This is a pretty standard decomplation of an Android app.
I am sure if you decompile other apps used by hundreds of thousands of people, you would find all sorts of tracking in there.
Thanks for helping the White House improve their app security for free though.
Even in the apps I've worked on, you won't find us loading arbitrary JS from a random GitHub user's account.
> Even in the apps I've worked on, you won't find us loading arbitrary JS from a random GitHub user's account.
You'd be surprised how many apps inside have hacks and workarounds because deadlines.
Let's see if anyone can give an example of such a high profile app doing something similar.
I've worked on a three letter sports orgs (one of NFL, NBA, NHL, etc) Android app.
I always joke that we could probably tell you what color and type your underwear is on any random day with how much data is siphoned off your phone.
As for loading random JS, yeah also seen that done that before. "Partner A wants to integrate their SDK in our webviews." -> "Partner A" SDK is just loading a JS chunk in that can do whatever they want in webviews, including load more files.
Don't get me started on the sports betting SDKs...
Though we do have a Security team constantly scanning SDKs and the endpoints for changes in situations like this.
> As for loading random JS, yeah also seen that done that before.
Partner A is not random JS. The assumption there is 1) you have some official signed agreement with them and 2) you've done your due diligence to ensure you can use them in this way.
It's not just some person's GH repo who can freely change that file to whatever they want.
Hotlinking is as old as the internet, and a well-worn security threat.