The White House App

The official White House mobile app, downloaded by millions since its late-March 2026 launch, is sending user data to multiple third-party platforms while its privacy disclosures list no data collection, according to a cybersecurity investigation by NOTUS.

The NOTUS investigation, published on 3 April 2026, found that multiple cybersecurity researchers independently analysed the app's code and network activity and identified data being transmitted to commercial third-party services, a blank Apple privacy manifest, and the incorporation of a widget kit built by a Russia-founded software company that researchers allege exposed personal information belonging to White House staffers.

A Blank Privacy Manifest and Undisclosed Third-Party Data Flows

At the centre of researchers' concerns is a fundamental discrepancy between what the app collects and what it discloses. Apple's App Store requires developers to complete a privacy manifest declaring what data their app collects, including data gathered by any third-party software they embed. The White House app's manifest, as of its most recent update on 3 April 2026, was left completely blank, indicating to users that the app collects nothing.

In practice, the app routes data to at least one commercial push notification vendor, OneSignal, which by default captures a user's mobile carrier, phone model, network type, operating system version, session duration and visit frequency, as well as a unique digital identifier that can track individual users across multiple sessions.

Jason Seeba, OneSignal's chief marketing officer, confirmed the company's data collection to NOTUS via text, describing it as 'standard across push notification platforms' and stating that the data is functional in purpose. Seeba added that Apple's own guidelines require app developers to disclose third-party SDK data collection in their privacy manifests, and that OneSignal's documentation explicitly tells developers this is their obligation.

One researcher, who asked NOTUS to withhold their name out of concern about White House retribution, said the gap between the app's stated and actual data practices constituted a clear breach of user trust. 'It seems to be sharing quite a lot of data about the users to these third parties,' the researcher said. 'The problem is that the privacy manifest says they do not share that information, but in fact they do. That is a problem for end-user privacy because effectively, they're misleading users about how their data is shared.'
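The discrepancy the researchers describe can be checked mechanically. The following is an added example, not code from NOTUS, the researchers or the app: it reads a `PrivacyInfo.xcprivacy` manifest and lists the data categories an embedded SDK is expected to collect that the manifest does not declare. The framework name, the mapping of OneSignal's default fields to Apple's category identifiers, and both sample manifests are assumptions constructed for illustration.

```python
import plistlib

# Assumption: a reviewer-maintained map from embedded framework names to the
# Apple data-type identifiers their default collection falls under. The
# categorisation of the fields named in the article is illustrative.
EXPECTED_BY_SDK = {
    "OneSignalFramework.framework": {
        "NSPrivacyCollectedDataTypeDeviceID",             # unique identifier
        "NSPrivacyCollectedDataTypeProductInteraction",   # session duration, visit frequency
        "NSPrivacyCollectedDataTypeOtherDiagnosticData",  # carrier, model, network, OS version
    },
}

def declared_types(manifest_bytes):
    """Return the set of data types declared in a privacy manifest."""
    manifest = plistlib.loads(manifest_bytes)
    entries = manifest.get("NSPrivacyCollectedDataTypes", [])
    if not isinstance(entries, list):
        return set()  # malformed key: treat as nothing declared
    return {e["NSPrivacyCollectedDataType"] for e in entries
            if isinstance(e, dict) and "NSPrivacyCollectedDataType" in e}

def undisclosed(manifest_bytes, frameworks):
    """Map each known SDK to the expected data types the manifest omits."""
    declared = declared_types(manifest_bytes)
    gaps = {}
    for fw in frameworks:
        missing = EXPECTED_BY_SDK.get(fw, set()) - declared
        if missing:
            gaps[fw] = sorted(missing)
    return gaps

# Constructed samples: a blank manifest and one that declares a single type.
BLANK = plistlib.dumps({})
PARTIAL = plistlib.dumps({
    "NSPrivacyTracking": False,
    "NSPrivacyCollectedDataTypes": [{
        "NSPrivacyCollectedDataType": "NSPrivacyCollectedDataTypeDeviceID",
        "NSPrivacyCollectedDataTypeLinked": False,
        "NSPrivacyCollectedDataTypeTracking": False,
        "NSPrivacyCollectedDataTypePurposes":
            ["NSPrivacyCollectedDataTypePurposeAppFunctionality"],
    }],
})
FRAMEWORKS = ["OneSignalFramework.framework", "UnlistedWidget.framework"]

if __name__ == "__main__":
    for label, manifest in (("blank", BLANK), ("partial", PARTIAL)):
        print(label, undisclosed(manifest, FRAMEWORKS))
```

Frameworks absent from the map, such as the hypothetical `UnlistedWidget.framework`, produce no finding, so the map has to be kept current with every SDK the build embeds.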

Russia-Founded Elfsight Widget Allegedly Exposed Staff Data

A separate concern identified by researchers relates to Elfsight, a software company founded in Russia in 2012 that provides pre-built, embeddable widgets for websites and applications. According to Tracxn's company profile, Elfsight is an unfunded company headquartered in Russia. The company's own about page describes its team as spanning Russia, Armenia, Spain, Italy, France and Andorra.

A cybersecurity researcher shared screenshots with NOTUS showing that the White House app's integration of Elfsight widgets was allegedly exposing personal information belonging to some White House staffers through the app as of 3 April 2026. NOTUS withheld the specific details to protect those individuals' privacy.

The White House told NOTUS in a statement that 'Elfsight went through a full security review by White House IT and was approved for use,' adding that 'this is a vulnerability on Elfsight's side' and that the company 'has been informed of it.' Elfsight did not respond to NOTUS's questions. Instead, an AI-generated auto-reply from the company's email system told the outlet that 'the app owner is responsible for deciding whether and how to allow any third-party code into their application.'

Andrew Hoog, a cybersecurity expert with NowSecure, told NOTUS he was the least alarmed of the researchers interviewed, but still advised against using Elfsight specifically because it is not based in the United States. Philip Fields, a cybersecurity researcher and former FBI intelligence analyst, was more direct. 'The U.S. government's infrastructure is being attacked from all sides right now, and having an amateur WordPress developer running the White House's public presence puts everybody who visits it at risk,' Fields said.

Ohio Contractor and the FedRAMP Standards It Bypassed

Internal app files reviewed by Fields and researcher Thereallo identify the app's developer as 45Press, a website development firm based in Canfield, Ohio. According to public contract records on USAspending.gov, the company was awarded a contract on 6 February 2026 with an action obligation of £1.1 million ($1,421,990.20) and a total contract value of £6.4 million ($8,372,844.17) to provide web hosting and web development professional services to support the White House's online presence. Eleven companies competed for the contract, according to OrangeSlices AI, a federal contracting intelligence firm.

The company describes itself on its X account as providing 'Expert WordPress development, design, hosting, ecommerce and so much more,' with no mention of prior mobile app development.

Researchers told NOTUS the app's code showed no certificate pinning and no code obfuscation, two standard security measures that make it harder for attackers to reverse-engineer an app's traffic and find exploitable weaknesses.

The app received four updates within its first week of availability, two of which the developer attributed to 'minor bug fixes.' It ranked as the third‑most downloaded news app in the Apple App Store as of 3 April 2026, meaning any remaining vulnerabilities are now accessible to a very large audience.