Amine 🖖

@marouane53 Wayih galo had lyam so9 ghali ykon khir inchallah

I reverse engineered the official White House Android app this afternoon. Took about 30 minutes. Package gov(.)whitehouse(.)app, version 47.2.0. There were good investigations published earlier this year, Atomic Computer on iOS and Thereallo on an earlier Android build, and I wanted to see what the current Android version actually looks like, plus the backend, which nobody had touched. How I did it. I used apkeep to pull the XAPK, verified the Google signatures, ran jadx on the APK to get the Java sources, and dumped the Hermes JavaScript bytecode with hermesc. That last step matters because the app logic is compiled JavaScript that is unreadable until you dump it. From there I walked the manifest, the compiled JS, and probed the public backend with the same User-Agent the app uses. The big differences from what was previously reported. First, certificate pinning. Atomic flagged the absence of cert pinning on iOS as a major issue. On Android it actually exists. The whitehouse(.)gov domain is pinned with public keys valid through June 2027, cleartext is disabled globally, and the JavaScript fetch layer enforces HTTPS plus a domain allow list. Whoever built the Android side took transport security seriously. Intercepting traffic on this build is hard. Second, remote GPS activation. The iOS reporting was right that OneSignal can flip a server side flag to enable location tracking, because iOS permission strings exist in that build. On Android, that attack does not work. The manifest declares zero location permissions. A custom Expo build plugin literally named withNoLocation strips them at compile time. The JavaScript explicitly calls OneSignal.Location.setShared(false). Android refuses to grant location without a manifest declaration, so the OneSignal server has nothing to toggle. Turning location on would require pushing a new app version through the Play Store. The OneSignal location code is still bundled in the binary, so the supply chain risk is real, but it cannot be activated remotely. Third, the JavaScript that earlier versions used to hide GDPR cookie banners inside WebViews is gone in this build. I grepped the bytecode for every signature of that pattern. What is there now is YouTube iframe setup, the Elfsight social embed loader, a ResizeObserver, and a media cleanup script. No banner stripping. The fix made it across to Android. Fourth, the backend. Nobody had published this in their investigations. The app talks to a WordPress REST API at whitehouse(.)gov, and every public content endpoint returns JSON to spoofed requests as long as I send the same User-Agent the app uses. Home, live, polls, galleries, priorities, schedule, media bias, wire, news search, and social feeds for facebook, instagram, linkedin, tiktok, truth, and x are all trivially scrapeable. They come back with wildcard CORS too, meaning any website can fetch them. The interesting find is the poll voting flow. It uses Firebase App Check or Play Integrity attestation, where the client has to prove it is a real unmodified copy of the app running on a real device before the server accepts a vote. I probed it with fake headers. Missing client ID returned 400. Bogus attestation returned 401. The controls actually work. Whoever built that got it right. The big red flags that still stand. Firebase Analytics is on by default with ad storage, ad user data, and ad personalization signals all set to true. Both Android ad services permissions are declared. The compiled JavaScript logs detailed behavioral events including article reads with article ID and title, video plays, searches, external link clicks with URL truncated to 500 characters, scroll depth, notification taps, share taps, WebView loads, and gallery interactions. This is DTC marketing telemetry attached to a government news app. OneSignal, with app ID 4166924e-05fd-4182-8e88-819400f99676, sends push token, device model, OS, carrier, network type, rooted status, app version, and notification preference tags like breaking_news_notifications and issues_notifications to api(.)onesignal(.)com on every session. Mailchimp is wired up to whitehouse(.)us10(.)list-manage(.)com with list 004f59aa22 and default tag 7041498, ready to send email and optional phone the moment a newsletter call to action gets shown. The app declares RECORD_AUDIO and READ_MEDIA_AUDIO with no obvious user facing audio recording feature, and Expo audio modules sit in the dependency code. android:allowBackup is on, which means most app data flows through Android cloud backup by default. Public APIs run with wide open CORS. So I think the Android team took transport security seriously and did real engineering on the parts iOS got wrong. That deserves credit. But the architectural choice to build a government app on top of Firebase, OneSignal, Mailchimp, Elfsight, and a wide third party media graph is the deeper problem, and you cannot fix that with config flips. The stack is the problem, not the configuration. Everything downstream flows from that one choice at the start.

3lach ga3 lmgharba f had twitter wlad prépa ??

@Silla168 @Aya_Kyoto65 واش باقي ماقدرتيش دوي بالعربية هههه

@Amine016_ @Aya_Kyoto65 Tu comprends tellement pas que tu viens de me répondre 😂

フランス語の所に🇩🇿があって、アラビア語の所に🇲🇦があるの物凄くFitnaだしヤバすぎるし良くないと思う

@boundagani5000 @ProtectorNation @Aya_Kyoto65 7witih hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh

@ProtectorNation @Amine016_ @Aya_Kyoto65 Wa hanta mlbedia ktebti el maroc, b7al syadek d fransa L3ib ban ya jeddek

@ii_maryy63159 @Aya_Kyoto65 عادي نتوما جيل جديد فيكم لي فاهم لقالب ديال الفرنسية و ممسوقش ليها ولكن غالبا باك وجدك وجد باك كيتقنو الفرنسية وهذي النقطة ديالي عكس هنا فالمغرب

@Amine016_ @Aya_Kyoto65 كلامك صح و خطاء علاه ؟ كاين دزيريين يعرفوا غير العربية ومتعلموش فرنسية او محبوش يتعلموها كما انا منعرفهاش اصل كنت ندي فيها 2 زيد اللغة رسمية للدولة جزائرية هي العربية و لغة القرآن ليتعلموها دزيريين فاااا نعم كاين ليخلطوا هدرتهم بفرونسي وكاين لكيفي يعرف غير عربية ......

@0tmzn @Aya_Kyoto65 ههههههههههههههههههههههههههههههههه لخر والله

@Amine016_ @Aya_Kyoto65 حتى اسماء الاشهر الرسمية في الجزائر هي بالفرنسية

@Lyna_Amm @Aya_Kyoto65 سمحي ليا ما كنفهمش هاد اللغة ديال الجزائر كتبي بالعربية راه غير كتبيني بلي عندي الصح 😂

@Amine016_ @Aya_Kyoto65 Certains ne parlent que français ? Mais vous êtes fous et obséder ma parole

@Silla168 @Aya_Kyoto65 سمحي ليا ما كنفهمش هاد اللغة ديال الجزائر كتبي بالعربية راه غير كتبيني بلي عندي الصح 😂

@Amine016_ @Aya_Kyoto65 Ferme ta grosse bouche sale merde tu connais quoi de l’Algérie pour penser que t’a la légitimité d’en parler ?

@xlc9_ @Aya_Kyoto65 بغيتي تقول حقائق

@Amine016_ @Aya_Kyoto65 must be ragebait

@dezerois @Aya_Kyoto65 علاش شرح ليا اخويا

@Amine016_ @Aya_Kyoto65 Nonsense 😂😂

@Wisskhy09 @Aya_Kyoto65 نتا دوي بعدا بيها 😂😂

@Amine016_ @Aya_Kyoto65 Oh comment tu mens, t'es déjà en Algérie voir comment il parle avant de dire des conneries ? Les gens parle arabe ou amazigh, et la majorité comprennent rien au français et y'a 0 mélange d'arabe et de français à part quelques mots

@ProtectorNation @Aya_Kyoto65 أستطيع أن أقسم أنك كنت تكتب كلمات فرنسية و تحذفها و راه ماشي عيب اخويا نتوما عندكم مع الفرنسي الأغلبية كيعرف ليها باش غير تقولو بسباب كتقولو باسكو وعادي مالك معصب رخيها

@Amine016_ @Aya_Kyoto65 انت عايش في المروك كول حياتك في المروك عمرك ما شفت دزيري عمرك ماهدجرت مع الدزيري الدزييين الوحيدين اللي تعرفهم شفتهم في السوشيال ميديا امالا علاه راك تشرك في فمك ايا بلع علينا

@DehinaMous7100 @Ahmedm94m Nah

@Amine016_ @Ahmedm94m

🔴 نتفليكس أعلنت عن انشاء استوديو باسم 'INKubator" للقيام بإنتاج انميات انميشين قصير باستخدام AI والتوسع في المجال ⚰️

@glitch_prod @party_animals

@MegaSparked @noobpvpgagaV2

We are going to sue YouTube But before we do, our lawyer is currently in the process of sending a letter to YouTube. Over 2 weeks ago our channel @UnderSparked" target="_blank" rel="nofollow noopener">youtube.com/@UnderSparked was falsely demonetized under the "inauthentic content" policy. Demonetized doesn't mean no ads though, all it means is YouTube will still run ads on the videos. But they pocket all the revenue, essentially stripping all the revenue from us. We don't claim to be the pinnacle of quality content standards, but the following things do cause us to scratch our heads in confusion 1. All of the bigger channels in the same niche as us are monetized with no issues 2. We literally voice act, edit, etc, all our own videos while 100s of AI storytelling channels are still monetized 3. YouTube is fine with running ads on the videos, pocketing all the revenue. We assume if YouTube had such a big problem with the content, why still serve it to your advertisers? 4. 100s of reaction channels still stay monetized Some examples of bigger monetized channels that are in the same niche as us are: rSlash: @rSlash" target="_blank" rel="nofollow noopener">youtube.com/@rSlash DarkFluff: @DarkFluff" target="_blank" rel="nofollow noopener">youtube.com/@DarkFluff Oz's Vault: youtube.com/channel/UCoJ1A… We support these channels, the reason we are providing these channels as examples is to showcase how it feels like we're being targeted. This has caused extreme distress for my team and I. Many of our livelihoods and families rely on this channel. Our community relies on the UnderSparked channel. Many people support the UnderSparked channel because in a time of nonstop AI channels, we stepped up and used real voice actors to cater to that connection and community that viewers on YouTube crave. We truly believe this demonetization was done in error, all we want is a real human specialist to help us fix the issue. We're tired of constantly receiving only copy and pasted templated responses, constantly neglecting/dismissing our attempts at fixing the false demonetization. We're kindly requesting for a representative from @TeamYouTube to help us fix this demonetization issue with our channel. We don't want to send letters, or sue, or anything! We simply just want to go back to producing content for our community.

@Teto19987 Nigga

أكره هذه العقلية صراحة، لا توجد قصة مهما علت يجب أن تكون السقف و نزدري باقي الفنون و القصص بسببها شخصيا عندي قصص عديدة يابانية أفضلها على الأغنية و لكن أتفهم من يرى عكس ذلك عموما توقفوا عن وضع سقف محدد للفن

Ronaldo would sell his soul just to scam his way to 1,000 career goals. 😭😭

@AskRo3b ضيعت الكثير من الدولارات للأسف ههه

التغريدة انتشرت عند اليابانيين وهم يهاجمونني الآن 😭