GoKawiilThe White House app ships with a sanctioned Chinese tracking SDK, the FBI app serves ads, and FEMA wants 28 permissions to show you weather alerts.
The federal government released an app yesterday, March 27th, and it's spyware.
Listen to this article 0:00 --:-- 1x Failed to load audio
The White House app markets itself as a way to get "unparalleled access" to the Trump administration, with press releases, livestreams, and policy updates. The kind of content that every RSS feed on the planet delivers with one permission: network access. But the White House app, version 47.0.1 (because subtlety died a long time ago), requests precise GPS location, biometric fingerprint access, storage modification, the ability to run at startup, draw over other apps, view your Wi-Fi connections, and read badge notifications. It also ships with 3 embedded trackers including Huawei Mobile Services Core (yes, the Chinese company the US government sanctioned, shipping tracking infrastructure inside the sitting president's official app), and it has an ICE tip line button that redirects straight to ICE's reporting page.
This thing also has a "Text the President" button that auto-fills your message with "Greatest President Ever!" and then collects your name and phone number. There's no specific privacy policy for the app, just a generic whitehouse.gov policy that doesn't address any of the app's tracking capabilities.
The White House app might actually be one of the milder ones. I've been going through every federal agency app I can find on Google Play, pulling their permissions from Exodus Privacy (which audits Android APKs for trackers and permissions), and what I found deserves its own term. I'm calling it Fedware.
Ok so let me walk you through what the federal government is running on your phone.
The FBI's app, myFBI Dashboard, requests 12 permissions including storage modification, Wi-Fi scanning, account discovery (it can see what accounts are on your device), phone state reading, and auto-start at boot. It also contains 4 trackers, one of which is Google AdMob, which means the FBI's official app ships with an ad-serving SDK while also reading your phone identity. From what I found, the FBI's news app has more trackers embedded than most weather apps.
The FEMA app requests 28 permissions including precise and approximate location, and has gone from 4 trackers in older versions down to 1 in v3.0.14. Twenty-eight permissions for an app whose primary function is showing you weather alerts and shelter locations. To put that in context, the AP News app delivers the same kind of disaster coverage with a fraction of the permissions.
IRS2Go has 3 trackers and 10 permissions in its latest version, and according to a TIGTA audit, the IRS released this app to the public before the required Privacy Impact Assessment was even signed, which violated OMB Circular A-130. The app shares device IDs, app activity, and crash logs with third parties, and TIGTA found that the IRS never confirmed that filing status and refund amounts were masked and encrypted in the app interface.
... continue reading