{"id":201966,"date":"2026-04-03T14:16:00","date_gmt":"2026-04-03T18:16:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/03\/the-white-house-app-is-riddled-with-cybersecurity-vulnerabilities\/"},"modified":"2026-04-03T14:20:18","modified_gmt":"2026-04-03T18:20:18","slug":"the-white-house-app-is-riddled-with-cybersecurity-vulnerabilities","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/03\/the-white-house-app-is-riddled-with-cybersecurity-vulnerabilities\/","title":{"rendered":"The White House App Is Riddled With Cybersecurity Vulnerabilities"},"content":{"rendered":"<p><a href=\"https:\/\/www.notus.org\/technology\/trump-white-house-app-cybersecurity\">The White House App Is Riddled With Cybersecurity Vulnerabilities<\/a><\/p>\n<p><a href=\"https:\/\/www.notus.org\/technology\/trump-white-house-app-cybersecurity\">https:\/\/www.notus.org\/technology\/trump-white-house-app-cybersecurity<\/a><\/p>\n<p>Publish Date: 2026-04-03 14:16:00<\/p>\n<p>Source Domain: <a href=\"www.notus.org\">www.notus.org<\/a><\/p>\n<p>Cybersecurity researchers warn that the White House\u2019s new app regularly shares users\u2019 IP addresses, time zones and other data with third-party services. But most of its users wouldn\u2019t know that, because the app doesn\u2019t disclose its data sharing the way most others do.<\/p>\n<p>The cybersecurity experts\u2019 reviews of the app code turned up a host of issues that they say make data \u2014 for both users and some White House staffers \u2014 vulnerable. Several told NOTUS they were shocked by the slipshod approach to cybersecurity by the federal government, especially while the U.S. is engaged in war.<\/p>\n<p>\u201cThe U.S. 
government\u2019s infrastructure is being attacked from all sides right now, and having an amateur WordPress developer running the White House\u2019s public presence puts everybody who visits it at risk,\u201d Philip Fields, a cybersecurity researcher and former FBI intelligence analyst, told NOTUS. \u201cIf this were just some random app out on the App Store representing whatever small business \u2026 this would not be a story.\u201d<\/p>\n<p>\u201cBut it\u2019s not,\u201d Fields said. \u201cThis is the White House.\u201d<\/p>\n<p>The app ranks as the third-most downloaded news app in the Apple App Store as of Friday. The White House released the app last week, and Trump on Monday promoted it as a source for \u201cfront-row access to all news from your favorite president.\u201d He encouraged all of his fans to download it.<\/p>\n<p>A White House press release announcing the app\u2019s launch said that it \u201cdelivers unparalleled access to the Trump administration.\u201d<\/p>\n<p>A researcher shared screenshots with NOTUS showing that Elfsight \u2014 a third-party, Russia-founded software kit company that provides premade widgets for the app \u2014 makes public the personal information of some White House staffers through the app, as of Thursday. NOTUS is not publishing further details to protect the staffers\u2019 privacy, but it was visible because of the app\u2019s incorporation of Elfsight.<\/p>\n<p>Federal apps and websites traditionally rely on certified cloud services that meet security requirements that were designed by federal agencies and certified by Congress.<\/p>\n<p>\u201cThis is why things like FedRAMP and GovCloud exist,\u201d Fields said. 
\u201cThey\u2019ve already been scrutinized and determined to mitigate a lot of this type of risk.\u201d<\/p>\n<p>A representative for Elfsight did not respond to a request for comment \u2014 but the company\u2019s email automatically sent an \u201cAI-generated reply\u201d in response to NOTUS\u2019 questions about its security.<\/p>\n<p>\u201cThe app owner is responsible for deciding whether and how to allow any third\u2011party code into their application, including the use of WebViews, content security controls, and any additional hardening they deem appropriate for a governmental context,\u201d Elfsight\u2019s bot wrote. \u201cCustomers should treat us as part of their broader supply chain and apply a security posture that matches their risk profile.\u201d<\/p>\n<p>Most of the data concerns are much more sweeping and affect all users.<\/p>\n<p>Because the app uses outside software for some of its functions, it collects and sends data to third parties. For example, the White House uses a vendor, OneSignal, to send push notifications. It\u2019s a common third-party vendor for an app to use, but it requires a unique digital fingerprint that can track users across sessions. 
It also needs the user\u2019s mobile carrier, phone model, network type and operating system version, as well as how long a user has been on the app and how frequently they visit it.<\/p>\n<p>Jason Seeba, OneSignal\u2019s chief marketing officer, described its data collection to NOTUS via text as being \u201cstandard across push notification platforms,\u201d and said that it is fully disclosed on the company\u2019s website and in a privacy disclosure included with the software.<\/p>\n<p>Seeba did not comment on the White House\u2019s app specifically, but said the data picked up by OneSignal is \u201cfunctional: knowing the OS version determines how to format a notification, session data and the random identifier measure delivery, and so on.\u201d<\/p>\n<p>Seeba said it\u2019s the developers\u2019 duty to disclose the data collection that OneSignal requires.<\/p>\n<p>\u201cApple requires app developers to declare all data collection in their app-level privacy manifest, including data collected by third-party SDKs,\u201d or software development kits, Seeba said in a text. \u201cOur documentation explicitly tells developers this is their responsibility, and we provide the details they need to make those disclosures accurately.\u201d<\/p>\n<p>But several cybersecurity experts said that the data collection done by the White House is not properly disclosed in app stores. 
Many app marketplaces, like Apple\u2019s App Store, ask developers to disclose what data is collected from users. Apple\u2019s store is generally considered to have stricter privacy policies for mobile applications than other app marketplaces, which it enforces through its \u201cprivacy manifest.\u201d<\/p>\n<p>The White House, as of its latest version released on Friday, left that privacy manifest completely blank, suggesting it collects no data from users.<\/p>\n<p>One cybersecurity researcher, who asked to remain anonymous because of fear of retribution from the White House, told NOTUS that failing to disclose which data is collected usually results in apps being removed from Apple\u2019s App Store.<\/p>\n<p>\u201cIt seems to be sharing quite a lot of data about the users to these third parties,\u201d the researcher said. \u201cThe problem is that the privacy manifest says they do not share that information, but in fact they do. \u2026 That is a problem for end-user privacy because effectively, they\u2019re misleading users about how their data is shared.\u201d<\/p>\n<p>Apple did not respond to a request for comment. Android\u2019s app marketplace requires similar disclosures to users about what data apps collect and share. Google, which owns Android, did not respond to a request for comment.<\/p>\n<p>A White House spokesperson told NOTUS that \u201call information on the app is safe and secure,\u201d adding that its reliance on the third-party services it uses is \u201cstandard\u201d for applications and that no data from users is saved.<\/p>\n<p>The White House has already pushed out four updates to the Apple version of the app in the week since its release. Two of those updates were for \u201cminor bug fixes,\u201d developers wrote in the App Store\u2019s version history.<\/p>\n<p>\u201cIn true Trump White House fashion, their lackluster app appears to pose a cybersecurity threat to its users,\u201d Sen. 
Dick Durbin, ranking member of the Senate Judiciary Committee, which reviews many tech policy issues, told NOTUS in a statement. \u201cAs this Administration continues to cut funds from [the Cybersecurity and Infrastructure Security Agency] and other agencies designed to combat cybersecurity threats, the Trump White House should focus more on protecting the American people and less on apps that may pose a threat to our national security.\u201d<\/p>\n<p>Data collection and third-party sharing are common practices in apps, but cybersecurity experts told NOTUS that any official app produced by the White House should be held to a higher standard because it is a high-profile target for cyberattacks.<\/p>\n<p>\u201cWe\u2019ve normalized living in this world where business is just, \u2018I\u2019m gonna collect your data, and I\u2019m gonna sell it to third parties\u2019 \u2026 But now we\u2019re getting to the point where it\u2019s like, now the federal government\u2019s collecting this data and it\u2019s sending it to third parties,\u201d Adam Enger, a cybersecurity researcher who analyzed the app\u2019s code and its network activity, told NOTUS.<\/p>\n<p>\u201cAdvanced state attackers are 10 miles ahead of me already. They\u2019re watching the app for every single update, they\u2019re comparing versions, they\u2019re looking for one slip-up,\u201d Enger said. \u201cIf I could find this by myself in an hour on Friday night, then how far along are our adversaries with this?\u201d<\/p>\n<p>Not all cybersecurity experts were as alarmed as Enger or Fields. Andrew Hoog, a cybersecurity expert with NowSecure, said that the way the app is coded and designed doesn\u2019t look too different from most apps available for download. 
Of all the experts NOTUS spoke with for the article, he was the least concerned that it posed unique security risks to app users, but still suggested that the developers should not use Elfsight because it\u2019s not based in the U.S.<\/p>\n<p>\u201cWe see plenty of applications that have significant, egregious issues. This app could have better hygiene, but it doesn\u2019t come close to any of those sorts of things,\u201d Hoog said. \u201cIt really feels to me that a company that builds WordPress sites and things of that sort ended up getting this contract. \u2026 I still think an app with this kind of scrutiny absolutely would bear a high level of rigor, but I think that\u2019s probably the most likely explanation versus something nefarious.\u201d<\/p>\n<p>The original sources of unease after the app was launched were inactive location-tracking permissions left in the app, which have since been removed in an update.<\/p>\n<p>\u201cThe app\u2019s privacy disclosures do not clearly explain the extent of third-party data collection. Users downloading an official government app would reasonably expect their data to stay within the US government systems, not flow to commercial third-party platforms,\u201d Thereallo, a cybersecurity researcher who declined to share their legal name with NOTUS and who analyzed the Android version of the app\u2019s code after its initial launch, said in an X direct message.<\/p>\n<p>Beyond the data sharing, there are concerns about whether the developers working with the White House on the app are equipped to do such work in the first place.<\/p>\n<p>Several experts told NOTUS that it appeared that the app developer was inexperienced at coding mobile applications, given its lackluster cybersecurity considerations for a high-profile government app. 
The app does not use any code obfuscation or certificate pinning, which makes its code and its network traffic easier to reverse engineer and search for vulnerabilities.<\/p>\n<p>According to internal app files reviewed by Fields and Thereallo, the app\u2019s code states it was developed by 45Press, a website development company based in Ohio. According to public contract information, the company was awarded more than $1.4 million on Feb. 6 to support the White House\u2019s online services.<\/p>\n<p>The company\u2019s X bio says it provides \u201cExpert WordPress development, design, hosting, ecommerce and so much more!\u201d But it says nothing about previous app development work.<\/p>\n<p>45Press did not respond to a request for comment.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The White House App Is Riddled With Cybersecurity Vulnerabilities https:\/\/www.notus.org\/technology\/trump-white-house-app-cybersecurity Publish Date: 2026-04-03 14:16:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":201967,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/static.notus.org\/dims4\/default\/5aaa1c4\/2147483647\/strip\/true\/crop\/2706x1522+0+141\/resize\/1440x810!\/quality\/90\/?url=https%3A%2F%2Fk2-prod-aji.s3.us-east-1.amazonaws.com%2Fbrightspot%2F7a%2Ffb%2F0866f70047d7bdf5f2cad04e78ad%2Fap25143680934955.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24],"class_list":["post-201966","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/201966"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/
testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=201966"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/201966\/revisions"}],"predecessor-version":[{"id":201968,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/201966\/revisions\/201968"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/201967"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=201966"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=201966"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=201966"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}