The White House App Is a Security Problem — Here's What You Need to Know
Three findings from an independent security analysis every professional should read
As experts, If you downloaded the new White House app, we’d recommend removing it.
Regardless of political reasons — For security ones.
Last week, independent researchers at atomic.computer published a detailed reverse-engineering of the official White House iOS app.
Here are the three findings that concern us most:
1. The app runs live code from infrastructure with Russian origins.
The app uses six separate embedded browsers (WebViews), each loading live, modifiable JavaScript from a company called Elfsight — a widget provider with Russian origins.
The architecture is a two-stage loader: the app loads an initial script, which then reaches out to Elfsight’s servers to pull down additional code and execute it on your device.
If Elfsight’s server were ever compromised — or if the company were compelled to modify its response — arbitrary JavaScript could execute inside the official White House app on every user’s device.
That’s not a theoretical risk, it’s a structural issue baked into the design.
2. Location tracking is compiled in — and can be turned on remotely.
The app ships with ten separate location-tracking frameworks totaling over 2.4MB, including one specifically called OneSignal Location — despite containing no maps, no local events, and no feature that requires knowing where you are.
The researchers confirmed that GPS tracking is not currently active. But the code is there. The location capability can be activated remotely through a server-side configuration controller — without a user update.
3. The behavioral data collection is extensive.
Even without GPS, the app collects more than most users would expect. The OneSignal SDK built into the app includes over 24 server request types — tracking session duration, notification influence, time spent, network type, device type, in-app message engagement, and custom behavioral events.
This is described as standard SDK behavior. Standard doesn’t mean appropriate for an official government app with no disclosed data policy.
There’s more in the full analysis — including code loaded from a random developer’s GitHub account that, if compromised, could push arbitrary malicious code to every user of the app.
The researchers also note that the production build contains development artifacts — including a localhost URL pointing to a developer’s own machine — that suggest this app was not built with standard security review practices.
Why we’re flagging this
We work with people, businesses, and enterprise organizations every day who trust the tools they install — and who don’t have a security researcher on staff to reverse-engineer what those tools are actually doing. That’s part of why we exist.
The lesson here isn’t unique to this app. It’s a reminder that every piece of software you install on a business or personal device is a decision — and that “official” doesn’t mean “secure.”
What we recommend
If you installed the White House app, remove it. If you’re not sure what apps on your team’s devices might be collecting, that’s worth a conversation with your IT support provider.
And if you’re curious what else might be running quietly in the background on your business systems, we’re always happy to take a look.
Source: Security Analysis of the Official White House iOS App, atomic.computer (March 27, 2026)
This incident underscores how modern attacks increasingly rely on trust, familiarity, and belief. Knowledge is power, and your knowledge will protect you.
With over 15 years of IT support experience, inWorks LLC has helped organizations navigate these shifts in real time—preventing incidents before they escalate and saving companies hundreds of thousands of dollars in potential losses.
When something feels off, having a consistent checkpoint matters. inWorks serves as a reliable place to verify suspicious messages and support clear, informed decisions about what’s safe to trust.
Learn more about how inWorks LLC safeguards your data, business information, and account credentials through decades of cyber security experience.
📞 Call 267-857-8066 to start the conversation about preventing your sensitive information from being exploited.
For ongoing insights on current events in tech, cyber security, and protection best practices, follow inWorks LLC on LinkedIn for practical guidance designed for founders, operators, and leadership teams.