White House App Sends Your Location Every 4.5 Minutes to Ad Tech Company
The official White House app, launched by the Trump administration to deliver "real-time updates straight from the source, no filter," has a filter problem of its own. Developer Thereallo, who previously collaborated with the renowned Krebs on Security, decompiled the Android APK and found alarming issues: a full GPS tracking pipeline sending coordinates to an ad tech company every 4.5 minutes, JavaScript injection that strips paywalls and GDPR banners from every website, video loaded from a random developer's personal GitHub, no certificate pinning, and development artifacts left in the production build.
The app is a React Native application built with Expo SDK 54, running on the Hermes JavaScript engine. The backend is WordPress with a custom REST API. According to the Expo config, it was built by an entity called "forty-five-press". The Trump administration has not responded to the findings.
> LAUNCHED: THE WHITE HOUSE APP
>
> Live streams. Real-time updates. Straight from the source, no filter.
>
> — The White House (@WhiteHouse) March 27, 2026
Why this matters: When a government app tracks its citizens' locations and sends that data to a commercial third party, it inverts the purpose of civic technology. The app is supposed to inform citizens about their government. Instead, it informs a marketing company about its citizens.
Location Tracking: Every 4.5 Minutes to OneSignal
The decompilation reveals the exact tracking intervals hardcoded in OneSignal's LocationConstants class: 270,000 milliseconds (4.5 minutes) for foreground and 570,000 milliseconds (9.5 minutes) for background. The GPS coordinates, accuracy, timestamp, and whether the app was in foreground or background are all captured and synced to https://api.onesignal.com/.
Interestingly, the Expo config includes a plugin called withNoLocation that was supposed to strip location tracking. It didn't work. The entire OneSignal location pipeline, including permission strings, interval constants, fused location requests, capture logic, background scheduling, and the sync to OneSignal's API, is fully compiled into the APK. The tracking isn't unconditionally active: it requires three gates (a JavaScript toggle, user permission, and a location provider). But the infrastructure is there, ready to go, and the JavaScript API setLocationShared(true) to enable it is referenced in the app's Hermes bytecode bundle.
Beyond location, OneSignal's SDK performs extensive user profiling through the app:
- User tagging -- segmentation tags for targeted messaging
- SMS association -- links phone numbers to user profiles via `addSms`
- Cross-device linking -- `addAliases` for identifying users across multiple devices
- Outcome tracking -- `addOutcomeWithValue` tracks user actions and conversions
- Notification tracking -- a local database records every notification received, opened, or dismissed
- In-app message tracking -- full lifecycle (display, click, dismiss) of in-app messages
All of this data goes to OneSignal's commercial servers, not to government infrastructure.
What 4.5-minute tracking means: At this interval, a detailed movement profile can be reconstructed: where you live, where you work, which stores you visit, which church or mosque you attend, which doctor's office you visit, and which political events you go to. This is not approximate location for notification relevance. This is surveillance-grade granularity from a government app.
JavaScript Injection: Removing Paywalls and Cookie Banners
The White House app contains a built-in WebView for opening links. When a user taps a link within the app, instead of opening it in Safari or Chrome, the app opens it in this custom browser. So far, standard practice for many apps.
What's not standard: the app injects JavaScript code into every web page opened through this WebView. The injected code, found in the Hermes bytecode string table, creates a CSS stylesheet that hides elements matching an extensive list of selectors and sets up a MutationObserver to continuously nuke any consent elements that get dynamically added. The targeted elements include:
- Cookie consent banners -- elements matching `[class*="cookie"]`, `[id*="cookie"]`, `[class*="consent"]`
- GDPR dialogs -- `[class*="gdpr"]`, `[class*="privacy-banner"]`, `[class*="onetrust"]`, CMP boxes
- Login walls -- `[class*="login-wall"]`, `[class*="LoginWall"]`
- Signup walls -- `[class*="signup-wall"]`, `[class*="signupWall"]`
- Upsell/paywall prompts -- `[class*="upsell"]`, `[class*="Upsell"]`
- ARIA-labeled consent -- `[aria-label*="cookie" i]`, `[aria-label*="consent" i]`
The injection also forces `body { overflow: auto !important }` to re-enable scrolling on pages where consent dialogs lock the scroll. The native Java code confirms this is the `injectedJavaScript` prop on React Native's WebView, wrapped in an IIFE and executed via Android's `evaluateJavascript()` on every page load.
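The two findings above (the OneSignal location and profiling pipeline, and the consent-hiding script injected into the WebView) are both things a reviewer can confirm from the strings left in a decompiled build. The script below is an added example, not code from the article or from the app, showing one way to triage such a string dump: it converts any interval constants it finds to minutes, collects the OneSignal API references the article lists, and flags a string as an injected page-modifying script when it combines a `MutationObserver` with a `display:none` stylesheet, classifying the selectors it hides. The sample strings are constructed for the example; in particular the constant names `foregroundUpdateIntervalMs` / `backgroundUpdateIntervalMs` are placeholders, since the article only gives the class name `LocationConstants` and the two values.

```python
import re

# Constructed sample of the kind of strings a reviewer pulls out of a decompiled
# APK (Hermes string table plus decompiled Java constants). Constant names are
# placeholders; only the class name and the two interval values come from the article.
SAMPLE_STRINGS = [
    "LocationConstants",
    "foregroundUpdateIntervalMs = 270000L",
    "backgroundUpdateIntervalMs = 570000L",
    "https://api.onesignal.com/",
    "setLocationShared",
    "addSms",
    "addAliases",
    "addOutcomeWithValue",
    # Abbreviated stand-in for the injected WebView script the article describes:
    # a stylesheet hiding consent/paywall selectors plus a MutationObserver.
    "(function(){var s=document.createElement('style');"
    "s.textContent='[class*=\"cookie\"],[id*=\"cookie\"],[class*=\"consent\"],"
    "[class*=\"gdpr\"],[class*=\"onetrust\"],[class*=\"login-wall\"],"
    "[class*=\"upsell\"],[aria-label*=\"cookie\" i]{display:none !important}"
    " body{overflow:auto !important}';document.head.appendChild(s);"
    "new MutationObserver(function(){}).observe(document.documentElement,"
    "{childList:true,subtree:true});})();",
    "Welcome to the White House app",
]

LOCATION_MARKERS = ("LocationConstants", "setLocationShared", "api.onesignal.com")
PROFILING_MARKERS = ("addSms", "addAliases", "addOutcomeWithValue")
INTERVAL_LINE_RE = re.compile(r"(?i)interval|update_time|_ms\b")
INTERVAL_VALUE_RE = re.compile(r"\b(\d{5,8})L?\b")          # 5-8 digit ms values, Java 'L' suffix optional
SELECTOR_RE = re.compile(r'\[(?:class|id|aria-label)\*="([^"]+)"')
SELECTOR_CATEGORIES = {
    "consent": ("cookie", "consent", "gdpr", "privacy-banner", "onetrust"),
    "access_wall": ("login-wall", "loginwall", "signup-wall", "signupwall"),
    "paywall": ("upsell", "paywall"),
}


def classify_selector(value):
    """Map a substring-selector value such as 'login-wall' onto a coarse category."""
    v = value.lower()
    for category, keywords in SELECTOR_CATEGORIES.items():
        if any(k in v for k in keywords):
            return category
    return "other"


def scan_strings(strings):
    """Walk extracted strings and collect location, profiling and injection indicators."""
    findings = {
        "location_intervals_min": [],
        "location_api": [],
        "profiling_api": [],
        "injected_scripts": [],
    }
    for s in strings:
        findings["location_api"].extend(m for m in LOCATION_MARKERS if m in s)
        findings["profiling_api"].extend(m for m in PROFILING_MARKERS if m in s)
        if INTERVAL_LINE_RE.search(s):
            for m in INTERVAL_VALUE_RE.finditer(s):
                findings["location_intervals_min"].append(int(m.group(1)) / 60000)
        compact = s.replace(" ", "")
        if "MutationObserver" in s and "display:none" in compact:
            cats = sorted({classify_selector(v) for v in SELECTOR_RE.findall(s)})
            findings["injected_scripts"].append({
                "categories": cats,
                "unlocks_scroll": "overflow:auto" in compact,
            })
    return findings


def has_location_pipeline(findings):
    """True when interval constants, the sync endpoint and the JS enable switch are all present."""
    api = set(findings["location_api"])
    return bool(findings["location_intervals_min"]) and {"setLocationShared", "api.onesignal.com"} <= api


if __name__ == "__main__":
    result = scan_strings(SAMPLE_STRINGS)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("location pipeline compiled in:", has_location_pipeline(result))
```

The three-gate point the article makes (toggle, permission, provider) is exactly why this check reports the pipeline as *present* rather than *active*: static strings prove the capability is shipped, and only runtime traffic capture proves it is exercised.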
This raises several serious concerns:
- Legal issues. Bypassing paywalls may violate the Computer Fraud and Abuse Act (CFAA) and copyright law. A government app systematically circumventing access controls on news websites sets a troubling precedent
- Security risk. Any JavaScript injection into web pages creates an attack surface. If the injection code has vulnerabilities, it could be exploited to steal data from the pages users visit
- Cookie consent removal. Hiding cookie banners means users can't make informed choices about tracking on the sites they visit through the app. Ironic, given the app itself is an aggressive tracker
The LonelyCPP Supply Chain Risk
Perhaps the most alarming finding is a supply chain vulnerability in how the app displays video content. The White House app uses an iframe element that loads code directly from a GitHub repository belonging to a user called LonelyCPP, an Indian developer.
This means that LonelyCPP, through their GitHub account, can push an update to their repository that would execute arbitrary code on every White House app user's device. No review process. No government approval. One developer, one push, millions of affected devices.
When confronted with this discovery, LonelyCPP (real name Ananthu) responded candidly on X:
> They should have hosted the script themselves.
>
> — Ananthu (@ananthu_tweetin) March 28, 2026
He's right. Any competent development team would vendor (copy and self-host) external dependencies rather than loading them at runtime from a third party's personal GitHub account. This is a basic supply chain security practice that the White House app team apparently skipped.
But LonelyCPP isn't the only external dependency. The app also loads JavaScript from Elfsight (elfsightcdn.com/platform.js), a commercial SaaS widget company, to embed social media feeds. Elfsight's code runs inside the app's WebView with no sandboxing, and it can change at any time. Email signups go through Mailchimp. Content images are served from Uploadcare. There's a hardcoded Truth Social embed and a Facebook page plugin loaded in an iframe. None of this runs on government-controlled infrastructure.
What is a supply chain attack? A supply chain attack targets the tools and dependencies that software is built with, rather than the software itself. Famous examples include the SolarWinds hack (2020), where attackers compromised a software update to infiltrate 18,000 organizations including the US government, and the XZ Utils backdoor (2024), where a maintainer spent years gaining trust before inserting a backdoor. The White House app has multiple supply chain risks through LonelyCPP's GitHub, Elfsight, and other unvetted external code.
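The practical counterpart to the vendoring advice above is an inventory of every origin the app pulls content from at runtime, sorted by who controls it. The script below is an added example, not code from the article or the app: it extracts URLs from bundle strings and HTML templates, groups them by host, and labels each host as first-party (an allowlist of government-controlled domains, here assumed to be only whitehouse.gov), a personal code host such as GitHub Pages, a generic third party, or a development artifact (localhost or a private IP). Hosts that serve script or frameable content and are not first-party are the ones that need vendoring or a review gate. The sample references are constructed; `example-dev.github.io` is a placeholder for the personal GitHub Pages origin the article describes, and the paths on the other hosts are illustrative.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample of URL-bearing strings lifted from the bundle and HTML templates.
# The github.io host is a placeholder; the REST path mirrors the one the article quotes.
SAMPLE_REFERENCES = [
    "https://www.whitehouse.gov/wp-json/whitehouse/v1/galleries?page=1",
    "https://api.onesignal.com/",
    "https://elfsightcdn.com/platform.js",
    '<iframe src="https://example-dev.github.io/player/embed.html"></iframe>',
    '<iframe src="https://www.facebook.com/plugins/page.php?href=..."></iframe>',
    "http://localhost:8081/wp-json/whitehouse/v1/galleries?page=",
    "http://10.4.4.109:8081/status",
]

URL_RE = re.compile(r"""https?://[^\s'"<>]+""")
FIRST_PARTY_SUFFIXES = ("whitehouse.gov",)            # assumption: the only origins the app team controls
PERSONAL_CODE_SUFFIXES = ("github.io", "githubusercontent.com")
DEV_HOSTS = ("localhost", "127.0.0.1")
CODE_EXTENSIONS = (".js", ".html", ".php")            # executes, or frames something that executes
RISK = {
    "personal-code-host": "critical",
    "third-party": "medium",
    "dev-artifact": "low",
    "first-party": "info",
}


def _matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_host(host):
    """Assign a control category to a hostname."""
    if host in DEV_HOSTS:
        return "dev-artifact"
    try:
        if ipaddress.ip_address(host).is_private:
            return "dev-artifact"
    except ValueError:
        pass                                           # not an IP literal
    if _matches(host, FIRST_PARTY_SUFFIXES):
        return "first-party"
    if _matches(host, PERSONAL_CODE_SUFFIXES):
        return "personal-code-host"
    return "third-party"


def inventory(strings):
    """Group every URL found in the strings by host, with category, risk and code URLs."""
    hosts = {}
    for s in strings:
        for url in URL_RE.findall(s):
            parsed = urlparse(url)
            host = parsed.hostname
            if not host:
                continue
            if host not in hosts:
                category = classify_host(host)
                hosts[host] = {"category": category, "risk": RISK[category],
                               "urls": [], "code_urls": []}
            entry = hosts[host]
            entry["urls"].append(url)
            if parsed.path.lower().endswith(CODE_EXTENSIONS):
                entry["code_urls"].append(url)
    return hosts


def runtime_code_hosts(inv):
    """Hosts outside the team's control that deliver script or frame content at runtime."""
    return sorted(h for h, e in inv.items()
                  if e["code_urls"] and e["category"] not in ("first-party", "dev-artifact"))


if __name__ == "__main__":
    inv = inventory(SAMPLE_REFERENCES)
    for host, entry in sorted(inv.items(), key=lambda kv: kv[1]["risk"]):
        print(f"{entry['risk']:>8}  {entry['category']:<18} {host}  code={len(entry['code_urls'])}")
    print("needs vendoring or a review gate:", runtime_code_hosts(inv))
```

Classifying by host suffix is deliberately coarse: the point is to make the list of origins that can change the app's behaviour without a release visible to whoever signs off on the build.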
Summary of Issues Found
| Issue | What Happens | Risk Level |
|---|---|---|
| Location tracking | GPS sent to OneSignal every 4.5 min (foreground) / 9 min (background) | High -- surveillance-grade tracking by ad tech company |
| JavaScript injection | Removes paywalls, cookie banners, and login popups on third-party sites | High -- legal and security risk, undermines user consent |
| Supply chain dependency | Video iframe loaded from LonelyCPP's personal GitHub at runtime | Critical -- enables remote code execution on all devices |
| OneSignal profiling | Tags, SMS numbers, cross-device aliases, outcome tracking, notification logging | High -- extensive behavioral profiling by commercial third party |
| Elfsight widgets | Third-party JavaScript from Elfsight CDN loaded unsandboxed for social media embeds | Medium -- external code can change at any time |
| No certificate pinning | Standard Android TrustManager, traffic interceptable on compromised networks | Medium -- MITM possible on corporate/public WiFi |
| Dev artifacts in production | Localhost URL, developer IP (10.4.4.109), Expo dev client, exported PreviewActivity | Low -- sloppy but not directly exploitable |
| File provider | Exposes entire external storage root via file_provider_paths.xml | Medium -- overly broad file access |
No Certificate Pinning and Dev Leftovers
The app uses standard Android TrustManager for SSL with no custom certificate pinning. If you're on a network with a compromised Certificate Authority (corporate proxy, public WiFi with MITM), traffic between the app and its backends can be intercepted and read.
The production build also contains several development artifacts that should have been stripped:
- A localhost URL (`http://localhost:8081/wp-json/whitehouse/v1/galleries?page=`) from the React Native Metro bundler dev server made it into the Hermes bundle
- A developer's local IP address (`10.4.4.109`) is hardcoded in the string resources
- The Expo development client (`expo-dev-client`, `expo-devlauncher`, `expo-devmenu`) is compiled into the release build, complete with a dev menu FAB icon
- The Compose PreviewActivity is exported in the manifest, a development-only component that should never be in production
None of this is directly exploitable, but it reveals a development process that lacks basic build hygiene. For context, the app includes 68+ compiled libraries and 25 native .so libraries, suggesting it was assembled quickly with little regard for minimizing the attack surface.
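Each of the hygiene problems in this section (the exported PreviewActivity, the file provider that exposes the whole external storage root, and the localhost URL and developer IP) is mechanically checkable from the unpacked build, and a release pipeline can fail on them before an APK ships. The script below is an added example, not code from the article or the app: it parses a manifest for exported activities that have no intent-filter, parses a `file_provider_paths.xml` for root-level `external-path` or `root-path` entries, and scans string values for localhost or private-IP references. The manifest, paths file and string values are constructed samples; the package name and FileProvider authority are placeholders, and the PreviewActivity class name is used as an illustration of the component the article names.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest fragment; package and authority are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="androidx.compose.ui.tooling.PreviewActivity" android:exported="true"/>
    <provider android:name="androidx.core.content.FileProvider"
              android:authorities="com.example.app.fileprovider"
              android:exported="false" android:grantUriPermissions="true">
      <meta-data android:name="android.support.FILE_PROVIDER_PATHS"
                 android:resource="@xml/file_provider_paths"/>
    </provider>
  </application>
</manifest>
"""

# Constructed file_provider_paths.xml modeled on the over-broad setting the article reports.
SAMPLE_PATHS = """<paths>
  <external-path name="external_files" path="."/>
  <cache-path name="shared_cache" path="shared/"/>
</paths>
"""

# Constructed string values; the first two are the leftovers the article quotes.
SAMPLE_STRING_VALUES = [
    "http://localhost:8081/wp-json/whitehouse/v1/galleries?page=",
    "10.4.4.109",
    "https://www.whitehouse.gov/",
]

BROAD_PATH_TAGS = ("external-path", "root-path")      # the widest scopes FileProvider can grant
BROAD_PATH_VALUES = ("", ".", "/")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def exported_without_intent_filter(manifest_xml):
    """Exported activities with no intent-filter: reachable by any app, yet not an intended entry point."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for activity in root.iter("activity"):
        exported = activity.get(ANDROID_NS + "exported") == "true"
        if exported and activity.find("intent-filter") is None:
            hits.append(activity.get(ANDROID_NS + "name"))
    return hits


def broad_file_provider_paths(paths_xml):
    """Path entries that share a whole storage root instead of a single subdirectory."""
    root = ET.fromstring(paths_xml)
    hits = []
    for child in root:
        path = (child.get("path") or "").strip()
        if child.tag in BROAD_PATH_TAGS and path in BROAD_PATH_VALUES:
            hits.append((child.tag, child.get("name"), path))
    return hits


def dev_leftovers(values):
    """Strings pointing at a developer machine: localhost/loopback URLs or private IP addresses."""
    hits = []
    for v in values:
        if "localhost" in v or "127.0.0.1" in v:
            hits.append(("localhost-url", v))
            continue
        for ip in IPV4_RE.findall(v):
            try:
                if ipaddress.ip_address(ip).is_private:
                    hits.append(("private-ip", v))
                    break
            except ValueError:
                pass                                   # malformed octets, not an address
    return hits


if __name__ == "__main__":
    print("exported dev components:", exported_without_intent_filter(SAMPLE_MANIFEST))
    print("broad provider paths:", broad_file_provider_paths(SAMPLE_PATHS))
    print("dev leftovers:", dev_leftovers(SAMPLE_STRING_VALUES))
```

Run against the merged manifest and resources of a release build, these three functions turn "sloppy but not directly exploitable" into a build failure rather than a post-launch finding.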
Oh, and there's also a direct link to the ICE tip reporting form embedded in the app. In a news app.
Government Apps and the Trust Problem
Government apps occupy a unique position in the privacy landscape. Citizens expect that an app from their own government operates with their interests in mind. When The White House tweets "Straight from the source, no filter", people download it with a level of trust they wouldn't give to a random app from the App Store.
That trust makes the privacy violations worse, not better. The White House app essentially:
- Exploits civic trust to get location permission
- Sends that location to a commercial ad tech company, not the government
- Modifies the content users see on third-party websites
- Introduces a critical supply chain vulnerability that could affect millions
This isn't a theoretical concern. In 2021, it was revealed that military fitness tracking app Strava's heatmap had inadvertently revealed the locations of secret military bases because soldiers used the app while exercising. Location data from government-adjacent apps has real national security implications.
Could This Happen in Europe?
Under European law, the White House app's behavior would face immediate regulatory scrutiny:
- GDPR Article 5: Location tracking every 4.5 minutes violates the principle of data minimization -- collecting far more data than necessary for push notifications
- GDPR Article 7: Consent must be specific and informed. "Allow location access" does not constitute informed consent for sharing GPS data with an advertising company every 4.5 minutes
- ePrivacy Directive: Removing cookie consent banners via JavaScript injection directly undermines EU cookie law
- NIS2 Directive: A government app with a supply chain vulnerability of this magnitude would trigger mandatory incident reporting
European government apps like DigiD (Netherlands), France Connect (France), and BundID (Germany) are subject to strict security audits and data protection impact assessments before launch. The White House app appears to have undergone no comparable review.
How Can You Protect Yourself?
Don't Install the App
The simplest protection. Everything the White House app provides (news, livestreams, press releases) is available through the White House website without location tracking or JavaScript injection.
If Already Installed: Revoke Location Permission
Go to your phone's settings and change the White House app's location permission to "Never." On iOS: Settings > Privacy & Security > Location Services > White House. On Android: Settings > Apps > White House > Permissions > Location.
Don't Open Links Inside the App
If you use the app, don't tap links within it. The in-app WebView is where JavaScript injection happens. Instead, copy link URLs and open them in your regular browser where you have ad blockers and privacy extensions installed.
Review All App Permissions Regularly
The White House app is one example, but many apps request excessive permissions. Review your phone's permission settings periodically. Any app that has "Always" location access should have a very good reason for it.
Privacy tip: Government apps aren't the only ones tracking you. Check what your IP address reveals at myip.foo, test for DNS leaks that expose your browsing, and test for WebRTC leaks that bypass VPN protection. Consider a VPN like NordVPN to encrypt your connection -- though note that a VPN doesn't prevent apps with location permission from accessing your GPS.
Common Questions
How often does the White House app track your location?
Every 4.5 minutes when the app is actively in use (foreground), and every 9 minutes when running in the background. This location data is sent to OneSignal, a commercial customer engagement platform, not to government servers.
What is OneSignal and what does it collect?
OneSignal is an advertising technology company that provides push notification and analytics services. From the White House app, it collects GPS location, click data, notification engagement patterns, and app usage behavior. This data goes to OneSignal's commercial servers.
Does the White House app modify websites you visit?
Yes. The app's built-in browser injects JavaScript into every web page you open through it. This code removes paywalls, hides cookie consent banners, and blocks login popups. This means content from third-party websites is altered before you see it.
What is the LonelyCPP supply chain risk?
The app loads video content via an iframe from a personal GitHub repository owned by an Indian developer using the handle LonelyCPP. Because code is loaded at runtime from this external source, the developer could push a malicious update that would execute on every app user's device. The developer acknowledged this, saying "they should have hosted the script themselves."
Has the White House responded to these findings?
No. As of March 2026, the Trump administration has not responded to the security findings published by developer Thereallo. The issues were discovered through decompilation of the app's code.
Conclusion
The White House app is a case study in how not to build government software. Aggressive location tracking through an ad tech company, JavaScript injection that modifies third-party websites, and a critical supply chain vulnerability through an unvetted GitHub dependency -- any one of these would be concerning. Together, they paint a picture of an app built with no regard for security or user privacy.
Key takeaways:
- Full GPS tracking pipeline compiled in: 4.5 minutes (foreground) and 9.5 minutes (background) to OneSignal's servers
- A `withNoLocation` Expo plugin was supposed to strip location tracking -- it failed completely
- JavaScript injection strips paywalls, GDPR banners, cookie consent, login walls, and upsell prompts from every website opened in the app
- Video code loaded at runtime from LonelyCPP's personal GitHub Pages -- one compromised account = code execution on all devices
- Additional supply chain risks through Elfsight, Mailchimp, Uploadcare, and Facebook iframes -- no government-controlled infrastructure
- OneSignal profiles users extensively: tags, SMS, cross-device aliases, outcome tracking, notification logging
- No certificate pinning, development artifacts in production (localhost URLs, developer IP addresses)
- 68+ libraries compiled in, file provider exposing entire external storage root
- ICE tip reporting form embedded in a "news" app
- Everything the app provides is available on whitehouse.gov without any of this tracking
The irony is hard to miss: an app marketed as delivering information "straight from the source, no filter" turns out to have quite a few filters of its own -- including one that filters your location data straight to an advertising company every 4.5 minutes.
Protect your privacy:
- Check what your IP reveals at myip.foo
- Test for DNS leaks exposing your browsing
- Test for WebRTC leaks bypassing VPN protection
- Review all app permissions on your phone (Settings > Privacy)
- Encrypt your traffic with a VPN like NordVPN