- An analysis of the official White House app has revealed some worrying features.
- The app is capable of blocking cookie consent options, GDPR banners, and paywalls.
- The app can track the user’s precise location every 4.5 minutes and sends user data to non-governmental infrastructure.
A security researcher decompiled the new official White House app for Android that was released in March 2026 and found some worrying features hidden inside.
Web developer Thereallo analyzed the app’s APK in a blog post and found that it is capable of injecting code into third-party websites to hide cookie consent pop-ups, GDPR banners, paywalls, and more.
It can also track your precise GPS location every 4.5 minutes, pull in code from unsecured non-governmental infrastructure, and build highly invasive profiles of each user.
‘A direct line to the White House’
When the White House launched the new app, it said it “gives Americans a direct line to the White House,” but it seems more likely that the opposite is true.
Hidden within the WebView used to open external websites is a JavaScript snippet that has the ability to hide some pretty vital information that is normally displayed when you visit a website.
“An official US government application is injecting CSS and JavaScript into third-party websites to remove their cookie consent dialogs, GDPR banners, login gates, and paywalls,” Thereallo explained.
Blocking these core website features means that users subject to GDPR or state privacy laws cannot exercise their legal right to opt out of tracking. Additionally, by bypassing paywalls, the US government gives users access to content that is normally protected by a paywall.
The Google Play Store listing indicates that the app can request coarse and precise location data. Thereallo notes that the app requests location permission at runtime and that it contains an Expo plugin intended to eliminate location tracking, yet the app is still built on the OneSignal SDK's location tracking code.
As a result, the app can collect precise location data every 4.5 minutes when it is active and every 9.5 minutes when it is running in the background. While this tracking is not active by default, the entire process can be activated with a single command.
As Thereallo points out, “the infrastructure is there, ready to go, and the JS API is referenced in the package to enable it.” So while the app may not necessarily be tracking you today, it has the potential to activate at any time in the future.
OneSignal is also used to collect profile data for each user. “Your location, your notification interactions, the clicks on your in-app messages, your phone number if you provide it, your tags, your status changes. It all goes to OneSignal’s servers,” Thereallo notes.
The app also relies on code from a random GitHub account to embed YouTube videos. Thereallo notes that if this account is ever compromised, the perpetrator could “send arbitrary HTML and JavaScript to all users of this app.”
The app also loads third-party code without proper security infrastructure, sends its data to non-governmental infrastructure, and has no certificate pinning.
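One mitigation for the remote-embed risk described above, as an added example that is not code from the app or from Thereallo's analysis: before fetched HTML is handed to a WebView, accept it only from an allowlisted HTTPS host and only if its SHA-256 digest matches one recorded at review time. The hostnames, the policy object, the function names and the sample HTML are all constructed for illustration.

```javascript
// Added example: gate third-party embed HTML before it reaches a WebView.
// Hostnames, policy and sample HTML below are constructed, not from the app.
const crypto = require("crypto");

const sha256 = (text) =>
  crypto.createHash("sha256").update(text, "utf8").digest("hex");

// Constructed stand-in for an embed page that a reviewer has inspected.
// In a real build the digest is computed once at review time and shipped
// inside the app, so a later change on the remote host cannot slip through.
const REVIEWED_EMBED =
  '<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>';

// host -> set of SHA-256 digests of content that passed review
const POLICY = {
  "embeds.example.gov": new Set([sha256(REVIEWED_EMBED)]),
};

function vetRemoteEmbed(url, body, policy = POLICY) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return { allow: false, reason: "invalid-url" };
  }
  // Plain HTTP content can be rewritten in transit, so refuse it outright.
  if (parsed.protocol !== "https:") {
    return { allow: false, reason: "not-https" };
  }
  // Own-property lookup so names like "constructor" never match by accident.
  const known = Object.prototype.hasOwnProperty.call(policy, parsed.hostname);
  if (!known) {
    return { allow: false, reason: "host-not-allowlisted" };
  }
  // A compromised account can serve new HTML from the same URL; the digest
  // comparison is what catches that case.
  if (!policy[parsed.hostname].has(sha256(body))) {
    return { allow: false, reason: "content-changed" };
  }
  return { allow: true, reason: "pinned-content" };
}
```

Digest pinning only suits content that changes when the app itself is rebuilt; anything updated more often needs to be bundled or served from infrastructure the publisher controls.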
“Is any of this illegal? Probably not. Is it what you would expect from an official government app? Probably not either,” Thereallo concludes.
An app billed as a one-stop shop for news and media directly from the White House functions instead as a highly granular user profiling, tracking and marketing tool. It is important to note that Thereallo’s analysis was performed immediately after the app was released and therefore features may have been modified, added or removed.
TechRadar Pro reached out to the White House for comment but did not immediately receive a response.




