alt.hn

4/1/2026 at 1:58:45 AM

We intercepted the White House app's network traffic

 https://www.atomic.computer/blog/white-house-app-network-traffic-analysis/

by donutpepperoni

4/1/2026 at 4:00:47 AM

43% (of the 158 3rd-party requests) is... google. youtube, fonts, and analytics. 55% if you include facebook and twitter.

a government app shouldnt have crazy analytics and tracking and whatever. but i dont think loading google fonts or embedding youtube videos is really all that wild in the grand scheme of things.

given the title, i was half expecting some sort of egregious list with, like, palantir and some ICE domains or something. i dont like the app, but google? facebook? that is pretty boring.

the title probably should focus on nature/severity of the requests. titling it with a % of all requests feels bait-y if google/facebook/twitter isnt off in its own category. they have all sorts of dumb little requests to all sorts of domains that really inflate the numbers.

(as a note, atomic.computer also loads analytics and google fonts. which is whatever. but if they are going to imply 3rd-party requests are inherently bad just by nature of being 3rd-party, they may want to clean their own house a little bit.)

edit: original title at the time of my comment was "We intercepted the White House app's traffic. 77% of requests go to 3rd parties"

by john_strinlai

4/1/2026 at 6:30:34 AM

> given the title, i was half expecting some sort of egregious list with, like, palantir and some ICE domains or something. i dont like the app, but google? facebook? that is pretty boring.

Are ICE and Palantir forbidden from buying data from Google or Facebook?

This sounds like a smart way to own an app where you decide what you want to track and nobody is stopping you from getting the data you are phoning home. And you can launder it through normal tracking providers.

by fmbb

4/1/2026 at 4:59:55 PM

No but Google and Facebook generally do not sell data. They collect data and sell advertising spots based on this data. The data exfiltration to Google/Facebooks comes stock with a lot of mobile tooling. You can object to this arrangement but it is pretty common and often the easiest development path. As the parent points out the author of the post is engaged in the same practice so it is not exactly malicious or unusual.

by blululu

4/1/2026 at 5:28:19 PM

> No but Google and Facebook generally do not sell data.

There could always be quiet exceptions.

Weeks After Denouncing Government Censorship On Rogan, Zuckerberg Texted Elon Musk Offering To Take Down Content For DOGE [0]

0. https://www.techdirt.com/2026/03/31/weeks-after-denouncing-g...

by alsetmusic

4/1/2026 at 7:13:20 AM

If you read through the article, you'll see that the author focuses more on the OneSignal and Elfsight requests. The generic third party requests to Google, YouTube, etc. presumably were included for completeness + transparency and aren't meant to be some damning evidence against the White House app.

Though if your comment is solely based off of the previous title alone, then fair enough.

by nickvec

4/1/2026 at 4:51:13 AM

> given the title, i was half expecting some sort of egregious list with, like, palantir and some ICE domains or something. i dont like the app, but google? facebook? that is pretty boring.

Current government tries to steer the ship that is the US in the direction of an autocratic state as can be seen by most of their actions. But it's a huge ship and it takes time, no matter how hard you try (luckily).

by bulbar

4/1/2026 at 8:25:09 PM

"(as a note, atomic.computer also loads analytics and google fonts. which is whatever. but if they are going to imply 3rd-party requests are inherently bad just by nature of being 3rd-party, they may want to clean their own house a little bit.)"

Opinions may differ on this but mine is that this form of argument^1 is extremely weak and only strengthens the counter position, i.e., that third party requests are _in practice_ worth reporting on. As with any reported information, the readers of the reporting may draw their own conclusions and make value judgments about what is "good" or "bad"

1. The form of argument goes something like "X website is reporting on Y phenomenon, e.g., data collection, tracking, etc., using Z website as an example, but because X is also an example, X cannot or should not report on Y." The later is arguably "shooting the messenger"

https://en.wikipedia.org/wiki/Shooting_the_messenger

AFAICT this atomic.computer web page does not suggest third party requests are "inherently bad". That is a conclusion presented by the HN commenter. What the atomic.computer web page does is examine the use of third party requests as a means of data collection and tracking. The HN commenter then cites an imaginary opinion about third party requests being "inherently bad". For me, this suggests there may be something behind that idea. Perhaps the commenter has "insider" knowledge of some sort regarding data collection and tracking. It's like a leak from a guilty conscience

Generally, there is no way for a computer user to monitor and control how data is used once it is collected nor where it may or may not be transferred

As such, this is not question of "bad" versus "good" in any universal sense. That may be something that weighs on the minds of people connected to data collection and/or tracking practices. But every user is different. The issue for the user is control. The user cannot limit how the data is used or where it could be transferred, even he had some opinion about what uses were "good" and what uses if any were "bad"

What companies do with data collected from "apps" is within their control, not the user's. Generally the operators of "app" endpoints have no obligation to disclose (a) how the data collected is used, whether it is used to "improve the service", improve their own sales/revenue, improve someone else's sales, etc. or (b) where the data might be transferred, whether that transfer is voluntary or involuntary, e.g., data breach, mergers and acquisitions, bankruptcy, requests from law enforcement, etc.

by 1vuio0pswjnm7

4/1/2026 at 10:02:51 PM

did you really need to link me to a wikipedia page of "shooting the messenger"? are you aware of how condescending that appears?

>Perhaps the commenter has "insider" knowledge of some sort regarding data collection and tracking. It's like a leak from a guilty conscience

>That may be something that weighs on the minds of people connected to data collection and/or tracking practices

what are you even trying to say here? you seem to be trying really hard to call me something without actually calling me something.

anyways, my comment was not trying to convince you of anything or win any argument. believe what you want. i believe that this was a boring article, and the original title was clickbait. that is about it.

p.s. you might be the first person i have ever met that is unaware of the implicit negative connotation associated with "3rd-party requests". especially given the full context and the previous post by the blog author, i suspect you are being willfully ignorant here.

by john_strinlai

4/1/2026 at 4:34:21 AM

People will excuse anything when it suits them

by wavefunction

4/1/2026 at 4:38:16 AM

>People will excuse anything when it suits them

i am not sure what you are intending to imply. what suits me and how?

i called it boring. flip on a news channel, click any other link on the front page here, or look outside and you will find something more interesting than "app sends a lot of requests to google".

that doesnt mean i think it is good or that i am making an excuse. it means that it is boring. this site is supposed to "optimize for curiosity" or however dang phrases it.

by john_strinlai

4/1/2026 at 3:44:06 AM

> We installed mitmproxy on a Mac, configured an iPhone to route traffic through it, and installed the mitmproxy CA certificate on the device.

> All HTTPS traffic was decrypted and logged. No modifications were made to the traffic. The app was used as any normal user would use it.

Is it really that simple to inspect network traffic on an iPhone, namely to get it to trust the user-installed cert? I do quite a bit of network inspection on Android and I find it to be painful, even if the apps don't use certificate pinning.

Regardless, it highlights the importance of having control of our own devices, including the ability to easily inspect network traffic. We have the right to know where our data is being sent, and what data is being sent.

I recall during COVID it was discovered that Zoom was sending traffic to China. There was also the recent case of Facebook tracking private mobile browsing activity and sending it to their servers via the FB app. Imagine how much questionable traffic goes unnoticed due to the difficulty in configuring network inspection for apps.

by merek

4/1/2026 at 6:04:23 AM

> Is it really that simple to inspect network traffic on an iPhone, namely to get it to trust the user-installed cert?

iOS still trusts user-installed certs by default, unlike Android's opt-in model.

However, this only applies to apps using the OS TLS stack. Apps packaging their open openssl may use their own set of certificate authorities. Also, most big apps use certificate pinning for most of their domains.

Apps from Twitter or Facebook probably won't work due to pinning. Quick and dirty could-have-been-a-single-web-page apps, such as this one, usually won't bother with any of that, and neither do many tracking libraries.

Of course, malicious apps can detect when someone is using an altered certificate and choose not to send traffic until the MitM is over.

by jeroenhd

4/1/2026 at 3:47:39 AM

Yes, it is _a lot_ easier to set up mitmproxy on iOS vs Android. But once you encounter an app with certificate pinning, being on a more open platform that lets you install your own apps can help get around that.

by varun_ch

4/1/2026 at 3:46:55 AM

Installing the CA requires jumping through some hoops, but yes, intercepting traffic for apps that don’t use cert pinning isn’t that difficult on iOS.

Apps that do use cert pinning is a whole other matter, I’ve tried unsuccessfully a few times to inspect things like banking apps. Needs a rooted device at the minimum.

by cedws

4/1/2026 at 4:25:18 AM

So I assume the white house app doesn’t do cert pinning

Also looked into this a long time ago… could someone tell me how to do this with cert pinned apps ?

by funman7

4/1/2026 at 7:45:19 AM

In general you can't without patching the app itself, statically or at runtime using something like Frida.

by selcuka

4/1/2026 at 4:14:51 AM

Regardless, it highlights the importance of having control of our own devices, including the ability to easily inspect network traffic. We have the right to know where our data is being sent, and what data is being sent.

Meanwhile I've always found it amusing that there's a loud, probably corporate-owned/Big-Tech-brainwashed subset of the "security" crowd who complains about MITM proxies.

by userbinator

4/1/2026 at 4:26:36 AM

Are the MitM proxies the braindead ones that are hampering the evolution of SSL? Because those are terrible, no corporate shilling required.

by hn_go_brrrrr

4/1/2026 at 4:40:42 AM

> I recall during COVID it was discovered that Zoom was sending traffic to China.

Yes it was. Imagine, all those (lower) governments holding crisis meetings and sending the video and audio to China. What are the chances that all that stuff was recorded. Nice training data for some deepfakes.

by jacquesm

4/1/2026 at 3:57:30 AM

I filter the vast majority of adware such as doubleclick.net right at the DNS level. Not that I would use the app anyway...

It's shocking how many third party connections an average website opens. It's particularly true for news websites. Interestingly, atomic.computer also attempts to load Cloudflareinsights and some Google fonts, both of which are denied on my network. This is precisely the kind of requests that make it trivially possible for Google to follow people around the Internet, and the vast majority of webmasters are complicit of this.

by drnick1

4/1/2026 at 4:11:20 AM

Government apps should absolutely be held to a higher standard than consumer B2C apps. Loading Google Fonts is one thing — sending telemetry to OneSignal and Facebook from an official government app is a different conversation entirely.

In Australia, apps handling government data must comply with the PSPF (Protective Security Policy Framework) and the ISM, which explicitly restrict data flows to untrusted third parties. A government app routing 77% of requests externally would fail an IRAP assessment on day one.

The fix is straightforward: self-host fonts, use first-party analytics, and treat every external request as a data exfiltration vector. Government digital teams know how to do this — the question is whether anyone is actually reviewing the network behavior post-deployment

by pratyushsood

4/1/2026 at 4:26:58 PM

They actually are held to a higher standard. We just dont follow standards in this admin.

by halJordan

4/1/2026 at 4:14:19 AM

> Government apps should absolutely be held to a higher standard than consumer B2C apps

Honestly—why? What is in this traffic that mandates heightened scrutiny? It strikes me as simply about brand.

by JumpCrisscross

4/1/2026 at 4:31:44 AM

Despite all the sneed on display, it's currently #4 in the App Store (ahead of Threads, Gmail, and Google Maps) and #1 in News so they did something right.

Personally, I want the most stringent CORS settings to read about his gold Sharpie pens.

by longislandguido

4/1/2026 at 6:15:21 AM

> it's currently #4 in the App Store (ahead of Threads, Gmail, and Google Maps) and #1 in News so they did something right

Not disagreeing. But why should its provenance force a higher standard? It’s a glorified news app, to my understanding. Is its breaching worse for national security than some weather app that had its moment in the sunlight?

by JumpCrisscross

4/1/2026 at 8:10:59 AM

Because it is at some level officially backed by the White House. That alone brings higher scrutiny.

by LocalH

4/1/2026 at 2:32:50 PM

That is a reassertion of the same claim. What is the reason why?

by s1artibartfast

4/1/2026 at 2:31:57 AM

So like... most b2c apps out there? I checked app privacy report for a few such apps I have installed and also got a very high proportion of third party domains. Maybe not as high as 77% but definitely above 50% (ie. more domains are third party than first party). The most surprising part here is them refusing to put correct info in the "data collected" section of the app store listing.

edit: they seemed to have updated the store listing, so the "data collected" section is correct.

by gruez

4/1/2026 at 2:39:08 AM

[flagged]

by tr_user

4/1/2026 at 2:44:49 AM

No. Stop putting words in my mouth.

by gruez

4/1/2026 at 2:50:25 AM

No one put words in your mouth, they asked you a question. You are the one who made the initial comparison to B2C apps, so it seems like a fair question to me. Your comment implies that its standard and the app isn't doing anything out of the ordinary when I think most people would except an official government app to be held to a higher standard than the average B2C app.

by mattbuilds

4/1/2026 at 2:54:21 AM

>You are the one who made the initial comparison to B2C apps, so it seems like a fair question to me.

The relevant part of B2C is the 2C part, not the B. Mass market apps are generally ridden with telemetry and SDKs. Moreover I'm not sure how you think it's a "fair question" to go from a remark about how other apps are equally bad, to thinking I want the US government to operate as a business. It's like doing:

A: "I called the IRS and was put on hold for 2 hours, can you believe that?"

B: "To be fair that's the experience calling into most businesses, like banks or the cable company"

A: "Wow so you think we should be running the IRS like a bank?"

>I think most people would except an official government app to be held to a higher standard than the average B2C app.

Is this a "yes, in an ideal world that's how things should be" type of statement, or are you claiming "yes, government agencies have a track record of delivering technical excellence on software projects, and this particular project was especially bad"? The former is basically a meaningless platitude, and I don't think anyone seriously thinks the latter is true.

by gruez

4/1/2026 at 3:13:12 AM

[flagged]

by ryandrake

4/1/2026 at 3:24:30 AM

>Ok, so then it just sounds like whataboutism.

The flip side of "whataboutism" is "isolated demands for rigor"[1]. Going back to the IRS example, is it a fair retort to point out that IRS's hotline only sucks as much as any other large organization's hotline, or is it "whataboutism"?

[1] https://slatestarcodex.com/2014/08/14/beware-isolated-demand...

by gruez

4/1/2026 at 3:39:57 AM

It's the government, the US government. By far the largest employer and spender in the world. So yes, they are held to a higher standard. Businesses intentionally throttle customer service lines for profit reasons. The government should not. How is this difficult to understand?

by chirau

4/1/2026 at 3:52:24 AM

>So yes, they are held to a higher standard.

See my earlier comment about how this is a meaningless platitude.

>Businesses intentionally throttle customer service lines for profit reasons. The government should not.

None of this was presupposed in the original comment, only that wait times are long.

by gruez

4/1/2026 at 4:17:37 AM

what the hell do you mean meaningless platitude? Do you understand the difference between civic duty and corporate duty?

If a company proactively evades taxes for profit, do you give the government the same pass? Companies skate and fight all this through litigation and interpretation. The government's duty is to the people and to uphold the law, not fight it. They are held to a higher standard of law, accountability and practice in all undertakings. What exactly are you refuting here?

by chirau

4/1/2026 at 2:53:30 AM

It's a classic deflection tactic - when they can't refute you by merit, they answer something with a question that is completely different about what was said - BOOM, the discussion is now about something else, completely different from the original issue. I honestly can't tell if it's bots or humans these days doing this a lot, but they're getting pretty good at it.

by neya

4/1/2026 at 3:06:31 AM

[flagged]

by longislandguido

4/1/2026 at 2:50:49 AM

[flagged]

by neya

4/1/2026 at 3:08:00 AM

> If so, why do you think lobbying exists?

Specifically because it's not a natural market. There are people who secure a 2-year, consequence-free term to impact U.S. law, at the behest of people with money.

Lobbying is special interests dictating decisions that often are not financially, morally, or otherwise ideal/beneficial to the other party (the United States and its people). This wouldn't fly at any corporation or business because there would be direct impacts on the bottom line or reputation of the company.

by nkozyra

4/1/2026 at 3:42:30 AM

> If so, why do you think lobbying exists?

Would you like to be able to ask your representative to focus on a particular issue?

by lobf

4/1/2026 at 2:42:39 AM

The government should outsource way more of their traffic to third parties than a business should, since the government is inefficient, right?

by jmalicki

4/1/2026 at 2:45:43 AM

Poe's Law strikes again. I legitimately can't tell if this is sarcasm.

by amazingman

4/1/2026 at 4:02:13 AM

It is sarcasm. I always get screwed by Poe's law, since dry sarcastic parodies of extremist views is one of my favorite methodologies for producing humor.

by jmalicki

4/1/2026 at 3:16:06 AM

I'm happy to be against both the white houses' 3rd party telemetry as well as other apps. I can multitask.

by dwattttt

4/1/2026 at 2:37:36 AM

A government app being built like b2c is exactly the problem

by iterateoften

4/1/2026 at 2:49:52 AM

I'm sure that HN's preferred app would be <5MB, and has zero third party SDKs or telemetry, but half a dozen SDKs and third party domains is basically most mass market apps these days. Is it bad? Yes, but the whitehouse isn't being egregiously bad, but "whitehouse app is bad, just like most other apps" isn't going to get clicks.

by gruez

4/1/2026 at 3:09:23 AM

"everything else sucks too" is not a great defense for the US govt.

by abustamam

4/1/2026 at 3:15:56 AM

If only. It would be a far better state of of affairs if the US government sucks like every other first world country. No other first country are waging war in the middle east, having paramilitary forces terrorize residents, or are undergoing a partial government shutdown.

by gruez

4/1/2026 at 3:42:34 AM

Just because an app embeds YouTube instead of creating their own video hosting solution that does not mean that does not mean that the app sucks.

by charcircuit

4/1/2026 at 5:00:27 AM

I didn't mention anything about YouTube.

by abustamam

4/1/2026 at 6:41:59 AM

This thread is about how there are too many requests to third parties for the app. Half of them are for YouTube.

by charcircuit

4/1/2026 at 11:35:11 AM

Even if we eliminate the YouTube half it's still too many.

by abustamam

4/1/2026 at 3:05:28 AM

See gov.uk for a good example

by aplummer

4/1/2026 at 9:33:29 AM

For all our faults I am geniunely impressed by gov.uk. its not pretty, its not particularly fast, and its certainly not flashly, but I've never once not been able to find what I needed or have a flow not work.

by ozlikethewizard

4/1/2026 at 3:08:14 AM

Oh, sorry you missed Exlir and WASM, and rust and programming socks of course. Half credit.

by SV_BubbleTime

4/1/2026 at 3:32:05 AM

[flagged]

by longislandguido

4/1/2026 at 2:44:48 AM

Right, the White House is collecting data and sending it to Huawei, and overall collection rate is worse than any other app you’ve seen by a wide margin.

That makes me net more surprised after reading your comment.

You're not surprised the white house is worse than any other app you've seen by 20%?

by refulgentis

4/1/2026 at 4:02:21 AM

Don't get me wrong, the government requires a high level of scrutiny.

I would be interested to see how this compares to industry standard though, 77% doesn't seem outrageous to me given all the trackers and advertising code I've seen over the years. It wouldn't surprise me if this is inline with many apps people install and don't think twice about.

by _heimdall

4/1/2026 at 2:44:49 PM

the privacy manifest declares no data collected while the app sends your device model, ip address, session count, and a persistent tracking id to onesignal on every launch. false attestation anyone?

by kevincloudsec

4/1/2026 at 3:39:38 AM

Ads are coming next.

by vjvjvjvjghv

4/1/2026 at 3:57:29 AM

is location tracking part of OneSignal ? no mention of the other location services in this writeup ?

by gnerd00

4/1/2026 at 10:14:08 AM

[dead]

by exiguus

4/1/2026 at 3:00:08 AM

[flagged]

by longislandguido

4/1/2026 at 3:04:03 AM

The US government is publishing an app that over 50k people have downloaded, at least on the Android app store.

People should care.

by abustamam

4/1/2026 at 3:08:34 AM

And? Half the posters here develop VC-funded spyware professionally.

by longislandguido

4/1/2026 at 3:10:56 AM

and the other half work for the government or an NGO LOL

by calvinmorrison

4/1/2026 at 3:13:20 AM

VCs publicly funded by tax policy and bailouts. Americans are abused spouses.

by yabutlivnWoods

4/1/2026 at 3:11:30 AM

[flagged]

by gunsle

4/1/2026 at 3:14:30 AM

I hear there is this amazing new app you can install to avoid all of the TDS you dislike so much.

by wnevets

4/1/2026 at 3:18:03 AM

Perhaps if Trump did not want his opponents to be deranged about him, he should not have published a video where he puts on a crown then gets in a bomber jet and dumps poo on them. But of course, that's the trick; I've been called deranged in the past just for accurately reporting that he published that video!

by SpicyLemonZest

4/1/2026 at 3:35:38 AM

[flagged]

by longislandguido

4/1/2026 at 3:45:45 AM

What's the point of lying like this? You know and I know that Trump would not take it in good humor if a CEO or politician posted a video of themselves pooping on him. Nor would you take it in good humor if your boss posted a video of themselves pooping on you. There's just nothing humorous about it.

by SpicyLemonZest

4/1/2026 at 4:12:38 AM

It's pointless to take anything longislandguido says seriously, since he actually does have Trump Derangement Syndrome as evidenced by his deranged lies on Trump's behalf.

by DonHopkins