A developer who decompiled the official White House app discovered it's collecting GPS data every 4.5 minutes when active and sending it to third-party servers. The findings raise serious questions about whether government apps should meet basic privacy standards.
The app, which provides access to official White House content and social media feeds, contains hardcoded constants that trigger location polling at precise intervals: 270,000 milliseconds (4.5 minutes) in the foreground and 570,000 milliseconds (9.5 minutes) in the background. All this data flows to OneSignal, a third-party notification service.
"Your location, your notification interactions, your in-app message clicks, your phone number if you provide it, your tags, your state changes. All going to OneSignal's servers," the developer wrote in a detailed technical analysis.
But the tracking is just the beginning. The app connects to multiple external services beyond government infrastructure: Mailchimp for email signups, Uploadcare for image hosting, Elfsight for social media widgets, and even loads code from a personal GitHub Pages account. That last one is particularly concerning from a security perspective.
The security holes are worse than the tracking. The app injects JavaScript into websites to hide cookie consent dialogs, GDPR banners, login walls, and paywalls. It loads code from a developer's personal GitHub account, creating a supply chain vulnerability if that account gets compromised. There's no certificate pinning, leaving users vulnerable to man-in-the-middle attacks on public WiFi. And perhaps most embarrassingly, a developer's local IP address and localhost URL remain in the production build.
These aren't sophisticated flaws we're talking about. They are lapses in basic security practices that any competent developer should implement. The app appears to have been rushed to market without proper security review.
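A pre-release check of the kind a security review would run could flag the leftover development endpoints, the personally hosted script and the third-party hosts described above. The following is an added example, not code from the developer's analysis or from the app; the allow-list, function names and sample strings are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: domains a release build is expected to contact (hypothetical allow-list).
ALLOWED_SUFFIXES = ("whitehouse.gov",)
# Hosting domains where the content belongs to an individual account.
PERSONAL_HOSTING = ("github.io",)

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

def _under(host, suffixes):
    """True if host equals a suffix or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def classify_host(host):
    """Return a finding label for a hostname, or None if it is allow-listed."""
    host = host.lower().rstrip(".")
    if host == "localhost":
        return "dev-endpoint"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return "dev-endpoint" if ip.is_private or ip.is_loopback else "raw-ip"
    if _under(host, PERSONAL_HOSTING):
        return "personal-hosting"
    return None if _under(host, ALLOWED_SUFFIXES) else "third-party"

def audit_strings(strings):
    """Map every URL found in the extracted strings to its finding label."""
    findings = {}
    for text in strings:
        for url in URL_RE.findall(text):
            host = urlsplit(url).hostname
            label = classify_host(host) if host else None
            if label:
                findings[url] = label
    return findings

# Constructed sample of strings as they might appear in a decompiled build.
SAMPLE = [
    'const API = "https://www.whitehouse.gov/wp-json/";',
    "debugHost=http://192.168.1.23:8081/index.bundle",
    "http://localhost:8081/status",
    '<script src="https://example-dev.github.io/widget/loader.js">',
    "https://push.vendor.example/v1/players",
]
```

Calling `audit_strings(SAMPLE)` returns a label for every URL except the allow-listed one; in a build pipeline, any `dev-endpoint` or `personal-hosting` finding would fail the release.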
The tracking itself may not be illegal, depending on the app's terms of service and privacy policy. But it's certainly aggressive. Most apps that track location this frequently are ride-sharing or fitness apps where location is core functionality. For an app that's essentially a content viewer, this level of tracking is hard to justify.
The technology is impressive in its invasiveness. The question is whether anyone needed it.

