White House App Exposes Users to Data Theft Via Undisclosed Third Parties

The Trump White House's official app collects and shares user data with third-party vendors without proper disclosure, according to cybersecurity researchers who analyzed its code. The app's privacy manifest on Apple's App Store is blank even though the app transmits IP addresses, time zones, device identifiers, and mobile carrier information to companies including OneSignal and Elfsight, a Russia-founded software vendor. Philip Fields, a cybersecurity researcher and former FBI intelligence analyst, stated that "having an amateur WordPress developer running the White House's public presence puts everybody who visits it at risk," especially while the U.S. is engaged in military conflict.

The app fails to meet federal security standards and bypasses established oversight mechanisms. Federal apps and websites are required to use certified cloud services such as FedRAMP or GovCloud, which have been vetted and certified by Congress for security compliance. Instead, the White House contracted with 45Press, an Ohio-based WordPress development company with no disclosed mobile app experience, which was awarded over $1.4 million in February. The app lacks basic security protections, including code obfuscation and certificate pinning, making its code and network traffic vulnerable to reverse engineering.

Data sharing with third parties violates the app's stated privacy disclosures to users. Apple's App Store requires developers to declare all data collection in privacy manifests; the White House app's manifest is completely blank, falsely indicating that no data collection occurs. Cybersecurity researcher Thereallo noted that "users downloading an official government app would reasonably expect their data to stay within the US government systems, not flow to commercial third-party platforms." OneSignal's chief marketing officer acknowledged the company collects functional data but stated it is Apple's responsibility to ensure developers disclose this collection accurately.

The White House defended the app's security practices, claiming third-party vendors underwent full IT review and that data sharing is "standard" for applications. However, Sen. Dick Durbin, ranking member of the Senate Judiciary Committee, criticized the administration's cybersecurity failures, stating "in true Trump White House fashion, their lackluster app appears to pose a cybersecurity threat to its users," particularly as the administration simultaneously cuts funding from cybersecurity agencies. The app ranks as the third-most downloaded news app on Apple's App Store after its launch last week, with Trump promoting it as providing "front-row access" to his administration.

The White House has deployed four updates to the app within one week of its release, with developers attributing two updates to "minor bug fixes." Initial versions included inactive location-tracking permissions that were subsequently removed. Cybersecurity expert Adam Enger warned that state-sponsored attackers possess far more sophisticated analysis capabilities than independent researchers and are actively monitoring the app for vulnerabilities, stating "if I could find this by myself in an hour on Friday night, then how far along are our adversaries with this?"

(Source: https://www.notus.org/technology/trump-white-house-app-cybersecurity)