Security Researcher Finds Significant Vulnerabilities in White House Mobile App
TL;DR
Security researchers who decompiled the official White House mobile app found missing privacy disclosures, third-party data sharing with a Russia-founded widget company, and a lack of basic security hardening — all in an app downloaded over 2 million times. The app was built by a WordPress development firm with no public mobile app experience under a $1.4 million contract, raising questions about federal procurement standards and oversight of executive branch software.
On March 27, 2026, the White House launched its official mobile app, billing it as delivering "unparalleled access to the Trump Administration". Within hours, security researchers had decompiled the app and begun publishing findings that painted a starkly different picture: an app missing basic security measures, sharing user data with third parties undisclosed in its privacy manifest, and relying on a widget toolkit from a Russia-founded company that was reportedly exposing White House staffers' personal information.
The app has since been downloaded more than 2 million times. The gap between its rapid adoption and its security posture raises pointed questions about who built it, who reviewed it, and whether any federal oversight mechanism caught, or even looked for, the problems researchers found within hours.
What Researchers Found
Multiple independent security researchers analyzed both the iOS and Android versions of the app. Their findings, published across several reports, converge on a set of core issues.
False Privacy Manifest. Apple requires apps to declare what data they collect in a privacy manifest, the PrivacyInfo.xcprivacy file bundled with the app. The White House app's manifest declares NSPrivacyCollectedDataTypes: [], an empty list that asserts zero data collection. In practice, the app transmits device fingerprints, IP addresses, timezone, country, device model, OS version, session count, session duration, mobile carrier, network type, and a persistent unique identifier to OneSignal, a commercial push notification service, on every launch.
No Security Hardening. Researchers found no certificate pinning (which makes the app reject TLS connections whose server certificate is not the one it expects, so a proxy whose root certificate has been trusted on the device cannot read the traffic), no code obfuscation (which makes reverse engineering harder), no jailbreak detection, no anti-tampering measures, and no anti-debugging protections. As one researcher noted, "anyone on the same Wi-Fi network can intercept API traffic with a proxy". Reading that traffic still requires the device to trust the proxy's certificate, so the practical exposure is a device where such a certificate has been installed, whether by its owner for analysis or by an attacker who already controls it; without pinning, nothing in the app resists that case.
Third-Party Script Injection via Elfsight. Six separate WebViews in the app load JavaScript from elfsightcdn.com without Subresource Integrity (SRI), the integrity attribute that makes the WebView refuse a script whose hash does not match the one the developer reviewed. Elfsight, founded in Tula, Russia in 2012 and now operating from Andorra, therefore controls what code executes in these WebViews. SRI only applies to a script whose bytes are fixed, so a widget CDN that updates its code on its own schedule leaves the app two options: self-host a reviewed copy, or accept that the CDN operator decides what runs. According to NOTUS, this integration was exposing personal information belonging to White House staffers as of early April 2026.
Dormant but Deployable Location Tracking. The app includes OneSignal's full GPS tracking pipeline, code capable of polling device location every 4.5 minutes in the foreground and 9.5 minutes in the background. A remote parameter controller (OSRemoteParamController) can enable GPS tracking via a server-side flag, so the behaviour can change after release without a new build passing App Store review; the OS-level location permission prompt still gates actual access. Dynamic testing by NowSecure confirmed this feature was not active at the time of analysis.
Supply Chain Risk. The original release loaded YouTube player HTML from a personal GitHub Pages account (lonelycpp.github.io). Had that account been compromised, arbitrary code could have been served to every user who opened that player. This was patched in version 47.0.4.
Network traffic analysis found that 77% of the app's requests go to third-party services rather than whitehouse.gov.
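To make three of the findings above concrete, here is an added example of the static checks a reviewer can run against an unpacked iOS bundle: comparing the privacy manifest with the frameworks actually shipped, listing cross-origin WebView scripts that lack an integrity attribute (and computing the value one would carry), and measuring the share of observed traffic that leaves the publisher's domain. This is example code written for this page, not the researchers' tooling and not anything from 45Press or the app. The manifest, the framework listing, the WebView HTML and the hostnames are all constructed inside the file so it runs offline; the framework names and the telemetry marker list are assumptions, not an inventory of the real app.

```python
"""Static checks for three of the finding classes above: a privacy manifest
that declares nothing while telemetry SDKs are bundled, WebView scripts
loaded cross-origin without SRI, and the third-party share of observed
traffic. Added example; every input below is constructed so it runs offline."""
import base64
import hashlib
import plistlib
import re
from urllib.parse import urlparse

# --- 1. Privacy manifest versus bundled SDKs --------------------------------
# Constructed PrivacyInfo.xcprivacy with the "zero collection" shape the
# article describes: NSPrivacyCollectedDataTypes is an empty array.
MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPrivacyTracking</key><false/>
  <key>NSPrivacyCollectedDataTypes</key><array/>
</dict></plist>"""

# Constructed Frameworks/ listing of an unpacked .ipa (hypothetical names,
# not an inventory of the real app).
FRAMEWORKS = [
    "OneSignalFramework.framework", "OneSignalLocation.framework",
    "hermes.framework", "ExpoModulesCore.framework",
]
# Assumed name fragments of SDKs that always collect something (device IDs,
# session data) and so should never coexist with an empty manifest.
TELEMETRY_SDK_MARKERS = ("onesignal", "firebase", "segment", "amplitude")


def undeclared_sdks(manifest_bytes: bytes, frameworks: list) -> list:
    """Frameworks matching a telemetry marker while the manifest declares no
    collected data types. Empty result: manifest is consistent with bundle."""
    manifest = plistlib.loads(manifest_bytes)
    if manifest.get("NSPrivacyCollectedDataTypes"):
        return []
    return [fw for fw in frameworks
            if any(m in fw.lower() for m in TELEMETRY_SDK_MARKERS)]


# --- 2. Subresource Integrity on cross-origin WebView scripts ----------------
def sri_hash(script_body: bytes) -> str:
    """Value for the integrity attribute: base64(SHA-384) with its prefix."""
    digest = hashlib.sha384(script_body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


# Constructed first-party script and WebView HTML. The first tag reproduces
# the finding: a third-party script with no integrity attribute at all.
FIRST_PARTY_JS = b"window.__app = {build: 'example'};"
WEBVIEW_HTML = f"""<html><body>
<script src="https://elfsightcdn.com/platform.js"></script>
<script src="https://www.whitehouse.gov/static/app.js"
        integrity="{sri_hash(FIRST_PARTY_JS)}" crossorigin="anonymous"></script>
<script src="/local/bundle.js"></script>
</body></html>"""

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def scripts_without_sri(html: str) -> list:
    """src URLs of scripts fetched from another host with no usable integrity
    attribute. Relative and inline scripts are skipped: they ship inside the
    app, and SRI only guards against a remote host serving different bytes."""
    missing = []
    for tag in SCRIPT_TAG.finditer(html):
        attrs = dict(ATTR.findall(tag.group(1)))
        src = attrs.get("src", "")
        if not urlparse(src).netloc:
            continue
        if not attrs.get("integrity", "").startswith(("sha256-", "sha384-", "sha512-")):
            missing.append(src)
    return missing


# --- 3. First-party versus third-party share of observed traffic -----------
# Constructed hostnames, as a proxy capture of one launch might list them.
OBSERVED_HOSTS = [
    "www.whitehouse.gov", "www.whitehouse.gov", "api.whitehouse.gov",
    "api.onesignal.com", "api.onesignal.com", "api.onesignal.com",
    "elfsightcdn.com", "elfsightcdn.com", "www.youtube.com",
    "i.ytimg.com", "fonts.gstatic.com", "cdn.jsdelivr.net",
]


def third_party_share(hosts: list, first_party=("whitehouse.gov",)) -> float:
    """Fraction of requests to hosts outside the publisher's own domain. A host
    is first-party only if it is the domain or a subdomain of it, so a lookalike
    such as 'whitehouse.gov.example' is correctly counted as third-party."""
    def is_first_party(host: str) -> bool:
        return any(host == d or host.endswith("." + d) for d in first_party)
    return sum(not is_first_party(h) for h in hosts) / len(hosts) if hosts else 0.0


if __name__ == "__main__":
    print("Bundled SDKs with nothing declared:", undeclared_sdks(MANIFEST, FRAMEWORKS))
    print("Cross-origin scripts without SRI:", scripts_without_sri(WEBVIEW_HTML))
    print(f"Third-party share of requests: {third_party_share(OBSERVED_HOSTS):.0%}")
```

The SRI check deliberately skips relative sources: those bytes ship inside the signed app bundle, whereas a cross-origin script is fetched fresh on every load. It also shows why SRI is not a drop-in fix for a third-party widget: the integrity value is the hash of one exact script body, so any update on the CDN breaks the load until the app is rebuilt with the new hash, which is why self-hosting a reviewed copy is the usual remediation.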
Who Built It
The app was developed by 45Press, an Ohio-based company that describes itself as providing "Expert WordPress development, design, hosting, ecommerce and so much more". The company was awarded a contract on February 6, 2026, with an action obligation of approximately $1.4 million and a total contract value of $8.4 million for web hosting and development services supporting the White House's online presence. Eleven companies competed for the contract.
45Press has no publicly listed mobile app development experience. The app is built with React Native and uses Expo, a framework that simplifies cross-platform mobile development but also pulls in additional third-party dependencies. As Philip Fields, a former FBI intelligence analyst turned cybersecurity researcher, told NOTUS: "The U.S. government's infrastructure is being attacked from all sides right now, and having an amateur WordPress developer" build this app compounds the risk.
Whether the contract explicitly required compliance with NIST SP 800-163 (Vetting the Security of Mobile Applications, NIST's guidance for federal app vetting) or FISMA mobile security requirements is not publicly known. Federal IT contracts typically incorporate FISMA requirements, but the specific security obligations imposed on 45Press have not been disclosed.
The Disclosure Timeline
The disclosure timeline was unusually compressed:
- February 6, 2026: 45Press awarded the contract.
- March 27, 2026: App launched publicly. Security researcher "Thereallo" published an analysis the same day. Findings were reported to CISA.
- March 30, 2026: Version 47.0.4 released, removing consent-stripping JavaScript injection, downgrading always-on location permission to when-in-use, and redirecting the YouTube player away from the personal GitHub account.
- April 3, 2026: NOTUS publishes a detailed investigation. Multiple experts provide assessments.
The three-day turnaround between initial publication and the first patch suggests the development team was responsive to the most visible issues. However, as of the latest available version, the privacy manifest remained empty, all Elfsight widgets continued loading from Elfsight-controlled infrastructure, all ten OneSignal frameworks remained present, and no certificate pinning or other hardening had been added.
The researchers did not follow the 90-day coordinated disclosure window common in the industry: they published findings immediately, in some cases on the day the app launched, rather than giving the developer a private window to fix them first. This approach is controversial. It provides immediate public accountability, but it also hands potential attackers the vulnerability details at the same moment the developer receives them.
The White House Response
The administration stated that "all information on the app is safe and secure" and that reliance on third-party services is "standard" for applications, with "no user data retained". Regarding the Elfsight integration, a spokesperson said it "went through a full security review by White House IT and was approved for use".
The Steelman Case: Is This Less Alarming Than It Sounds?
Andrew Hoog, a mobile security expert at NowSecure, provided the most measured counterpoint. After conducting dynamic testing (observing what the app actually does at runtime, as opposed to static analysis of what it theoretically could do), Hoog concluded: "The app behaves like most modern mobile applications" and "doesn't present an unusual risk to users".
His key arguments:
- Static vs. dynamic analysis distinction. The presence of location-tracking code in the OneSignal SDK does not mean location tracking is occurring. "Static analysis shows what an app can do. Dynamic testing shows what it actually does".
- OS-level protections. Even if location features were enabled server-side, "the user would still need to explicitly grant permission at the OS level before any location data could be accessed".
- Industry norms. The patterns observed (SDK usage, configurable features, third-party integrations) "are common across modern mobile applications".
- Likely explanation over conspiracy. Hoog suggested that "a company that builds WordPress sites and things of that sort ended up getting this contract," noting that while the app deserves higher rigor given its profile, "this explanation seemed more likely than something nefarious".
This framing matters. Many consumer apps share similar amounts of data with third-party analytics and notification services. The question is whether the White House — which is a high-value target for foreign intelligence services — should be held to the same standard as a restaurant's loyalty app.
Privacy Implications for 2 Million Users
The app collected data from over 2 million users within its first two weeks. The categories of data transmitted to third parties include: IP addresses, timezone, country, device model, OS version, mobile carrier, network type, session counts, session duration, and persistent unique identifiers.
The blank privacy manifest creates a specific legal tension. Apple's App Store guidelines require accurate privacy disclosures. Under the federal Privacy Act of 1974, agencies must publish system of records notices for collections of personally identifiable information. Whether data collected by a third-party SDK on behalf of the Executive Office of the President triggers Privacy Act obligations is an open legal question, but the blank manifest means users cannot make informed consent decisions regardless.
Push notification tokens, which OneSignal manages, are themselves sensitive: a token is stable for a given device and installation, so it can be used to track that device across sessions. Sending a push to a token also requires the app's OneSignal or APNs/FCM sending credentials, so a leaked token on its own enables tracking rather than spoofing; targeted push notification spoofing becomes possible only if those sending credentials leak as well.
Federal Oversight: Who Is Watching?
The federal government's mobile app security oversight landscape is fragmented. CISA is responsible for securing federal civilian networks. The Office of Management and Budget (OMB) sets FISMA policy. GSA's Technology Transformation Services provides some app development guidance. But no single office has a clear mandate to pre-audit executive branch public-facing mobile applications before they reach consumers.
The GAO has repeatedly flagged federal cybersecurity gaps. Since 2010, it has made over 1,600 cybersecurity-related recommendations to federal agencies; as of May 2024, 567 of those remained unimplemented. However, GAO's work has focused primarily on internal systems and critical infrastructure rather than public-facing consumer apps.
The UK provides a contrast. In October 2023, the UK government published a Code of Practice for app store operators and developers, setting minimum security and privacy requirements and establishing vulnerability disclosure standards. No equivalent U.S. federal mandate applies specifically to government-published apps.
Precedents: Federal App and Data Security Failures
The White House app situation exists within a pattern of federal mobile and data security incidents:
- Pentagon travel system breach (2018): A commercial vendor managing DoD travel services exposed personal information and credit card data for up to 30,000 military and civilian personnel.
- Pentagon unauthorized app use (2023): A Bloomberg investigation found Pentagon personnel routinely using unauthorized apps, including dating, gaming, and encrypted messaging apps, on government devices, violating security policies.
- TSA no-fly list exposure (2023): TSA data including portions of the no-fly list was found on an unsecured server belonging to a regional airline contractor.
- Signal group chat leak (2025): Senior administration officials inadvertently included a journalist in a Signal group discussion of military operations, prompting a Pentagon memo warning that Signal itself was being targeted by hackers.
In none of these cases did the responsible agency face formal sanctions. GAO recommendations were issued; IG reports were published; policies were updated. But no federal office has publicly penalized an agency for a mobile app security failure. This absence of enforcement is, arguably, the systemic story beneath the individual findings.
What Remains Unresolved
Several questions remain without clear public answers. No formal CVSS severity scores have been assigned to the findings, partly because the vulnerabilities are architectural weaknesses and design choices rather than discrete software bugs with clean exploit paths. CISA received the disclosure on launch day but has not publicly commented on its assessment or any remediation timeline. The contract's specific security requirements remain undisclosed.
The core tension is straightforward: an app published by the most targeted office in the U.S. government was built without security measures that independent researchers identified as missing within hours of its release. Whether that represents a procurement failure, an oversight gap, or an acceptable risk for a consumer-facing news app depends on where one draws the line between government software and government infrastructure.
As Fields put it: "If this were just some random app...this would not be a story. But it's not. This is the White House".
Sources (13)
- [1] New White House App Delivers Unparalleled Access to the Trump Administration (whitehouse.gov). Official White House press release announcing the app launch on March 27, 2026.
- [2] The White House App Is Riddled With Cybersecurity Vulnerabilities (notus.org). NOTUS investigation detailing cybersecurity experts' findings, including the blank privacy manifest, Elfsight exposure, 45Press contract details, and the White House response.
- [3] Security Analysis of the Official White House iOS App (atomic.computer). Technical security analysis documenting OneSignal data collection, missing certificate pinning, Elfsight script injection, supply chain risks, and network traffic distribution showing 77% third-party requests.
- [4] White House App Hits 2M Downloads (nationaltoday.com). Reporting on the app reaching 2 million downloads across iOS and Android within two weeks of launch.
- [5] The White House App's Propaganda Is The Least Alarming Thing About It (techdirt.com). Analysis of the app's data collection practices, third-party sharing, and privacy policy contradictions.
- [6] An Expert's Perspective on the White House App — Putting Security Findings in Context (nowsecure.com). NowSecure expert Andrew Hoog provides a measured counterpoint distinguishing static analysis capabilities from dynamic runtime behavior and noting OS-level protections.
- [7] A Security Researcher Decompiled The White House App, & What They Found Is Pretty Alarming (androidheadlines.com). Coverage of the decompilation findings and 45Press contract details including the $1.4 million action obligation.
- [8] Cybersecurity: Federal Agencies Made Progress but Need to Fully Implement Requirements (gao.gov). GAO report documenting 1,600+ cybersecurity recommendations to federal agencies with 567 remaining unimplemented as of 2024.
- [9] App Security and Privacy (gov.uk). UK government Code of Practice setting minimum security and privacy requirements for app developers and store operators, published October 2023.
- [10] Pentagon Travel Provider Data Breach Counts 30,000 Victims (bankinfosecurity.com). Pentagon travel vendor breach exposed personal information and credit card data for 30,000 military and civilian personnel in 2018.
- [11] Report: Pentagon Personnel Use Unauthorized, Unsafe Apps on Work Devices (nextgov.com). Investigation finding Pentagon employees using unauthorized mobile applications including dating and gaming apps on government devices.
- [12] TSA investigating how some no-fly list data was exposed on internet (cnn.com). TSA no-fly list data found on an unsecured server belonging to regional airline CommuteAir in January 2023.
- [13] Days after the Signal leak, the Pentagon warned the app was the target of hackers (npr.org). Pentagon memo warning about Signal app vulnerability following the administration group chat incident involving a journalist in 2025.