Did the U.S. government—which imposed sanctions on Huawei—install Huawei’s SDK into the official White House app?
TechFlow Selected TechFlow Selected
Did the U.S. government—which imposed sanctions on Huawei—install Huawei’s SDK into the official White House app?
The U.S. government has banned American companies from doing business with Huawei on national security grounds, yet the official app of the U.S. President contains Huawei’s code.
Navigating Web3 tides with focused insightsAuthor: TechFlow
On March 27, the Trump administration launched an official news app, claiming it would let users access White House information “unfiltered.”
Yet within 48 hours, multiple independent security audits revealed a deeply ironic fact: the app’s installation package embedded Huawei’s tracking components—despite Huawei being a Chinese company that the U.S. government itself has placed on its sanctions blacklist over national security concerns.
In addition, the app requests a series of system permissions far exceeding what any news app reasonably needs—including GPS location access, fingerprint authentication, and auto-start at device boot. X (formerly Twitter) promptly added a Community Note warning to the app’s official promotional post.
Why does an app for publishing press releases and streaming presidential events need to read your fingerprint?
Security researcher Sam Bent conducted a reverse-engineering analysis of the White House app (version 47.0.1) and scanned it using Exodus Privacy—an open-source Android app privacy auditing platform widely used in the privacy research community to detect embedded trackers and permission requests. The scan revealed three embedded trackers, one of which was Huawei Mobile Services Core.
IBTimes later independently reported the same finding. Legal analyst mitchthelawyer also confirmed Exodus’s report in a Substack post. Three independent sources converged on the same conclusion: the official White House app indeed contains Huawei SDK code.
It should be noted that Huawei Mobile Services Core is a push notification and analytics SDK Huawei provides for the global Android ecosystem. Many apps targeting international markets embed it to ensure compatibility with Huawei devices.
Its presence in the installation package does not necessarily mean it actively transmits data back to Huawei. But the core issue remains:
The U.S. government prohibits American companies from doing business with Huawei on national security grounds—yet the official app of the U.S. president includes Huawei’s code. A Hacker News comment cut straight to the point: this is likely due to default configurations by outsourced contractors, and White House decision-makers may not even be aware of the Huawei SDK’s inclusion—“but that may be even more concerning than intentional inclusion.”
Permission list rivals system utilities—but the privacy policy hasn’t been updated in a year
The White House app requests permissions including precise GPS location, fingerprint biometric authentication, storage read/write access, auto-start at boot, overlay windows over other apps, Wi-Fi network scanning, and reading notification badges. By comparison, AP News—a comparable news app delivering breaking news and disaster coverage—requires far fewer permissions.
According to IBTimes, the app’s developers admitted that the technical plugin originally intended to strip out location-related code “clearly failed to remove any related code.”
A larger problem lies in the privacy policy. Cross-verified by both IBTimes and mitchthelawyer’s Substack article, the privacy policy applicable to the White House app was last updated on January 20, 2025—exactly one year before the app’s launch. That policy covers only website visits, email subscriptions, and social media pages. It makes no mention whatsoever of mobile apps, GPS tracking, location data collection, or biometric access. When users click “Agree,” they are consenting to a document that does not cover the app’s actual behavior.
Embedded propaganda messaging and immigration reporting portal
The app includes a “Send a text to the President” button. Clicking it pre-fills the message box with: “Greatest President Ever!” If users choose to send it, the system collects their name and phone number.
Additionally, the app embeds an ICE reporting button. ICE stands for U.S. Immigration and Customs Enforcement—the federal agency responsible for immigration enforcement and deportation operations. Clicking this button redirects users directly to ICE’s confidential informant reporting page, where they can anonymously report individuals suspected of being undocumented immigrants.
A nominally governmental news distribution tool simultaneously functions as a political propaganda channel and a law enforcement reporting interface. Within two days of launch, X users added a Community Note to the White House’s official promotional post, warning others about associated privacy risks.
Not just the White House: FBI app serves ads; FEMA app demands 28 permissions
In the same investigation, Sam Bent audited several other federal agency apps using Exodus—and found the White House app is far from an isolated case.
The FBI’s official app, “myFBI Dashboard,” requests 12 permissions and embeds four trackers—including Google AdMob, an advertising SDK. A federal law enforcement agency’s official app reads users’ device identifiers while serving targeted ads.
The FEMA (Federal Emergency Management Agency) app requests 28 permissions, despite its core functionality being limited to displaying weather alerts and shelter locations.
The CBP (U.S. Customs and Border Protection) passport control app requests 14 permissions, seven of which are classified as “dangerous”—including background location tracking (which continues even after the app is closed) and full storage read/write access. The entire CBP app ecosystem retains collected facial data for up to 75 years and shares it across the Department of Homeland Security, ICE, and the FBI.
At a deeper level of data procurement, the Department of Homeland Security, FBI, Department of Defense, and Drug Enforcement Administration purchase over 15 billion location data points daily—covering more than 250 million devices—via commercial data brokers such as Venntel, all without requiring search warrants. This practice effectively circumvents the Supreme Court’s 2018 Carpenter v. United States ruling, which established constitutional protections for cellphone location data.
Multiple Hacker News commenters summarized the common logic behind these apps: the government packages publicly available content—content that could easily be delivered via websites or RSS feeds—into native apps solely to obtain system-level permissions unavailable to browsers, including background location, biometric authentication, device identity reading, and auto-start at boot.
A 2023 report by the U.S. Government Accountability Office (GAO) revealed that nearly 60% of the 236 privacy and security recommendations issued since 2010 remain unimplemented. Congress has twice been advised to enact comprehensive internet privacy legislation—and has yet to act.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
深潮TechFlow
