Author:TechFlow
Author: Deep Tide TechFlow
On March 27, the Trump administration launched an official news app that claimed to provide users with "unfiltered" access to White House information.
However, multiple independent security audits revealed an ironic fact within 48 hours: the app's installation package contained Huawei's tracking components, and Huawei is the very Chinese company that the US government itself has blacklisted on national security grounds.
In addition, the app also requires a series of system permissions far exceeding those required by news apps, such as GPS positioning, fingerprint recognition, and automatic startup. The X platform quickly added a community note warning to its official promotional post.
Why would an app that publishes press releases and broadcasts presidential live streams need to read your fingerprint?
Security researcher Sam Bent reverse-engineered the White House app (version 47.0.1) and then scanned it using Exodus Privacy. Exodus Privacy is an open-source Android app privacy auditing platform that specifically detects embedded trackers and permission requests within apps and is widely used in the privacy research community. The scan revealed that the White House app embedded three trackers, one of which was Huawei Mobile Services Core.
IBTimes subsequently reported the same finding independently, and legal analyst mitchthelawyer also confirmed the Exodus report's conclusions in an article on Substack. Three independent sources point to the same fact: the White House official app does indeed contain Huawei SDK code.
It should be noted that Huawei Mobile Services Core is a push and analytics SDK provided by Huawei for the global Android ecosystem. Many apps targeting the international market embed it to ensure compatibility with Huawei phones.
Its presence in the installation package does not equate to it actively transmitting data back to Huawei. The problem lies in:
The US government bans domestic companies from doing business with Huawei on national security grounds, yet its own presidential app contains Huawei code. A comment on Hacker News succinctly points out: this is most likely the default configuration of an outsourced contractor, and the White House decision-makers may not even know that the Huawei SDK exists, "but this may be more worrying than deliberate embedding."
The permissions list is comparable to system tools, but the privacy policy remains unchanged from a year ago.
The White House app requests permissions including: precise GPS location, fingerprint biometrics, storage read/write, automatic startup, overlaying other apps with a floating window, Wi-Fi network scanning, and reading notification badges. In contrast, AP News, which provides similar news feeds and disaster reporting, requires far fewer permissions.
According to an IBTimes report, the app's developers admitted that the technical plugin originally intended to strip location permissions "clearly did not strip any related code."
The bigger problem lies in the privacy policy. According to cross-confirmation by IBTimes and mitchthelawyer's Substack articles, the White House app's privacy policy was last updated on January 20, 2025, a full year before the app's launch. This policy only covers website access, email subscriptions, and social media pages, making no mention of mobile app access, GPS tracking, location data collection, or biometric access. When users click "agree," they are agreeing to a document that doesn't even cover the app's actual behavior.
Embedded promotional materials and immigration reporting portal
The app has a built-in "Send a text message to the president" button. Clicking it will automatically fill in the message text box with the phrase: "Greatest President Ever!" If the user chooses to send the message, the system will collect their name and phone number.
In addition, the app includes an embedded ICE reporting button. ICE stands for Immigration and Customs Enforcement, responsible for immigration enforcement and deportation operations. Clicking this button will take you directly to ICE's informant reporting page, where users can anonymously report people they know suspected of illegal immigration.
A platform nominally ostensibly for government press releases, it also serves as a data collection portal for political propaganda and law enforcement whistleblowing. Less than two days after its launch, users of the X platform added community notes to official White House promotional posts, warning other users of privacy risks.
Beyond the White House: FEMA requests 28 permissions for the FBI app to run ads.
Sam Bent conducted an Exodus audit of multiple federal agency apps in the same investigation and found that the White House app was far from an isolated case.
The FBI's official app, "myFBI Dashboard," requests 12 permissions and embeds four trackers, including Google AdMob, an advertising SDK. This means an official app from a federal law enforcement agency is delivering targeted ads while reading users' phone identification information.
The FEMA (Federal Emergency Management Agency) app requests 28 permissions, but its core function is simply to display weather warnings and shelter locations.
Customs and Border Protection (CBP)'s passport control app requests 14 permissions, seven of which are classified as "dangerous permissions," including background location tracking (which continues even after the app is closed) and full storage read/write. Facial data collected across the entire CBP application ecosystem is retained for up to 75 years and shared between the Department of Homeland Security, ICE, and the FBI.
At a more fundamental level of data procurement, the Department of Homeland Security, the FBI, the Department of Defense, and the DEA purchase over 15 billion location data points daily, covering more than 250 million devices, through commercial data brokerage firms such as Venntel, without the need for search warrants. This practice effectively circumvents the privacy protections for mobile phone location data established by the U.S. Supreme Court in the 2018 case of Carpenter v. United States.
Several commentators on Hacker News summarized the common logic behind these apps: the government packages publicly available content that could have been published via web pages or RSS into native apps for distribution. The only reasonable explanation is to obtain system-level permissions that browsers do not provide, including background location, biometrics, device identity reading, and automatic startup.
A 2023 report by the U.S. Government Accountability Office (GAO) revealed that nearly 60% of the 236 privacy and security recommendations issued since 2010 have yet to be implemented. Congress has twice been recommended to pass comprehensive internet privacy legislation, but no action has been taken to date.
