Let's see if anyone can give an example of such a high profile app doing something similar.

I've worked on a three letter sports orgs (one of NFL, NBA, NHL, etc) Android app.

I always joke that we could probably tell you what color and type your underwear is on any random day with how much data is siphoned off your phone.

As for loading random JS, yeah also seen that done that before. "Partner A wants to integrate their SDK in our webviews." -> "Partner A" SDK is just loading a JS chunk in that can do whatever they want in webviews, including load more files.

Don't get me started on the sports betting SDKs...

Though we do have a Security team constantly scanning SDKs and the endpoints for changes in situations like this.

	▲	jasonlotito 6 hours ago \| parent [-]
		> As for loading random JS, yeah also seen that done that before. Partner A is not random JS. The assumption there is 1) you have some official signed agreement with them and 2) you've done your due diligence to ensure you can use them in this way. It's not just some person's GH repo who can freely change that file to whatever they want. Hotlinking is as old as the internet, and a well-worn security threat.