Frontierbeat

Trump’s Official White House App Was Built by a WordPress Shop — Cybersecurity Experts Found the Problems in an Hour



On Monday, President Trump took to social media to promote the new official White House app, calling it “front-row access to all news from your favorite president” and urging his followers to download it. Within days it had climbed to the third-most downloaded news app on Apple’s App Store. Cybersecurity researchers got there first.

Adam Enger, a cybersecurity researcher who pulled the app apart the Friday night it launched, put it plainly: “If I could find this by myself in an hour on Friday night, then how far along are our adversaries with this?”

White House app cybersecurity problems, one by one

The most immediate red flag is the app’s privacy manifest on the Apple App Store, which is completely blank. A blank manifest signals to Apple — and to users — that no data is being collected. That is false. The app collects users’ IP addresses, time zones, phone models, carriers, and operating system versions, and shares them with third-party services. Multiple cybersecurity researchers noted that misrepresenting data collection in Apple’s privacy manifest typically results in app removal from the store.

The app uses OneSignal for push notifications, a standard commercial tool that creates unique digital fingerprints to track users across sessions. That alone isn’t unusual. What is unusual for a government application is the inclusion of Elfsight, a widget company founded in Russia. As of Thursday, Elfsight’s integration had exposed personal information belonging to White House staffers through the app. A White House official characterized it as “a vulnerability on Elfsight’s side” — which is accurate in the narrow sense, and completely beside the point in the broader one.

The app also lacks certificate pinning, a control that prevents man-in-the-middle attacks by ensuring the app only communicates with verified servers. It has no code obfuscation, making its architecture significantly easier to reverse engineer. “The app’s privacy disclosures do not clearly explain the extent of third-party data collection,” said a cybersecurity researcher who reviewed it. “Users downloading an official government app would reasonably expect their data to stay within US government systems, not flow to commercial third-party platforms.”

The White House’s response was brief: all app information is “safe and secure,” reliance on third-party services is “standard” for applications, and no user data is saved. The administration also noted that Elfsight had undergone a full IT security review before approval — though that review apparently did not surface the data exposure researchers found within days of launch.

Who actually built it

The app was developed by 45Press, an Ohio-based firm that specializes in WordPress development, design, and hosting. The company has no public record of previous mobile app development. It received a $1.4 million contract on February 6 to support White House online services, roughly six weeks before the app launched.

Philip Fields, a cybersecurity researcher and former FBI intelligence analyst, was direct about what that means in practice: “The U.S. government’s infrastructure is being attacked from all sides right now, and having an amateur WordPress developer running the White House’s public presence puts everybody who visits it at risk.” Andrew Hoog, a cybersecurity expert at NowSecure who reviewed the app, was somewhat more measured, noting it doesn’t look dramatically different from most consumer apps — but agreed the developers appear to be WordPress specialists rather than mobile security engineers.

Federal apps are traditionally required to use cloud services certified under FedRAMP and GovCloud standards, frameworks designed and audited specifically to handle the security requirements of government systems. The White House app routes data outside those frameworks entirely, to commercial platforms that operate under no such obligations.

This is also, notably, not the first time this administration has had a problem with the wrong communications tool in the wrong hands. In March 2025, classified details of imminent airstrikes on Yemen — including aircraft types, missiles, and attack times — were shared on a Signal group chat that inadvertently included a journalist. Iran’s Handala group later breached FBI Director Kash Patel’s personal Gmail, publishing hundreds of emails the DOJ confirmed appear authentic. The pattern is consistent: high-profile officials, consumer-grade tools, consequential results.

The White House app has received four updates since launch, two attributed to “minor bug fixes.” Location-tracking permissions that raised early concern were removed in one of those updates. Earlier reporting found the app collecting precise GPS coordinates every 4.5 minutes and transmitting them to third-party servers before those permissions were patched out.

The timing is hard to ignore

In March 2026, the Trump administration released its national cyber strategy, emphasizing a more offensive posture against foreign cyber threats and stronger protections for critical American infrastructure. That document was published by the same executive branch that simultaneously proposed cutting the Cybersecurity and Infrastructure Security Agency’s budget by between $491 million and $707 million, depending on the fiscal year, and reducing its workforce by roughly a third.

Senator Dick Durbin, the ranking member of the Senate Judiciary Committee, connected those dots in a statement: “In true Trump White House fashion, their lackluster app appears to pose a cybersecurity threat to its users. As this Administration continues to cut funds from CISA and other agencies designed to combat cybersecurity threats, the Trump White House should focus more on protecting the American people and less on apps that may pose a threat to our national security.”

The administration’s broader pattern of routing sensitive data through commercial contractors with limited federal oversight has drawn consistent criticism from privacy researchers and legislators. The White House app is the most visible example of that pattern yet — promoted personally by the president, downloaded by millions of people who may reasonably assume that “official government app” means “government-grade security.”

It was released by a WordPress shop. The privacy manifest is still blank.
