Cybersecurity researchers warn that the White House’s new app regularly shares users’ IP addresses, time zones and other data to third-party services. But most of its users wouldn’t know that, because the app doesn’t disclose its data sharing the way most others do.
The cybersecurity experts’ reviews of the app code turned up a host of issues that they say make data — for both users and some White House staffers — vulnerable. Several told NOTUS they were shocked by the slipshod approach to cybersecurity by the federal government, especially while the U.S. is engaged in war.
“The U.S. government’s infrastructure is being attacked from all sides right now, and having an amateur WordPress developer running the White House’s public presence puts everybody who visits it at risk,” Philip Fields, a cybersecurity researcher and former FBI intelligence analyst, told NOTUS. “If this were just some random app out on the App Store representing whatever small business … this would not be a story.”
“But it’s not,” Fields said. “This is the White House.”
The app ranks as the third-most downloaded news app in the Apple App Store as of Friday. The White House released the app last week, and Trump on Monday promoted it as a source for “front-row access to all news from your favorite president.” He encouraged all of his fans to download it.
A White House press release announcing the app’s launch said that it “delivers unparalleled access to the Trump administration.”
A researcher shared screenshots with NOTUS showing that Elfsight — a third-party, Russia-founded software kit company that provides premade widgets for the app — makes public the personal information of some White House staffers through the app, as of Thursday. NOTUS is not publishing further details to protect the staffers’ privacy, but it was visible because of the app’s incorporation of Elfsight.
Federal apps and websites traditionally rely on certified cloud services that meet security requirements designed by federal agencies and certified by Congress.
“This is why things like FedRAMP and GovCloud exist,” Fields said. “They’ve already been scrutinized and determined to mitigate a lot of this type of risk.”
A representative for Elfsight did not respond to a request for comment — but the company’s email automatically sent an “AI-generated reply” in response to NOTUS’ questions about its security.
“The app owner is responsible for deciding whether and how to allow any third‑party code into their application, including the use of WebViews, content security controls, and any additional hardening they deem appropriate for a governmental context,” Elfsight’s bot wrote. “Customers should treat us as part of their broader supply chain and apply a security posture that matches their risk profile.”
In a statement, a White House official said that “Elfsight went through a full security review by White House IT and was approved for use. This is a vulnerability on Elfsight’s side – and they have been informed of it.”
The statement touted, by name, companies that also use the Elfsight software.
Most of the data concerns are much more sweeping and affect all users.
Because the app uses outside software for some of its functions, it collects and sends data to third parties. For example, the White House uses a vendor, OneSignal, to send push notifications. It’s a common third-party vendor for an app to use, but it requires a unique digital fingerprint that can track users across sessions. It also needs the user’s mobile carrier, phone model, network type and operating system version, as well as how long a user has been on the app and how frequently they visit it.
Jason Seeba, OneSignal’s chief marketing officer, described its data collection to NOTUS via text as “standard across push notification platforms,” and said that it is fully disclosed on the company’s website and in a privacy disclosure included with the software.
Seeba did not comment on the White House’s app specifically, but said the data picked up by OneSignal is “functional: knowing the OS version determines how to format a notification, session data and the random identifier measure delivery, and so on.”
Seeba said it’s the developers’ duty to disclose the data collection that OneSignal requires.
“Apple requires app developers to declare all data collection in their app-level privacy manifest, including data collected by third-party SDKs,” or software development kits, Seeba said in a text. “Our documentation explicitly tells developers this is their responsibility, and we provide the details they need to make those disclosures accurately.”
But several cybersecurity experts said that the data collection done by the White House is not properly disclosed in app stores. App marketplaces ask developers to disclose what data is collected from users; Apple’s App Store is generally considered to have stricter privacy policies for mobile applications than other app marketplaces, which it enforces through its “privacy manifest.”
As of the app’s latest version, released on Friday, the White House left that privacy manifest completely blank, suggesting it collects no data from users.
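For comparison, this is what a bundled PrivacyInfo.xcprivacy manifest looks like when it declares collection of the kind the article attributes to the push-notification SDK: a persistent device identifier, device and OS details, and session frequency. It is an illustrative file added here, not the White House app’s manifest or OneSignal’s documentation; the specific data types and purposes are assumptions chosen to match the data described above, and a real app has to map each SDK’s documented collection onto Apple’s categories itself.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Illustrative manifest, not the app's own. A manifest with nothing under
       NSPrivacyCollectedDataTypes is the "completely blank" case described above. -->
  <key>NSPrivacyTracking</key>
  <false/>
  <key>NSPrivacyCollectedDataTypes</key>
  <array>
    <!-- Persistent identifier used to address push notifications to this install.
         "Linked" means tied to the user's identity; "Tracking" is Apple's narrower
         ad-tracking definition, distinct from recognising a device across sessions. -->
    <dict>
      <key>NSPrivacyCollectedDataType</key>
      <string>NSPrivacyCollectedDataTypeDeviceID</string>
      <key>NSPrivacyCollectedDataTypeLinked</key>
      <false/>
      <key>NSPrivacyCollectedDataTypeTracking</key>
      <false/>
      <key>NSPrivacyCollectedDataTypePurposes</key>
      <array>
        <string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
      </array>
    </dict>
    <!-- Phone model, OS version, carrier and network type (assumed category) -->
    <dict>
      <key>NSPrivacyCollectedDataType</key>
      <string>NSPrivacyCollectedDataTypeOtherDiagnosticData</string>
      <key>NSPrivacyCollectedDataTypeLinked</key>
      <false/>
      <key>NSPrivacyCollectedDataTypeTracking</key>
      <false/>
      <key>NSPrivacyCollectedDataTypePurposes</key>
      <array>
        <string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
      </array>
    </dict>
    <!-- Session length and visit frequency (assumed category) -->
    <dict>
      <key>NSPrivacyCollectedDataType</key>
      <string>NSPrivacyCollectedDataTypeProductInteraction</string>
      <key>NSPrivacyCollectedDataTypeLinked</key>
      <false/>
      <key>NSPrivacyCollectedDataTypeTracking</key>
      <false/>
      <key>NSPrivacyCollectedDataTypePurposes</key>
      <array>
        <string>NSPrivacyCollectedDataTypePurposeAnalytics</string>
      </array>
    </dict>
  </array>
</dict>
</plist>
```

A reviewer checking an app against this kind of declaration compares each entry with the third-party SDK documentation and with the traffic the app actually emits, which is the mismatch the researchers quoted here describe.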
One cybersecurity researcher, who asked to remain anonymous because of fear of retribution from the White House, told NOTUS that failing to disclose which data is collected usually results in apps being removed from Apple’s app store.
“It seems to be sharing quite a lot of data about the users to these third parties,” the researcher said. “The problem is that the privacy manifest says they do not share that information, but in fact they do. … That is a problem for end-user privacy because effectively, they’re misleading users about how their data is shared.”
Apple did not respond to a request for comment. Android’s app marketplace requires similar disclosures to users about what data apps collect and share. Google, which owns Android, did not respond to a request for comment.
A White House spokesperson told NOTUS that “all information on the app is safe and secure,” adding that its reliance on the third-party services it uses is “standard” for applications and that no data from users is saved.
The White House has already pushed out four updates to the Apple version of the app in the week since its release. Two of those updates are for “minor bug fixes,” developers wrote on the App Store’s version history.
“In true Trump White House fashion, their lackluster app appears to pose a cybersecurity threat to its users,” Sen. Dick Durbin, ranking member of the Senate Judiciary Committee, which reviews many tech policy issues, told NOTUS in a statement. “As this Administration continues to cut funds from [the Cybersecurity and Infrastructure Security Agency] and other agencies designed to combat cybersecurity threats, the Trump White House should focus more on protecting the American people and less on apps that may pose a threat to our national security.”
Data collection and third-party sharing are common practices in apps, but cybersecurity experts told NOTUS that any official app produced by the White House should be held to a higher standard because it is a high-profile target for cyberattacks.
“We’ve normalized living in this world where business is just, ‘I’m gonna collect your data, and I’m gonna sell it to third parties’ … But now we’re getting to the point where it’s like, now the federal government’s collecting this data and it’s sending it to third parties,” Adam Enger, a cybersecurity researcher who analyzed the app’s code and its network activity, told NOTUS.
“Advanced state attackers are 10 miles ahead of me already. They’re watching the app for every single update, they’re comparing versions, they’re looking for one slip-up,” Enger said. “If I could find this by myself in an hour on Friday night, then how far along are our adversaries with this?”
Not all cybersecurity experts were as alarmed as Enger or Fields. Andrew Hoog, a cybersecurity expert with NowSecure, said that the way the app is coded and designed doesn’t look too different from most apps available for download. Of all the experts NOTUS spoke with for the article, he was the least concerned that it posed unique security risks to app users, but still suggested that the developers should not use Elfsight because it’s not based in the U.S.
“We see plenty of applications that have significant, egregious issues. This app could have better hygiene, but it doesn’t come close to any of those sorts of things,” Hoog said. “It really feels to me that a company that builds WordPress sites and things of that sort ended up getting this contract. … I still think an app with this kind of scrutiny absolutely would bear a high level of rigor, but I think that’s probably the most likely explanation versus something nefarious.”
The original sources of unease after the app was launched were inactive location-tracking permissions left in the app, which have since been removed in an update.
“The app’s privacy disclosures do not clearly explain the extent of third-party data collection. Users downloading an official government app would reasonably expect their data to stay within the US government systems, not flow to commercial third-party platforms,” Thereallo, a cybersecurity researcher who declined to share their legal name with NOTUS and who analyzed the Android version of the app’s code after its initial launch, said in an X direct message.
Beyond the data sharing, there are concerns about whether the developers working with the White House on the app are equipped to do such work in the first place.
Several experts told NOTUS that the app developer appeared to be inexperienced at coding mobile applications, given the lackluster cybersecurity considerations for a high-profile government app. The app does not use any code obfuscation or certificate pinning, which makes its code and its network traffic easier to reverse engineer and probe for vulnerabilities.
According to internal app files reviewed by Fields and Thereallo, the app’s code states it was developed by 45Press, a website development company based in Ohio. According to public contract information, the company was awarded more than $1.4 million on Feb. 6 to support the White House’s online services.
The company’s X bio says it provides “Expert WordPress development, design, hosting, ecommerce and so much more!” but says nothing about previous app development work.
45Press did not respond to a request for comment.