap used to work at Microsoft, MS is also in Redmond WA.
  • Kap may live or still have properties in Redmond WA, Belmont MA, Ogden Utah, and possibly others - through shell companies technically owned by his family, such as Player 85 LLC, for which he is an authorised agent
  • Kap may have been an LDS bishop in Redmond during a case where the LDS leadership was accused of covering up child molestation by a former Microsoft employee, Buckland Darrell, who was sentenced again a few weeks ago
  • According to floodlit there were victims in both Hartman Park Ward, Redmond and Sammamish Valley Washington.
  • The registered agent listed for Blue Rocket and Gemini in WA is Kap's wife, with a Redmond WA address matching the charity "Sammamish Trails Youth".

I don't think I'll continue on. There's clearly a lot going on here and it is not looking good. Edit: I lied. But this is the end for me:

  • Ryan Petty is currently the Chief Product Officer at XSponse
  • Xsponse "is a comprehensive AI security ecosystem committed to enhancing detection, alerting, and mass notification." It lists a Florida virtual office as it address but it's registered in Delaware via Corporation Service Company.
  • Corporation Service Company, specialises in being a DE address for companies to claim DE tax residency, and as separate services will act as an ICANN registrar, manage and deploy TLDs and do monitoring and enforcement as "brand protection". Amongst many other things they do.

Not good.

[–] webkitten@piefed.social 7 points 11 hours ago (1 children)

Which begs the question of if the Trump admin will give up the app and allow it to be archived, considering it's using the gov.whitehouse.app app id or if they'll keep it and pretend to be the White House (in which case will Apple and Google step in and pull it from App Stores).

[–] fiat_lux@lemmy.world 2 points 11 hours ago* (last edited 11 hours ago)

Just updated the post. If Petty and Xsponse are involved, and they use CSC, I don't think they care about the appid issue because it's possible they control the entire internet infrastructure stack anyway. But that's only an if.

[–] Michal@programming.dev 4 points 7 hours ago (1 children)

The user tracking is dodgy, yes but i can see it happening in any business where developers are clueless yes men.

As for pay wall countermesures I can see how some person in Trump org not being happy about the links in the app being pay walled and asked the dev to remove the popups which they did without question.

[–] W3dd1e@lemmy.zip 2 points 5 hours ago

developers are clueless yes men

The app is made by an entity called “forty-five-press” and the version number is 47.0.1.

[–] RememberTheApollo_@lemmy.world 19 points 17 hours ago

Just 3 down from this post in my feed.

[–] Maeve@kbin.earth 139 points 1 day ago (2 children)

It's good information about how bad the app really is. People should not dismiss the information because of the crappy website complaints.

[–] SnotFlickerman@lemmy.blahaj.zone 27 points 1 day ago (3 children)

It seems like it's only crappy on mobile, no isues on desktop here.

[–] thisbenzingring@lemmy.today 18 points 1 day ago (1 children)

same, worked fine in Firefox on linux, with no-script and uBlock

[–] LadyMeow@lemmy.blahaj.zone 23 points 1 day ago (3 children)

Omg, another person who’s crazy enough to run noscript still, I thought I was the only one.

[–] pentastarm@piefed.ca 23 points 1 day ago

I run no script on both Firefox desktop and mobile. I'd much rather have to approve things to run, than have them run by default.

[–] chaogomu@lemmy.world 19 points 1 day ago (1 children)

What's wrong with no-script? I've been running it for years. It's a lifesaver.

[–] tal@lemmy.today 12 points 23 hours ago* (last edited 23 hours ago)

If one has it set to default-deny Javascript, a lot of websites don't work, because many web developers don't develop websites that work without Javascript today.

Historically, websites did a better job of falling back.

[–] orclev@lemmy.world 12 points 1 day ago

There's dozens of us. Works great on mobile with NoScript, although the source code snippets don't load. Since the article describes what they do anyway it's still readable without them, and the excellent performance is worth leaving JS blocked.

[–] hogmomma@lemmy.world 11 points 1 day ago

I'm on my Pixel 9a and had zero problems with scrolling.

[–] jungle@lemmy.world 9 points 1 day ago

It works perfectly on mobile (Pixel 7) for me.

[–] mr_anny@sopuli.xyz 6 points 21 hours ago (1 children)

It's really hard not to dismiss when having a seizure for just trying to read it.

I really wanted to read.

[–] Maeve@kbin.earth 10 points 21 hours ago (1 children)

What happened? Apparently my crappy browser handled something for me.

[–] mr_anny@sopuli.xyz 7 points 21 hours ago (4 children)

It's laggy as hell on my mobile phone. And it's not a bad/cheap model.

The site is basically whitevtext on black background and some colored code snips.

It should scroll smooth on 1980's Casio watch.

[–] ParlimentOfDoom@piefed.zip 1 points 5 hours ago (1 children)

It's displaying from me through my piefed app. Only weird bit was the trippy fold up of the title as you scrolled down but that happens once

[–] mr_anny@sopuli.xyz 1 points 5 hours ago

Yeah. As soon as the transparent title hit the top, it started to stutter. Like 2 fps.

I use Fennec on A54 (8Gb). It just does not seem right to be so laggy/stuttery as the content is merely text. How bad can the code rendering the content be?

I have never accomplished such a site.

And it really can't be due to device and browser. Many others on different setup have stated the same.

Visually similar site should run on moldy potato.

load more comments (3 replies)
[–] webkitten@piefed.social 46 points 23 hours ago (2 children)

Anyone have any idea who the devs are? According to the owner tag in the code, it's: https://devfortyfive.com/ but there's no information on the people behind it.

[–] fiat_lux@lemmy.world 21 points 20 hours ago (2 children)

Some guy in Utah, apparently. The company was registered on the 18th of March.
Screenshot of Utah Division of Corporations and Commercial Code Entity InformationFor DEV FORTY FIVE LLC

Via Utah Division of Corporations and Commercial Code Business Registration search which did not allow a direct link to individual results.

[–] SpeakerToLampposts@lemmy.world 17 points 19 hours ago* (last edited 19 hours ago) (2 children)

So according to that, the company's address (both physical and mailing) is 3739 E Sandstone Way, Washington, UT, 84780-1952.

(from https://maps.app.goo.gl/q48YJf3XndfY5Ges8)
...yeah, honestly that's about what I expected.

[–] ayyy@sh.itjust.works 3 points 5 hours ago

Lmao what even is that stupid-ass useless lawn.

[–] fiat_lux@lemmy.world 10 points 18 hours ago* (last edited 17 hours ago)

It's a rental. I'm wondering if it's not basically a front. The guy listed is a ~~22 year old~~ (edit: age is maybe not the same guy) "head of engineering" for a company owned/run by Blue Rocket Incorporated, which seems to typically be a parent company to a lot of places.

[–] NekoKoneko@lemmy.world 14 points 19 hours ago* (last edited 19 hours ago) (2 children)

So...to be clear, this was formed just prior to the release of the app, and almost certainly the app was being developed by this person/group before then.

Sure would be good to know what public funds were used to pay for this app (I assume too much), and whether there was a bidding process (I assume there wasn't), and whether this person is someone the decision-maker already had some relationship/connection to (I assume that was the case).

Because regardless of the public value of a tracking & propaganda window favoring one party (none), it would be completely shocking, just totally unheard of, if this was a corrupt overpayment and misuse of public funds to pay for substandard work to personal and political connections.

I mean, we didn't just see this happen with Noem or anything.

[–] Wispy2891@lemmy.world 7 points 18 hours ago

Or maybe it was vibe coded in one day

[–] daychilde@lemmy.world 3 points 19 hours ago

Judging by the fact that tabs in the app go to webpages… seems like not much was probably spent in developing it.

[–] SnotFlickerman@lemmy.blahaj.zone 32 points 22 hours ago (1 children)

Most transparent administration! /s

Yeah, having the real people behind it hidden is basically the norm for Trump admin.

[–] olympicyes@lemmy.world 4 points 18 hours ago

Probably an openclaw server attached to Don Jr’s bank account.

[–] mr_anny@sopuli.xyz 61 points 1 day ago (13 children)

I can't say anything about the content of this blog. It was horribly laggy to scroll on mobile device. And by horribly laggy, I mean like aunt's 1986 vacation slide show on a projector while having dry cookies and tasteless off brand earl grey.

I'm sorry if it sounds rude but I had to bring this on out in the open. What even runs under the hood on that blog..

[–] night_petal@piefed.social 2 points 10 hours ago

I had no issues, and I am on a cheap boomer phone that installs games without permission every so often.

[–] SnotFlickerman@lemmy.blahaj.zone 28 points 1 day ago (1 children)

It's a bit funny that it's completely at odds with how they describe their goals (emphasis mine):

I am thereallo, a web developer who makes things look pretty and work smoothly >w< been building stuff since 2020, mostly frontend but i can do fullstack too! i use react, next.js, and tailwind css because they just work, and motion for animations that don't feel plastic. i prototype in figma, steal components from shadcn/ui when i'm lazy, and deploy to vercel or cloudflare depending on the vibe~ i used to reverse engineer games (genshin leaks era lol) but now i just make websites that don't suck. i know typescript, python, go, and dabbled in rust and lua. my goal is making ui that feels human such as smooth feedback, clear buttons, keyboard accessible, no confusing bs. mobile first always! outside coding i listen to vocaloid and play project sekai, which definitely influences my color choices uwu. oh and i care way too much about bundle sizes and performance. currently learning native ios/android development. hmu on discord or github if u wanna chat! ♡

[–] dhork@lemmy.world 20 points 1 day ago* (last edited 1 day ago) (1 children)

I didn't have any problem on my Android phone

[–] nawa@lemmy.world 8 points 1 day ago

It wasn't horribly laggy on my Pixel but it definitely was less performant than a page like this should be.

[–] toiletobserver@lemmy.world 12 points 1 day ago

Holy shit, i thought i was gonna have a seizure first time i scrolled

[–] XLE@piefed.social 7 points 23 hours ago* (last edited 16 hours ago) (2 children)

Even if the effect didn't lag, there's almost no added benefit to it. The title is cut off, and the description is even worse.

If the author wanted to, they could have done something like this with no scripts, minimum effort, and probably zero lag.

(If OP's website chugged for you, I'm curious whether this demo is seamlessly smooth. It is for me.)

[–] sukhmel@programming.dev 2 points 10 hours ago

Strangely enough, for me both blog post an demo didn't lag, but the transparent sticky title did look bad

load more comments (1 replies)
[–] ThePantser@sh.itjust.works 9 points 1 day ago

Like its locked to 10fps

load more comments (7 replies)
[–] artyom@piefed.social 4 points 18 hours ago (1 children)

ELI5?

[–] KairuByte@lemmy.dbzer0.com 12 points 17 hours ago

Likely nothing illegal. Quite a bit of bad dev habits. Some concerning security fuck ups, including pulling in JavaScript from a server they don’t control. Injecting JavaScript to subvert cookie/gdpr/login/etc popups on third party sites.

Just generally bad things to do, especially in a government provided app.

[–] MonkderVierte@lemmy.zip 15 points 1 day ago* (last edited 1 day ago)

Btw, this site has no business doing (laggy) scrolling via JS on a fucking blog.
No JavaScript for you.

[–] nosuchanon@lemmy.world 8 points 1 day ago

AI vibe coded slop.

[–] Tharkys@lemmy.wtf 9 points 1 day ago

Pretty much exactly what I expected.

load more comments
view more: next ›