The federal government has substantial sovereign immunity. That means that the government can’t be sued without its permission. Private companies don’t have that kind of protection. That distinction is worth keeping in mind as you read this.
On March 27, 2026, the White House released an official mobile app. Within hours, two independent security researchers — one posting under the handle Thereallo[1] and one from Atomic Computer Services[2] — had decompiled both the Android APK and the iOS binary and published their findings. They worked independently and reached many of the same conclusions. That kind of overlap tells us that the same decisions went into both packages. And what they found is the kind of thing that can get a private company sued.
The Findings
Let’s look at what the researchers actually found in the code.
The app is a content portal that uses GPS tracking.
The Android APK includes OneSignal’s full location-tracking framework. The polling intervals are hardcoded to 4.5 minutes in the foreground and 9.5 minutes in the background.[3] The iOS binary requests location access even when the app is not in use and includes the same location framework symbols.[4]
Why does that matter? Because the app is a news reader. It serves articles, live streams, photo galleries, and policy pages. There is no map, no local content feature, no geofencing, and no weather. There is no feature in the app that would justify collecting your GPS coordinates every 4.5 minutes.
Now, the tracking is not unconditionally active. Three conditions must be met: a software flag must be set to true, the user must grant location permission at the OS level, and the device must have a location provider.[5] Whether the JavaScript layer currently sets that flag could not be determined from the compiled code alone, but the research shows that the entire infrastructure is present, operational, and one function call away from running.
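The two facts above (a background-location permission in the manifest and a hardcoded polling interval in a constants class) are exactly what a reviewer can pull out of a JADX export of their own APK. The script below is an added example, not code from the post or from either researcher: it parses the manifest for location permissions and scans the decompiled sources for `*_MS` interval constants, converting them to minutes. The sample tree it builds is constructed; the constant names echo the ones quoted in the post's footnote 3, but the directory layout and the `com.example` package are assumptions.

```python
"""Added example: locate background-location infrastructure in a JADX-style
Android source export. Not from the original post or the researchers' write-ups."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

LOCATION_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}

# Matches Java constants such as `static final long FOO_UPDATE_TIME_MS = 270000;`
INTERVAL_RE = re.compile(r"\b([A-Z_]*(?:UPDATE|INTERVAL)[A-Z_]*_MS)\s*=\s*(\d+)\s*L?\s*;")


def declared_location_permissions(manifest_path):
    """Return the location permissions the manifest declares, sorted."""
    root = ET.parse(manifest_path).getroot()
    found = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name in LOCATION_PERMISSIONS:
            found.add(name)
    return sorted(found)


def hardcoded_intervals(source_root):
    """Walk decompiled .java files; collect (relative path, constant name, minutes)."""
    results = []
    for dirpath, _, files in os.walk(source_root):
        for fn in files:
            if not fn.endswith(".java"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for name, ms in INTERVAL_RE.findall(fh.read()):
                    results.append((os.path.relpath(path, source_root), name, int(ms) / 60000))
    return sorted(results)


def review(source_root):
    """Summarise what the build can do: which permissions, which polling intervals."""
    perms = declared_location_permissions(os.path.join(source_root, "AndroidManifest.xml"))
    return {
        "permissions": perms,
        "intervals": hardcoded_intervals(source_root),
        "background_capable": "android.permission.ACCESS_BACKGROUND_LOCATION" in perms,
    }


# Constructed sample files standing in for a real JADX export.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
</manifest>
"""

SAMPLE_JAVA = """package com.example.sdk.location;
public final class LocationConstants {
    public static final long FOREGROUND_UPDATE_TIME_MS = 270000;
    public static final long BACKGROUND_UPDATE_TIME_MS = 570000;
}
"""


def build_sample_tree():
    """Write the constructed sample into a throwaway directory and return its root."""
    root = tempfile.mkdtemp(prefix="apk-review-")
    with open(os.path.join(root, "AndroidManifest.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_MANIFEST)
    src_dir = os.path.join(root, "sources", "com", "example", "sdk", "location")
    os.makedirs(src_dir)
    with open(os.path.join(src_dir, "LocationConstants.java"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_JAVA)
    return root


if __name__ == "__main__":
    report = review(build_sample_tree())
    print("Location permissions:", report["permissions"])
    for path, name, minutes in report["intervals"]:
        print(f"{path}: {name} = {minutes:g} minutes")
    print("Background tracking possible:", report["background_capable"])
```

Point `review()` at the directory JADX produced for your own APK; a permission that your privacy policy does not explain, or an interval constant with no corresponding feature, is the gap the rest of this post is about.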
The app told Apple it collects nothing. The code says otherwise.
Apple requires apps using third-party SDKs to file a privacy manifest[6] — a formal disclosure of what data the app collects — for use in the App Store’s privacy nutrition labels. The White House app’s manifest declares an empty data collection array and sets the tracking flag to false.[7]
The compiled app actually vacuums up GPS coordinates, device identifiers, behavioral analytics, session data, notification engagement records, and user identity data.[8] Apple’s App Store Review Guidelines require that the manifest accurately reflect how the app collects data.[9] This one clearly does not meet that standard.
Their stated privacy policy doesn’t help matters, either. Apple links the App Store app to the White House’s “Privacy Policy” page at https://www.whitehouse.gov/privacy/. But that page was obviously written for the White House’s website, not this app. There is no discussion there of what the app does. The App Store assures you that, while it collects your contact information for marketing purposes, it doesn’t link that information to … you.
Injected JavaScript takes away your ability to choose.
Every page loaded in the app’s in-app browser receives an injected JavaScript snippet before rendering. That snippet hides cookie consent banners, GDPR notices, OneTrust popups, privacy banners, login walls, signup walls, and paywall elements.[10] It also sets up an observer that runs continuously, watching for any consent elements added dynamically after load and suppressing them.[11]
The researchers found this script in the Hermes bytecode string table and confirmed it on the native side. This is not an accident or a side effect — it is a deliberate targeting of consent infrastructure.
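The researchers found this by reading string literals out of the bundle, and the same review works on your own build. The following is an added example, not the post's or the researchers' code: it runs over a dump of bundle strings and flags any literal that combines the three traits described above (it names consent or paywall UI, it hides or removes DOM nodes, and it installs an observer so the suppression persists). The sample strings are constructed; in practice you would feed it the Hermes string table or the plain JavaScript bundle.

```python
"""Added example: heuristic scan of bundle string literals for consent-suppression
injectors. Not code from the original post or the researchers' reports."""
import re

# Trait 1: the string targets consent, privacy, or access-gating UI by name.
CONSENT_TERMS = re.compile(r"(onetrust|cookie|consent|gdpr|paywall|privacy-banner|signup|login)", re.I)
# Trait 2: the string hides or removes DOM nodes.
HIDE_TERMS = re.compile(r"""(display\s*[:=]\s*['"]?none|visibility\s*:\s*hidden|\.remove\(\)|removeChild)""", re.I)
# Trait 3: the string keeps acting after initial load.
OBSERVER_TERMS = re.compile(r"(MutationObserver|setInterval)", re.I)


def score_string(s):
    """Return the set of trait labels present in a single string literal."""
    hits = set()
    if CONSENT_TERMS.search(s):
        hits.add("targets_consent_ui")
    if HIDE_TERMS.search(s):
        hits.add("hides_or_removes_nodes")
    if OBSERVER_TERMS.search(s):
        hits.add("persists_after_load")
    return hits


def find_injectors(strings, min_traits=2):
    """Return (index, sorted traits) for every string showing at least min_traits traits.

    A single trait is common and benign (a CSS rule hiding a spinner, a login
    button label); two or more in one literal is what warrants a human look.
    """
    findings = []
    for i, s in enumerate(strings):
        hits = score_string(s)
        if len(hits) >= min_traits:
            findings.append((i, sorted(hits)))
    return findings


# Constructed sample standing in for a bundle string-table dump.
SAMPLE_STRINGS = [
    "Loading article...",
    "https://example.invalid/api/v1/feed",
    ".spinner{display:none}",  # benign: hides a spinner, says nothing about consent
    # Constructed stand-in for the kind of snippet the post describes: names consent
    # selectors, hides them, and watches for elements added later.
    "for(const s of ['#onetrust-banner-sdk','.cookie-consent','.paywall'])"
    "document.querySelectorAll(s).forEach(e=>e.style.display='none');"
    "new MutationObserver(hide).observe(document.body,{childList:true,subtree:true})",
    "Privacy Policy",
]

if __name__ == "__main__":
    for index, traits in find_injectors(SAMPLE_STRINGS):
        print(f"string #{index}: {', '.join(traits)}")
```

The threshold matters: requiring two traits keeps ordinary stylesheet and label strings out of the report, while a literal that both names consent UI and hides it is worth reading in full regardless of whether an observer is attached.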
Think about what that means from a legal standpoint. The app is systematically stripping the consent mechanisms from third-party websites on behalf of its users, without those websites’ knowledge or agreement. U.S. law has relatively little to say about this directly. European law has quite a bit more to say, as we’ll get to below.
Third-party code runs within the app without verification.
Six social media widgets from Elfsight, a company with Russian Federation origins, load JavaScript at runtime from Elfsight’s CDN. The loaded script runs in two stages: first it pulls a server response, then it dynamically injects additional scripts. Because the scripts are fetched directly from Elfsight’s CDN servers, whoever controls those servers can change which code executes in the app at any time, without an app update or an App Store review.[12]
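The footnote for this finding records the absence of Subresource Integrity hashes, and that is the control a reviewer would ask for first. The block below is an added example, not code from the post, from Elfsight, or from the app: `sri_hash` produces the value that belongs in a `<script integrity="...">` attribute, `verify_sri` performs the comparison a browser does before executing fetched bytes, and `scripts_without_integrity` lists external script tags in a page or WebView template that carry no such attribute. The script bytes and the HTML are constructed, and `cdn.example.invalid` is a placeholder host.

```python
"""Added example: Subresource Integrity (SRI) generation, verification, and a scan
for external scripts that lack it. Not code from the original post or its subjects."""
import base64
import hashlib
from html.parser import HTMLParser

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI token such as 'sha384-<base64 digest>' for the given bytes."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI permits only sha256, sha384 and sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """True if any token in a (space-separated) integrity attribute matches the content.

    Tokens with unsupported algorithms are skipped rather than failing the check,
    which is how browsers treat them.
    """
    for token in integrity.split():
        algorithm = token.partition("-")[0]
        if algorithm in SRI_ALGORITHMS and sri_hash(content, algorithm) == token:
            return True
    return False


class _ScriptTagCollector(HTMLParser):
    """Collects src values of external <script> tags that have no integrity attribute."""

    def __init__(self):
        super().__init__()
        self.missing = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        # Only scripts fetched from another origin are in scope; inline and
        # same-origin relative scripts are governed by your own deployment.
        if src and src.startswith(("http://", "https://", "//")) and not a.get("integrity"):
            self.missing.append(src)


def scripts_without_integrity(html: str):
    """Return the external script URLs in html that are loaded without SRI."""
    parser = _ScriptTagCollector()
    parser.feed(html)
    return parser.missing


# Constructed sample script and page template.
SAMPLE_SCRIPT = b"window.widget = function () { /* constructed sample */ };"

SAMPLE_HTML = f"""
<script src="https://cdn.example.invalid/platform.js"></script>
<script src="https://cdn.example.invalid/pinned.js" integrity="{sri_hash(SAMPLE_SCRIPT)}" crossorigin="anonymous"></script>
<script src="/static/local.js"></script>
<script>console.log('inline')</script>
"""

if __name__ == "__main__":
    print("integrity attribute for the sample script:", sri_hash(SAMPLE_SCRIPT))
    print("verifies:", verify_sri(SAMPLE_SCRIPT, sri_hash(SAMPLE_SCRIPT)))
    print("external scripts without SRI:", scripts_without_integrity(SAMPLE_HTML))
```

SRI only pins the first stage. A loader that fetches a server response and then injects further scripts, as described above, puts that second stage outside the integrity check, so the complementary controls are a Content-Security-Policy `script-src` allowlist that limits where any stage may come from, or vendoring the widget code into the build so that it changes only when you ship an update.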
The app ships code from a company on the U.S. Entity List.
The Exodus Privacy static analysis of the Android APK identifies Huawei Mobile Services (HMS) Core as present in the build.[13] HMS Core is developed by and is a product of Huawei Technologies Co., Ltd.[14] That entity is listed on the Commerce Department’s Entity List[15] — the formal U.S. government register of companies subject to export restrictions on national security and foreign policy grounds.[16] The original designation, made in May 2019, carries a presumption of denial on export license applications and has been amended nine times since.[17]
The national security concerns underlying that designation were not new in 2019. In February 2018 (during the first Trump administration), the heads of six U.S. intelligence agencies — including the CIA, FBI, NSA, and the Director of National Intelligence — testified before the Senate Intelligence Committee that they would not recommend Americans use Huawei products or services. Former FBI Director Christopher Wray stated they were “deeply concerned about the risks of allowing any company or entity that is beholden to foreign governments that don’t share our values to gain positions of power inside our telecommunications networks.”[18] The Entity List designation followed fifteen months later.
HMS Core is almost a technical prerequisite for distribution on Huawei’s AppGallery — the platform Huawei built specifically because the Entity List designation cut it off from the Google ecosystem, so all of its phones use it.[19] A search of AppGallery confirms the White House app is not currently listed there.[20] The HMS integration is present in the build regardless. Whether that reflects a developer oversight, a compatibility decision, or an intent to distribute the app through Huawei’s platform as a propaganda vehicle at some point is not something the code can answer. What the code establishes is that the Executive Office of the President released an official government application containing an SDK from a company that the U.S. government has formally designated a national security concern.
The Legal Exposure for Private Companies
A private-sector company that shipped an application with these characteristics could face meaningful regulatory and litigation risk on several fronts.
Disclosure mismatches are the core problem. A privacy policy that describes a website but governs a mobile application collecting GPS coordinates, biometric hardware access, device identifiers, and behavioral analytics is not a compliant disclosure. The FTC has pursued enforcement actions under Section 5 of the FTC Act against companies whose privacy representations materially misrepresented their actual data collection practices.[21] A privacy manifest that says “there’s nothing at all to see here, move along,” while the app ships with several analytics packages and allows the programmer to change the user’s privacy settings without their active participation is not a gray area.
This is not anything new. I covered the mechanics of privacy policy gaps in an earlier post on Privacy Statements vs. Reality.[22] The White House app is a vivid example of the problem in the wild.
Location data carries heightened obligations. Several states treat precise geolocation data as sensitive personal information subject to additional requirements. Under the CPRA, sensitive personal information — including precise geolocation — is subject to opt-out rights and restrictions on use.[23] Washington’s My Health My Data Act covers geolocation data that could be used to infer health-related information, including visits to certain locations.[24] The Texas Data Privacy and Security Act classifies precise geolocation data as “sensitive data.”[25] Collecting precise GPS coordinates continuously in the background, without a disclosed purpose tied to any app functionality, is the kind of collection that draws regulatory attention.
Consent bypass as a distinct theory of liability. The injected JavaScript suppresses cookie consent dialogs and GDPR notices on third-party websites. From a U.S. perspective, cookie consent banners are largely a website operator’s internal governance mechanism rather than a legal right afforded to app users. The EU framing is different: consent banners under the ePrivacy Directive are the mechanism through which websites obtain legally required consent for tracking.[26] An application that systematically destroys that mechanism on behalf of its users — and does so programmatically, across all external sites, without the user’s express consent and the website operator’s knowledge or agreement — is doing something that European regulators would find interesting. For a private company with European operations or European users, this is not a theoretical problem.
Supply chain liability. When a third-party SDK collects data within your application, that data collection is treated as your data for most privacy laws. You are responsible for disclosing it, governing it, and ensuring that your agreements with the SDK vendor comply with applicable data processing requirements.[27] An app that loads live, modifiable JavaScript from a foreign CDN with no integrity verification is an app whose data collection practices are partially defined by whoever controls that CDN at any given moment. For a private company, the fact that you didn’t write the code that collected the data is not a defense.
Nothing is Hidden
Here is something worth sitting with: neither researcher needed special access to find any of this.
They downloaded a free app from the App Store and Google Play. What followed was decompilation and static analysis using freely available tools — JADX to reconstruct the source from Android bytecode, and standard macOS utilities to inspect the iOS binary. No privileged access, no traffic interception, no authentication bypass; nothing was used or done that isn’t standard practice in security research. The Hermes bytecode, the AndroidManifest, the Expo config, and the compiled SDK list — all of it was easily accessible to researchers who knew what they were doing and had the tools to do so.
Your app is equally readable.
If you have not recently conducted a privacy-focused review of your mobile applications, the questions to ask are pretty straightforward. What SDKs are compiled into your builds, and do your privacy disclosures account for all of them? What permissions are declared in your manifests and your App Store privacy manifests — and do those match what the app actually requests at runtime? Were your privacy policies written for a website and never updated when you shipped an app? Do they reflect what your app does today, not what you thought it would do at launch?
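The first two questions above, and the privacy-manifest mismatch described earlier under “The app told Apple it collects nothing,” come down to one comparison: what the build contains versus what the disclosure declares. The block below is an added example and not code from the post, the researchers, or Apple. It parses a `PrivacyInfo.xcprivacy` manifest with the standard library and checks it against a list of evidence found in the binary (framework names and `Info.plist` permission keys). The evidence list, the `AnalyticsSDK.framework` name, and the mapping from evidence to declared data-type identifiers are this example's assumptions; the identifiers follow Apple's documented `NSPrivacyCollectedDataType` naming and should be checked against Apple's current list before you rely on them.

```python
"""Added example: compare an iOS privacy manifest against evidence from the build.
Not code from the original post, the researchers, or Apple."""
import plistlib

# Evidence observed in a build -> data types the manifest ought to declare.
# This mapping is an assumption of the example; "AnalyticsSDK.framework" is hypothetical.
EVIDENCE_IMPLIES = {
    "OneSignalLocation.framework": {"NSPrivacyCollectedDataTypePreciseLocation"},
    "NSLocationAlwaysAndWhenInUseUsageDescription": {"NSPrivacyCollectedDataTypePreciseLocation"},
    "AnalyticsSDK.framework": {
        "NSPrivacyCollectedDataTypeDeviceID",
        "NSPrivacyCollectedDataTypeProductInteraction",
    },
}


def declared_data_types(manifest_bytes):
    """Parse PrivacyInfo.xcprivacy; return (declared data types, tracking flag)."""
    manifest = plistlib.loads(manifest_bytes)
    entries = manifest.get("NSPrivacyCollectedDataTypes", [])
    declared = {entry["NSPrivacyCollectedDataType"] for entry in entries}
    return declared, bool(manifest.get("NSPrivacyTracking", False))


def implied_data_types(evidence):
    """Union of the data types implied by everything found in the build."""
    implied = set()
    for item in evidence:
        implied |= EVIDENCE_IMPLIES.get(item, set())
    return implied


def disclosure_gap(manifest_bytes, evidence):
    """Report what the build implies that the manifest does not declare."""
    declared, tracking = declared_data_types(manifest_bytes)
    implied = implied_data_types(evidence)
    return {
        "declared": sorted(declared),
        "undeclared": sorted(implied - declared),
        "tracking_flag": tracking,
    }


# Constructed manifest with the shape the post describes: empty array, tracking false.
EMPTY_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSPrivacyTracking</key><false/>
  <key>NSPrivacyCollectedDataTypes</key><array/>
</dict>
</plist>
"""

# Constructed manifest that discloses the location collection (still missing analytics).
CORRECTED_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSPrivacyTracking</key><false/>
  <key>NSPrivacyCollectedDataTypes</key>
  <array>
    <dict>
      <key>NSPrivacyCollectedDataType</key><string>NSPrivacyCollectedDataTypePreciseLocation</string>
      <key>NSPrivacyCollectedDataTypeLinked</key><true/>
      <key>NSPrivacyCollectedDataTypeTracking</key><false/>
      <key>NSPrivacyCollectedDataTypePurposes</key>
      <array><string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string></array>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed evidence list: what a symbol dump and Info.plist review might surface.
BUILD_EVIDENCE = [
    "OneSignalLocation.framework",
    "NSLocationAlwaysAndWhenInUseUsageDescription",
    "AnalyticsSDK.framework",
    "UIKit.framework",  # no privacy implication; ignored by the mapping
]

if __name__ == "__main__":
    for label, manifest in (("empty manifest", EMPTY_MANIFEST), ("corrected manifest", CORRECTED_MANIFEST)):
        gap = disclosure_gap(manifest, BUILD_EVIDENCE)
        print(f"{label}: declared={gap['declared']} undeclared={gap['undeclared']} tracking={gap['tracking_flag']}")
```

The evidence list is the part that takes work: the framework names come from the binary's linked frameworks and symbol table, the permission keys from `Info.plist`, and on Android the equivalent inputs are the manifest's `uses-permission` entries and the SDK package names in the decompiled sources. Once that inventory exists, keeping the mapping current is a routine release-checklist item rather than a forensic exercise.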
The White House app was built by a company incorporated nine days before launch.[28] That timeline shows in the code. These are the kinds of things almost any half-decent QA process would catch almost immediately. But the compliance failures described above — the mismatched disclosures, the undisclosed third-party data flows, the collection without purpose limitation — are not unique to rushed government contractors. They show up regularly across the commercial app ecosystem, sometimes in companies with real compliance programs and real lawyers, because developers were so preoccupied with whether or not they could that they didn’t stop to think if they should.[29]
The sovereign immunity that shields the federal government from the legal consequences of poor choices is not available to your company. A review of your mobile app’s data collection practices and the disclosures that are supposed to govern them is worth doing before someone else does it for you.
Footnotes
1. Thereallo, I Decompiled the White House’s New App, Thereallo (Mar. 28, 2026), http://thereallo.dev/blog/decompiling-the-white-house-app.
2. Atomic Computer Services, Security Analysis of the Official White House iOS App, atomic.computer (Mar. 27, 2026), https://www.atomic.computer/blog/white-house-app-security-analysis/.
3. Thereallo, supra note 1 (citing `LocationConstants.java`: `FOREGROUND_UPDATE_TIME_MS = 270000; BACKGROUND_UPDATE_TIME_MS = 570000`).
4. Atomic Computer Services, supra note 2 (citing `NSLocationAlwaysAndWhenInUseUsageDescription` in `Info.plist` and symbol analysis of `OneSignalLocation.framework`).
5. Thereallo, supra note 1 (identifying three activation gates: 1. the `_isShared` flag, 2. Android runtime location permission, and 3. presence of a location provider).
6. Apple Inc., Reference, Third-Party SDK Requirements, Developer Support, https://developer.apple.com/support/third-party-SDK-requirements/ (last visited Mar. 30, 2026).
7. Atomic Computer Services, supra note 2 (Finding 3).
8. Id. (comparing `NSPrivacyCollectedDataTypes: []` in `PrivacyInfo.xcprivacy` against binary and framework analysis showing GPS coordinates, device identifiers, behavioral analytics, session data, notification engagement, and user identity data).
9. Apple Inc., Reference, App Review Guidelines, Apple Developer, https://developer.apple.com/app-store/review/guidelines/#data-collection-and-storage (last visited Mar. 30, 2026).
10. Thereallo, supra note 1 (Consent/Paywall Bypass Injector); Atomic Computer Services, supra note 2 (Finding 5).
11. Thereallo, supra note 1 (reproducing injected JavaScript from Hermes bytecode string table and confirming via `RNCWebViewManagerImpl.java` and `RNCWebView.java`).
12. Atomic Computer Services, supra note 2 (citing Tracxn company profile for Elfsight as starting in Tula, Russia, but subsequently redomiciling to Andorra, and analyzing the `platform.js` two-stage loader and absence of Subresource Integrity hashes).
13. εxodus, Report for Gov.Whitehouse.App 47.0.4, https://reports.exodus-privacy.eu.org/en/reports/722861/ (last visited Mar. 30, 2026).
14. Huawei Mobile Services, Wikipedia, https://en.wikipedia.org/w/index.php?title=Huawei_Mobile_Services&oldid=1343856094 (last visited Mar. 30, 2026).
15. Pt. 744, Supp. No. 4.
16. Changji Esquel Textile Co. Ltd. v. Raimondo, 40 F. 4th 716, 720 (D.C. Cir. 2022).
17. Original designation: 84 Fed. Reg. 22,963 (May 21, 2019). Subsequent amendments: 84 Fed. Reg. 43,495; 85 Fed. Reg. 29,853; 85 Fed. Reg. 36,720; 85 Fed. Reg. 51,603; 86 Fed. Reg. 71,559; 87 Fed. Reg. 6,026; 87 Fed. Reg. 8,182; 87 Fed. Reg. 21,012; 87 Fed. Reg. 55,250.
18. Sara Salinas, News, Six Top US Intelligence Chiefs Caution against Buying Huawei Phones, CNBC, https://www.cnbc.com/2018/02/13/chinas-hauwei-top-us-intelligence-chiefs-caution-americans-away.html (last visited Mar. 30, 2026).
19. Huawei AppGallery, Wikipedia, https://en.wikipedia.org/w/index.php?title=Huawei_AppGallery&oldid=1342254869 (last visited Mar. 30, 2026) (noting AppGallery was built as a direct consequence of the Entity List designation cutting Huawei off from Google Mobile Services and the Google Play Store).
20. AppGallery Search Results for “The White House”, appgallery.huawei.com (visited Mar. 30, 2026), archived at https://web.archive.org/web/20260330170305/https://appgallery.huawei.com/search/The%20White%20House.
21. 15 U.S.C. § 45(a). See, e.g., In re Facebook, Inc., FTC File No. 182-3109 (2019) (alleging misrepresentation of data collection practices and violation of prior consent order, resulting in $5 billion penalty).
22. Mickey Chandler, Privacy Statements vs. Reality: Mind the Gap, Spamtacular (Feb. 14, 2025), https://www.spamtacular.com/2025/02/14/privacy-statements-vs-reality-mind-the-gap/.
23. Cal. Civ. Code § 1798.121(a); 11 Cal. Code Regs. § 7027(m)(1).
24. Wash. Rev. Code § 19.372.
25. Tex. Bus. & Com. Code § 541.001(29).
26. Directive 2009/136/EC (ePrivacy), Sec. 66.
27. Cal. Civ. Code § 1798.140(ag)(2); Regulation (EU) 2016/679 (GDPR), art. 28.
28. Dev Forty Five LLC, Utah Division of Corporations and Commercial Code Business Registration, Entity No. 14674165-0160, filed Mar. 18, 2026 (last updated 3/18/2026 5:58:20 PM) (listing “Ty Nielson” at an address identified in online databases as a single-family residence as registered agent); see also Bernadette B. Tixon, Trump’s White House App Earns a Community Note Days After Launch Over GPS Tracking Claims, International Business Times UK, https://www.ibtimes.co.uk/white-house-app-privacy-concerns-1789060 (last visited Mar. 30, 2026).
29. Jurassic Park (dir. Steven Spielberg, 1993) at 36:08 (Dr. Ian Malcolm: “Yeah. Yeah. But your scientists were so preoccupied with whether or not they could they didn’t stop to think if they should.”).
Disclaimer: This post is for informational and educational purposes only and does not constitute legal advice. Nothing here creates an attorney-client relationship. For guidance specific to your organization, contact a qualified privacy attorney.