The White House App Is a Surveillance Liability Disguised as a News Feed
The White House released an official app on March 27, 2026 for iOS and Android. It promises "direct, unfiltered access to the People's House." Two independent security researchers decompiled it within hours. What they found: a consent-stripping JavaScript injector, a dormant GPS tracking pipeline, live code execution from a Russian-origin company, a provably false privacy manifest, and zero security hardening.
This is not a privacy-respecting government app. It is a case study in how not to build one.
What the Decompilation Found
Security researcher Thereallo decompiled the Android APK. Atomic.computer performed an independent iOS analysis and follow-up network traffic capture. Their findings overlap and confirm each other.
The app is built on React Native with Expo. It pulls content from a WordPress REST API at whitehouse.gov. Five tabs: Home, News, Live, Social, Explore. Technically unremarkable, except for what ships alongside it.
Consent Stripping: The Government Overrides Your Privacy Choices
The original release (v47.0.0) injected JavaScript and CSS into every webpage opened through its built-in browser. The injection targeted and hid:
- Cookie consent banners
- GDPR consent dialogs
- OneTrust popups
- Privacy banners
- Login walls and signup walls
- Paywall elements
- CMP (Consent Management Platform) boxes
The code also forced body { overflow: auto !important } to re-enable scrolling on pages where consent dialogs lock scroll. A MutationObserver continuously removed any consent elements that loaded dynamically.
Browser extensions like uBlock Origin do similar things. The difference: you choose to install those. The White House app did it silently, on every page load, without disclosure. The executive branch shipped code that destroyed the legal compliance infrastructure of every website its users visited.
GPS Tracking: Dormant but Remotely Activatable
The app ships with 10 separate OneSignal frameworks totaling approximately 2.4 MB. This includes OneSignalLocation.framework (104 KB) with a complete location tracking pipeline: permission requests, interval constants, fused location capture, background scheduling, and sync to OneSignal's API.
Network traffic analysis confirmed GPS coordinates are not currently transmitted. But the SDK's open-source code (v5.5.0) reveals that OneSignal's server sends a location_shared boolean on every app launch. If the server sets it to true, GPS tracking activates. The code explicitly prioritizes the server-side parameter over any local setting.
The original release requested always-on background location. Version 47.0.4 changed the permission string to "This app does not use your location." The OneSignalLocation.framework with sendLocation and requestLocation is still compiled in. There is no map, no local news, no geofencing, no weather. Nothing in the app needs location data.
OneSignal is a private, VC-backed company in San Mateo, California. Its data is stored on Google Cloud. The location tracking light switch is not in the White House's hands. It is in OneSignal's.
Six WebViews Loading Russian-Origin JavaScript
The app loads live JavaScript from Elfsight, a widget company originally founded in Tula, Russia (now registered in Andorra). Six separate WebViews each load platform.js from Elfsight's CDN.
Elfsight uses a two-stage loader. The initial script calls Elfsight's server with widget IDs and the current page URL. The server responds with widget configuration and an array of additional script URLs. The loader then creates <script> elements for each URL and injects them into the page. No Subresource Integrity (SRI) hashes verify the scripts.
Elfsight's server decides what code runs. If Elfsight's CDN or backend were compromised, or if the company were compelled to modify its response, arbitrary JavaScript would execute inside the official White House app across all six surfaces.
Elfsight's privacy policy states it collects IP addresses, sets tracking cookies (session tokens and click tracking stored up to a year), and communicates with four separate Elfsight servers.
The Privacy Manifest Is Provably False
Apple requires apps to file a privacy manifest declaring what data they collect. The White House app declares:
NSPrivacyCollectedDataTypes: [] (empty array)
NSPrivacyTracking: false

Network traffic capture showed the following data leaving the device:

| Data Type | Source | Confirmed in Traffic |
|---|---|---|
| IP address (full IPv4/IPv6) | OneSignal user profile | Yes |
| Timezone and country | OneSignal profile | Yes |
| Device model and OS version | OneSignal profile | Yes |
| Session count and duration | OneSignal /outcomes/measure | Yes |
| Persistent unique identifier | onesignal_id (never resets) | Yes |
| Network type and carrier | OneSignal profile | Yes |
| Jailbreak status | OneSignal profile (rooted field) | Yes |
| Push token | APNS token in OneSignal profile | Yes |
| GPS coordinates (capability) | OneSignalLocationManager | Not active (confirmed) |
Only 23% of the app's network requests go to whitehouse.gov. The other 77% go to third parties: OneSignal, Elfsight, Mailchimp, Uploadcare, and others.
This violates Apple's App Store Review Guidelines Section 5.1.2. OneSignal's own frameworks ship their own privacy manifests declaring what they collect. The app's developer overrode them with an empty array.
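The kind of consistency check that would have flagged the empty manifest, as an added example (not Apple tooling and not the app's code): it compares the app manifest with the manifests of bundled SDKs and with fields seen in a traffic capture. The data type identifiers are Apple's; the mapping from captured field names to those identifiers, and the sample manifests, are assumptions constructed for this example.

```javascript
// Added example, not Apple tooling or the app's code. Checks an app's privacy
// manifest against (1) the manifests of the SDKs it bundles and (2) fields
// seen in a traffic capture. Data type identifiers are Apple's; the mapping
// from captured field names to those identifiers is an assumption here.

// Captured field -> NSPrivacyCollectedDataType identifier (assumed mapping;
// fields with no entry are reported rather than silently dropped).
const FIELD_TO_TYPE = {
  onesignal_id: "NSPrivacyCollectedDataTypeUserID",
  push_token: "NSPrivacyCollectedDataTypeDeviceID",
  session_count: "NSPrivacyCollectedDataTypeProductInteraction",
  ip_address: "NSPrivacyCollectedDataTypeOtherDataTypes",
  gps: "NSPrivacyCollectedDataTypePreciseLocation",
};

function declaredTypes(manifest) {
  return new Set((manifest.NSPrivacyCollectedDataTypes || [])
    .map((d) => d.NSPrivacyCollectedDataType));
}

// Returns the discrepancies an auditor would raise; empty arrays and a false
// flag mean the app manifest is consistent with both the SDKs and the capture.
function auditManifest(appManifest, sdkManifests, observedFields) {
  const declared = declaredTypes(appManifest);
  const fromSdks = new Set(sdkManifests.flatMap((m) => [...declaredTypes(m)]));
  const fromTraffic = new Set(
    observedFields.map((f) => FIELD_TO_TYPE[f]).filter(Boolean));
  const sdkTracks = sdkManifests.some((m) => m.NSPrivacyTracking === true);
  return {
    undeclaredSdkTypes: [...fromSdks].filter((t) => !declared.has(t)).sort(),
    undeclaredTrafficTypes: [...fromTraffic].filter((t) => !declared.has(t)).sort(),
    unmappedFields: observedFields.filter((f) => !(f in FIELD_TO_TYPE)),
    trackingUnderDeclared: sdkTracks && appManifest.NSPrivacyTracking !== true,
  };
}

// Constructed sample mirroring the situation described above: an empty app
// manifest, one SDK manifest that does declare identifiers, and fields seen
// in a capture (the SDK manifest contents are invented, not OneSignal's).
const APP_MANIFEST = { NSPrivacyCollectedDataTypes: [], NSPrivacyTracking: false };
const SDK_MANIFESTS = [{
  NSPrivacyTracking: false,
  NSPrivacyCollectedDataTypes: [
    { NSPrivacyCollectedDataType: "NSPrivacyCollectedDataTypeUserID" },
    { NSPrivacyCollectedDataType: "NSPrivacyCollectedDataTypeDeviceID" },
  ],
}];
const CAPTURED = ["ip_address", "timezone", "device_model", "session_count", "onesignal_id", "push_token"];

function auditDemo() { return auditManifest(APP_MANIFEST, SDK_MANIFESTS, CAPTURED); }
```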
No Security Hardening
The app has no certificate pinning. It loads code from a personal GitHub Pages account (lonelycpp.github.io) for YouTube embeds. If that account were compromised, arbitrary HTML and JavaScript would execute inside the app's WebView context.
It sends email addresses to Mailchimp. It hosts images on Uploadcare. It has a hardcoded Truth Social embed. None of this infrastructure is government-controlled. The Expo OTA (over-the-air) update system is configured, meaning code changes can be pushed without going through app store review.
How USDS Would Have Prevented This
The U.S. Digital Service (USDS) was created after the Healthcare.gov failure to bring software engineering expertise into the federal government. For over a decade, across three administrations, USDS and 18F recruited engineers who built and reviewed government technology to professional standards.
DOGE fired them. The organizations that would have caught a full GPS tracking pipeline one function call from activation in a press release app were gutted and replaced with contractors who shipped developer home IP addresses to the public and loaded executable code from personal GitHub accounts.
What You Should Do
Do not install the White House app. Access whitehouse.gov directly through a browser with privacy extensions. If you already installed it:
- Delete the app
- Revoke any location permissions you may have granted
- Check your notification settings for lingering push tokens
- If you submitted a contact form or signed up for the newsletter, that data (email, phone) is with Mailchimp
If you need to follow government news, use an encrypted DNS setup and access the website through a privacy-respecting VPN or Tails. Government apps are never the safe choice.
Frequently Asked Questions
What does the White House app actually collect?
Independent security analysis confirmed the app sends your IP address, timezone, country, device model, OS version, session count, session duration, carrier, jailbreak status, and a persistent unique identifier to OneSignal servers on every launch. The app declares zero data collection in its privacy manifest.
Does the White House app track GPS location?
The full GPS tracking pipeline is compiled into the app via OneSignal Location framework. Network traffic analysis confirmed GPS data is not currently being transmitted. However, OneSignal can remotely enable location tracking via server-side parameters without an app update or user notification.
What is the consent stripping behavior in the White House app?
The original version (v47.0.0) injected JavaScript into every webpage opened through its built-in browser to hide cookie consent banners, GDPR dialogs, login walls, and paywall elements. This was removed in v47.0.4 after the security researchers published their findings.
Who is Elfsight and why is it in the White House app?
Elfsight is a widget company originally founded in Tula, Russia, now registered in Andorra. The White House app loads live JavaScript from Elfsight servers in six separate WebViews. Elfsight uses a two-stage loader where the server decides what scripts run. There is no subresource integrity verification.
Should I install the White House app?
No. The app has no certificate pinning, loads executable code from multiple third-party servers including a Russian-origin company, contains remotely activatable GPS tracking, and files a provably false privacy manifest. Access whitehouse.gov directly through a browser with proper privacy extensions instead.