Here’s the TL;DR: Don’t download it unless you’re a huge fan of spyware. If you’ve already downloaded it, there’s no real assurance you can remove everything completely.

That sounds ominous, doesn’t it?

Well… so does everything else I’m about to say about the new White House app.

It’s being marketed as a way to get direct access to the Trump Administration. In practice, it looks more like a delivery system for some extremely sketchy behavior—and I’m genuinely concerned about the digital safety of people who’ve downloaded it.

Thankfully, that number is still relatively low. Let’s keep it that way.

I generally like official “from the source” apps. But the downsides on this one are… impressive. Before we get into the details, one thing needs to be very clear:

Red Flags Are Nonpartisan

There’s nothing political about this.

Every issue here is technical. A security flaw is a security flaw. A privacy issue is a privacy issue. It doesn’t matter who built it.

Privacy Issues

Apps should be clear about what they’re doing. Full stop.

If an app uses your location, it should say that.
If it doesn’t, it should say that too.
If it says it doesn’t — but it does — that’s a problem.

This app manages to do exactly that.

It pairs “location when in use” behavior with the statement:

“This app does not use your location.”

…what?

It doesn’t stop there:

  • The privacy manifest is empty, which means it doesn’t disclose what data it collects.

  • The app includes 10 OneSignal frameworks, including location tracking.

  • The decompiled code shows a GPS pipeline polling your location every 4.5 minutes in the foreground and every 9 minutes in the background.

  • That data is sent to a third-party server — even in the background.

Even Google gives you a heads-up when it’s tracking you. This app doesn’t, which could affect your safety and potentially your physical security.
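The mismatch described above can be checked mechanically. This is an added example, not code from the app or from the researchers cited here: it assumes the standard Apple `Info.plist` and `PrivacyInfo.xcprivacy` keys, and the sample plists and framework listing are constructed to mirror the behavior the article describes.

```python
import plistlib

# Constructed sample files, modelled on the behaviour described above
# (not extracted from the real app bundle).
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSLocationWhenInUseUsageDescription</key>
  <string>This app does not use your location.</string>
</dict></plist>"""

PRIVACY_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPrivacyTracking</key><false/>
  <key>NSPrivacyCollectedDataTypes</key><array/>
</dict></plist>"""

# Hypothetical listing of the bundle's Frameworks/ directory.
FRAMEWORKS = ["OneSignalCore.framework", "OneSignalLocation.framework"]

LOCATION_USAGE_KEYS = (
    "NSLocationWhenInUseUsageDescription",
    "NSLocationAlwaysAndWhenInUseUsageDescription",
)


def audit_location_disclosure(info_plist, privacy_manifest, frameworks):
    """Return findings where location signals contradict the disclosures."""
    info = plistlib.loads(info_plist)
    manifest = plistlib.loads(privacy_manifest)
    findings = []

    # Data types the manifest admits to collecting, e.g. ...PreciseLocation.
    declared = [d.get("NSPrivacyCollectedDataType", "")
                for d in manifest.get("NSPrivacyCollectedDataTypes", [])]
    declares_location = any("Location" in d for d in declared)

    usage = {k: info[k] for k in LOCATION_USAGE_KEYS if k in info}
    location_sdks = [f for f in frameworks if "location" in f.lower()]

    if usage and not declares_location:
        findings.append("permission-without-disclosure")
    if location_sdks and not declares_location:
        findings.append("location-sdk-without-disclosure")
    # A usage string that denies the very access it is requesting.
    if any("does not use" in text.lower() for text in usage.values()):
        findings.append("usage-string-denies-use")
    if not declared:
        findings.append("empty-privacy-manifest")
    return findings
```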

Security Issues

There are also some big concerns in how the app is built.

  • It uses Elfsight widgets, which can be used to move data in or out without user awareness.

  • There’s no certificate pinning.

  • There’s no real security hardening.

@DiligentDenizen did a great breakdown just by looking at the app permissions during install:

That’s… not great.

If you want the deep technical dive, the blog post “I Decompiled the White House's New App” is worth reading. It’s a wild ride. Even the non-technical parts are concerning enough.

Lies, Damn Lies, and… This

Maybe this is just me, but I read the Terms of Service (ToS). It’s my data. I want to know what’s happening with it.

In a single browsing session, the app:

  • Sent your device model, OS, IP address, timezone, language, session count, session duration, and a persistent unique identifier to OneSignal

  • Contacted 13 Elfsight-controlled domains and received 10+ tracking cookies

  • Loaded Google DoubleClick ad tracking infrastructure

  • Made requests to Facebook CDN, Twitter/X CDN, YouTube, and Google APIs

The privacy label says “No Data Collected.”

That’s… a lot of data for something that claims to collect none.

And again, mad props to the security researchers shining a light on this.

According to atomic.computer:

We followed up with a network traffic analysis that confirmed the app sends your IP address, timezone, device model, OS version, session count, session duration, and a persistent unique identifier to OneSignal on every launch, despite the permission string claiming “This app does not use your location” and the privacy manifest declaring zero data collection. Only 23% of the app’s requests go to whitehouse.gov. The other 77% go to third parties.

Wait — what?

Why is most of the traffic going to third parties?

Surely that’s fine. (insert heavy sarcasm here)

Third Party Risk

There’s an entire job in cybersecurity called Third Party Risk Management (TPRM).

Because even if you trust an app, you’re also trusting all the other apps it shares your data with.

Think of it like loaning your lawnmower to your neighbor. You lock your garage, but they don’t. Your lawnmower gets stolen. You take the loss for their lack of security.

Now apply that to your personal data — spread across dozens of companies.

This app makes 158 app-initiated requests to third-party vendors.

Who are they?
What are they doing with your data?
No one’s saying.
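To reproduce a first-party versus third-party breakdown like the one quoted above from your own proxy capture, a short script is enough. This is an added example, not the researchers' tooling: the captured URLs are constructed, the `.example` hosts are placeholders rather than the app's real endpoints, and grouping by the last two host labels is a simplifying assumption.

```python
from collections import Counter
from urllib.parse import urlsplit

FIRST_PARTY = ("whitehouse.gov",)  # the first-party domain named in the article

# Constructed capture: the .example hosts are placeholders, not real endpoints.
CAPTURED_URLS = [
    "https://www.whitehouse.gov/",
    "https://whitehouse.gov/news",
    "https://api.push-vendor.example/players",
    "https://api.push-vendor.example/on_session",
    "https://widgets.widget-vendor.example/platform.js",
    "https://core.widget-vendor.example/boot",
    "https://ads.adnetwork.example/pixel?id=1",
    "https://whitehouse.gov.cdn-lookalike.example/app.js",
]


def is_first_party(host, first_party=FIRST_PARTY):
    """Match on a label boundary so a lookalike prefix is not first-party."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in first_party)


def vendor_of(host):
    """Rough vendor key: last two labels (a real audit would use the
    Public Suffix List instead of this approximation)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def summarize(urls, first_party=FIRST_PARTY):
    """Count requests per side and group third-party hosts by vendor."""
    hosts = [urlsplit(u).hostname or "" for u in urls]
    third = [h for h in hosts if not is_first_party(h, first_party)]
    total = len(hosts)
    return {
        "total": total,
        "first_party": total - len(third),
        "third_party": len(third),
        "third_party_share": len(third) / total if total else 0.0,
        "by_vendor": Counter(vendor_of(h) for h in third),
    }


if __name__ == "__main__":
    report = summarize(CAPTURED_URLS)
    print(f"{report['third_party_share']:.0%} of {report['total']} requests "
          "went to third parties")
    for vendor, n in report["by_vendor"].most_common():
        print(f"  {n:3d}  {vendor}")
```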

If You’re Not Paying, You’re the Product

I say this a lot, but it applies here perfectly: If you’re not paying, you’re the product.

This app is free.
Your data is going… a lot of places.

Draw your own conclusions.
