The U.S. government sanctions Huawei, but has it integrated a Huawei SDK into the official White House app?


Author: Deep Tide TechFlow

On March 27, the Trump administration launched an official news app, claiming it would let users “connect to White House information without filters.”

But multiple independent security audits uncovered, within 48 hours, a highly ironic fact: the app’s installation package embeds Huawei tracking components—Huawei being the Chinese company that the U.S. government itself has placed on its sanctions blacklist on national security grounds.

In addition, the app asks for a range of system permissions far beyond what a news app would need, such as GPS location, fingerprint recognition, and boot auto-start. On the X platform, the app’s official promotional posts were quickly met with community note warnings.

A news-release and presidential livestream app—why does it need to read your fingerprint?

After security researcher Sam Bent reverse-engineered the White House app (version number 47.0.1), he scanned it using Exodus Privacy. Exodus Privacy is an open-source Android app privacy audit platform that specializes in detecting in-app trackers and permission requests, and it is widely used in the privacy research community. The scan results showed that the White House app embeds 3 trackers, one of which is Huawei Mobile Services Core.

IBTimes then independently reported the same finding, and legal analyst mitchthelawyer also published on Substack confirming the conclusions of the Exodus report. Three independent sources pointed to the same fact: the White House official app does indeed contain Huawei SDK code.

It’s worth noting that Huawei Mobile Services Core itself is a push and analytics SDK that Huawei provides for the global Android ecosystem. Many apps targeting international markets embed it to be compatible with Huawei phones.

Its presence in the installation package doesn’t necessarily mean it actively sends data back to Huawei. But the problem is:

The U.S. government bans its own companies from doing business with Huawei on national security grounds, yet the president's official app still ships with Huawei code. As one comment on Hacker News put it: this is most likely the default configuration of an outsourced contractor, and the White House decision-makers may not even know the Huawei SDK exists, “but that may be more worrying than intentionally embedding it.”

Permission list rivals system tools, while the privacy policy stays a year behind

The White House app requests permissions including: precise GPS location, fingerprint biometric recognition, storage read/write, boot auto-start, drawing over other apps, Wi-Fi network scanning, and reading notification badges. For comparison, AP News provides similar news push and disaster coverage, but it requires far fewer permissions.
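The kind of static check described above (listing requested permissions and matching embedded code against tracker signatures), as an added example that is not from the article or from Exodus Privacy. The manifest and class list are constructed samples, the class-name prefixes are assumed signatures for the two SDKs the article names, and a real APK's binary manifest must first be decoded (for example with apktool).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of permissions that Android assigns the "dangerous" protection level.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Assumption: class-name prefixes used here as tracker code signatures.
TRACKER_PREFIXES = {
    "com.huawei.hms.": "Huawei Mobile Services (HMS) Core",
    "com.google.android.gms.ads.": "Google AdMob",
}

# Constructed sample manifest (already decoded to text), not the real app's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.newsapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""

# Constructed sample of class names as listed from a decompiled APK.
SAMPLE_CLASSES = [
    "com.example.newsapp.MainActivity",
    "com.huawei.hms.push.HmsMessageService",
    "androidx.core.app.NotificationCompat",
]

def audit(manifest_xml, class_names):
    """Return requested permissions, the dangerous subset, and matched trackers."""
    root = ET.fromstring(manifest_xml)
    perms = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    dangerous = sorted(p for p in perms if p in DANGEROUS)
    # A tracker counts as embedded if any class falls under its prefix;
    # presence in the package does not show that it transmits data at runtime.
    trackers = sorted(name for prefix, name in TRACKER_PREFIXES.items()
                      if any(c.startswith(prefix) for c in class_names))
    return {"permissions": perms, "dangerous": dangerous, "trackers": trackers}

if __name__ == "__main__":
    for key, values in audit(SAMPLE_MANIFEST, SAMPLE_CLASSES).items():
        print(key, values)
```
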

IBTimes reported that the app’s developer admitted that the technical plug-in originally used to strip location permissions “apparently didn’t strip any related code.”

The bigger issue is the privacy policy. Cross-confirmed by IBTimes and mitchthelawyer’s Substack articles, the privacy policy applicable to the White House app was last updated on January 20, 2025—an entire year before the app launched. The policy only covers website access, email subscriptions, and social media pages, and says nothing about the mobile app, GPS tracking, location data collection, biometric access, and so on. When users click “Agree,” they are agreeing to a document that fundamentally does not cover the app’s actual behavior.

Embedded promotional copy and an immigration reporting entry

The app includes a button labeled “Send a text to the President.” After clicking it, the message text box is automatically filled in with the line “Greatest President Ever!” If the user chooses to send it, the system will collect their name and mobile number.

In addition, the app embeds an ICE reporting button. ICE is the U.S. Immigration and Customs Enforcement agency, responsible for immigration enforcement and deportation operations. Clicking this button takes the user directly to ICE’s informant tip page, where users can anonymously report people nearby suspected of being illegal immigrants.

What is billed as a government news release tool also serves as a vehicle for political propaganda and as a data-collection entry point for law-enforcement tips. Less than two days after launch, X users added community notes to the White House official promotional post, reminding other users to watch out for privacy risks.

Not just the White House: FBI app runs ads, FEMA needs 28 permissions

In the same investigation, Sam Bent ran an Exodus audit on multiple federal agency apps and found that the White House app is far from an isolated case.

The FBI official app “myFBI Dashboard” requests 12 permissions and embeds 4 trackers, including Google AdMob—an ad-delivery SDK. An official app of a federal law enforcement agency runs targeted ads while reading users’ mobile identity information.

The FEMA (Federal Emergency Management Agency) app requests 28 permissions, and its core functions are only to display weather alerts and the locations of shelters.

A passport-control app from U.S. Customs and Border Protection (CBP) requests 14 permissions, 7 of which are categorized as “dangerous permissions,” including background location tracking (tracking even after the app is closed) and full storage read/write. Facial data collected across the CBP application ecosystem is retained for up to 75 years, and the data is shared among the Department of Homeland Security, ICE, and the FBI.

At a deeper data procurement layer, the Department of Homeland Security, the FBI, the Department of Defense, and the Drug Enforcement Administration purchase more than 15 billion location data points every day through commercial data brokers such as Venntel, covering more than 250 million devices—without a warrant. In substance, this operation bypasses the mobile location data privacy protections established by the U.S. Supreme Court in its 2018 Carpenter v. United States decision.

Multiple commenters on Hacker News summarized the common logic behind these apps: the government packages content that could have been published via a website or RSS into native app distribution. The only reasonable explanation is to obtain system-level permissions that browsers don’t provide, including background location, biometrics, device identity access, and boot auto-start.

A 2023 report by the U.S. Government Accountability Office (GAO) shows that among 236 privacy and security recommendations issued since 2010, nearly 60% still haven’t been implemented. The U.S. Congress has been advised twice to pass comprehensive internet privacy legislation, but so far there’s been no action.
