The Trump administration's official White House app has security holes so basic that cybersecurity researchers found them in about an hour of poking around on a Friday night.
Let's start with the basics: the app collects user IP addresses, time zones, device information, and usage patterns, then shares that data with third parties. That's not necessarily unusual for mobile apps, but it is unusual for the privacy manifest on Apple's App Store to be completely blank despite collecting all that data.
Apple typically rejects apps that don't properly disclose data collection. Somehow, the White House app got a pass.
What security researchers found
Philip Fields, a cybersecurity researcher and former FBI analyst, called it "amateurish" work. Adam Enger discovered multiple vulnerabilities in one hour. Andrew Hoog from NowSecure noted the app has poor security "hygiene."
The app lacks code obfuscation and certificate pinning, basic protective measures against reverse engineering and man-in-the-middle attacks, respectively. It doesn't meet the FedRAMP or GovCloud compliance standards that federal applications are supposed to follow.
And here's the part that should really worry people: the app incorporates Elfsight, a Russia-founded software company, which ended up leaving some White House staff members' personal information publicly visible.
The vendor problem
The app was built by 45Press, a WordPress company with no apparent prior experience building mobile applications, let alone high-profile government apps. This is like hiring a graphic designer to build your nuclear reactor control system because they both involve computers.
Government procurement is broken in ways that let this happen. The vendors who know how to navigate the contracting process aren't necessarily the vendors who know how to build secure software. And the political appointees making purchasing decisions often don't have the technical background to evaluate security claims.
I've seen this pattern in startups too—"someone's nephew knows mobile development"—but the stakes there are a lot lower than an official government communications app.
What's actually at risk
The White House app isn't handling classified information or nuclear codes. It's mostly a content delivery vehicle for official announcements and a way for citizens to submit messages to the administration.
But it's also an official government app that users trust. People downloading it expect it to meet basic security standards, not leak their data to commercial tracking platforms or incorporate code from Russia-founded companies.
The real risk isn't that someone hacks the app and takes over the government. It's that users downloading an official government application are exposing themselves to data collection and security vulnerabilities they wouldn't accept from a random app developer.
Government apps should be held to higher standards than commercial apps, not lower ones. This one fails to meet even basic commercial standards. That's not a partisan issue—it's a competence issue.




