Official White House app allegedly with extensive tracking functions
The White House app requests extensive permissions on Android. A technical analysis also raises data protection and security concerns.
On Friday, the White House released an official application for Android and iOS. It promises “direct access to the White House” as well as “unfiltered, real-time updates straight from the source” with push notifications for announcements, live streams of speeches, and the ability to send feedback directly to the government.
What the US government doesn't mention: The White House app requests extensive permissions on Android devices. With user permission, it can capture the exact location, start automatically when the device boots, display content over other apps, and keep the device active. Individually, these functions are not unusual; however, for software that primarily provides news and live streams and comes from a government agency, this overall profile requires explanation.
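The combination described above can be checked on any Android app whose manifest has been decoded to text (for example with apktool). The following is an added example, not code from the app or from the cited analysis; the mapping from the four capabilities to standard Android permission names is an assumption, since the article does not quote the manifest, and the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: standard Android permissions for the four capabilities listed.
CAPABILITIES = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "android.permission.WAKE_LOCK": "keep device awake",
}

# Constructed sample manifest (not taken from the White House app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.newsapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission-sdk-23 android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def audit(manifest_xml):
    """Map each flagged capability to True/False, plus an overall verdict."""
    perms = requested_permissions(manifest_xml)
    found = {label: perm in perms for perm, label in CAPABILITIES.items()}
    # Each permission is common alone; the concern is the combination.
    return found, all(found.values())

if __name__ == "__main__":
    found, full_profile = audit(SAMPLE_MANIFEST)
    for label, present in found.items():
        print(f"{'REQUESTED' if present else 'absent   '}  {label}")
    print("full profile from the article:", full_profile)
```

A declared permission only shows what the app may ask for; location and overlay access still depend on the user granting them at runtime.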
Technical analysis reveals tracking functions and external dependencies
Furthermore, an analysis by a developer who examined the code of the Android app is causing a stir. Several anomalies were discovered: According to the analysis, the integrated browser uses JavaScript to hide cookie banners, paywalls, and login prompts. Additionally, the code contains a provision for regular location queries that, once the user has been asked while the app is running, can transmit data to the third-party provider OneSignal. At the same time, the program uses extensive tracking and analysis functions via OneSignal, for example, to evaluate user behavior and interactions.
Further points of criticism concern the integration of external content: The app loads JavaScript from a private GitHub page, among other sources, which could enable the execution of third-party code if this source is compromised. User data, such as email addresses, is also processed via external services that do not belong to the government infrastructure.
This is not necessarily illegal, according to the author of the analysis, but it does not necessarily meet expectations for an official government application. In the Play Store, the app only states that it collects general personal data but does not share it with third parties. Specific information about location data, tracking, or external services used is missing.
Open questions about data protection
The iOS version of the app is more restrained in practice: It does not request access to location or notifications. At least not on the first launch: Only in the “Social” section does a request for notifications appear, which users must actively confirm.
In the App Store, the only collected data listed is contact information, such as email address and phone number, for marketing purposes, and it is not supposed to be linked to the users' identity. There is no mention of location data, tracking, or external services.
Overall, the iOS version appears significantly less demanding in its handling of system rights. However, it should be noted that the actual behavior cannot be definitively assessed without insight into the code.
Both stores refer to the official privacy policy of the White House, which in the section on the app only lists a contact email. heise online has asked both Google and Apple for a statement on the review process and compliance with guidelines.
(dmk)