Our security analysis and network traffic analysis of the official White House iOS app found that its privacy manifest declares zero data collection while the app ships 10 OneSignal analytics frameworks and contacts 30+ third-party hosts.
You don’t have to take our word for it. Here’s how to verify it yourself on Windows or Mac. No jailbreak, no special hardware, no hacking. Just standard tools pointed at a free app from the App Store.
Want to skip the manual steps? On Mac or Linux, download our check-privacy-manifest.sh script and run it against any app:
curl -O https://www.atomic.computer/check-privacy-manifest.sh
chmod +x check-privacy-manifest.sh
./check-privacy-manifest.sh gov.whitehouse.app
Always read scripts before you run them, including ours. Use
cat check-privacy-manifest.sh
to review the script contents before running it.
What You Need
- An Apple ID (free)
- ipatool – an open source tool that downloads IPA files from the App Store
- A terminal (Command Prompt or PowerShell on Windows, Terminal on Mac)
- Any text editor
Step 1: Download ipatool
Mac (Homebrew):
brew install ipatool
Windows or Mac (manual):
Go to the ipatool releases page and download the binary for your platform:
- Windows: ipatool-windows-amd64.exe
- Mac (Intel): ipatool-darwin-amd64
- Mac (Apple Silicon): ipatool-darwin-arm64
On Mac, make it executable:
chmod +x ipatool-darwin-arm64
Step 2: Authenticate with Your Apple ID
Windows:
ipatool-windows-amd64.exe auth login -e YOUR_APPLE_ID_EMAIL
Mac (Homebrew):
ipatool auth login -e YOUR_APPLE_ID_EMAIL
Mac (manual):
./ipatool-darwin-arm64 auth login -e YOUR_APPLE_ID_EMAIL
Enter your password when prompted. ipatool will ask for your password twice – this is normal. If you have 2FA enabled (you should), you’ll be asked for the verification code.
Step 3: Download the App
Windows:
ipatool-windows-amd64.exe download -b gov.whitehouse.app
Mac (Homebrew):
ipatool download -b gov.whitehouse.app
Mac (manual):
./ipatool-darwin-arm64 download -b gov.whitehouse.app
This downloads the IPA file to your current directory. The filename will be something like gov.whitehouse.app_47.0.4.ipa.
Step 4: Extract the IPA
An IPA file is just a zip archive.
Windows:
ren gov.whitehouse.app*.ipa whitehouse.zip
tar -xf whitehouse.zip
Or right-click the renamed .zip file and select “Extract All.”
Mac:
unzip gov.whitehouse.app*.ipa -d whitehouse_extracted
Step 5: View the Privacy Manifest
The privacy manifest is an XML file inside the app bundle.
Windows:
notepad Payload\WhiteHouse.app\PrivacyInfo.xcprivacy
Mac:
cat whitehouse_extracted/Payload/WhiteHouse.app/PrivacyInfo.xcprivacy
Or use plutil on Mac for a cleaner view:
plutil -p whitehouse_extracted/Payload/WhiteHouse.app/PrivacyInfo.xcprivacy
You’ll see:
<key>NSPrivacyCollectedDataTypes</key>
<array/>
<key>NSPrivacyTracking</key>
<false/>
An empty array. The app tells Apple it collects no data and performs no tracking.
Step 6: See What’s Actually Inside
Now look at what frameworks shipped with the app:
Windows:
dir Payload\WhiteHouse.app\Frameworks\
Mac:
ls whitehouse_extracted/Payload/WhiteHouse.app/Frameworks/
You’ll see 10 OneSignal frameworks:
OneSignalCore.framework
OneSignalExtension.framework
OneSignalFramework.framework
OneSignalInAppMessages.framework
OneSignalLiveActivities.framework
OneSignalLocation.framework
OneSignalNotifications.framework
OneSignalOSCore.framework
OneSignalOutcomes.framework
OneSignalUser.framework
OneSignalLocation.framework contains GPS tracking methods. You can verify this yourself:
Mac:
nm whitehouse_extracted/Payload/WhiteHouse.app/Frameworks/OneSignalLocation.framework/OneSignalLocation | grep -i location
Windows (using strings from Git for Windows, which you may already have):
strings Payload\WhiteHouse.app\Frameworks\OneSignalLocation.framework\OneSignalLocation | findstr /i location
You’ll see symbols like sendLocation, requestLocation, and didUpdateLocations. The framework isn’t currently active, but the complete location tracking pipeline is compiled into the binary and could be enabled with a server-side configuration change, as we verified against OneSignal’s open source SDK on GitHub.
Step 7: Check the Location Permission Strings
Windows:
Open Payload\WhiteHouse.app\Info.plist in a text editor and search for “location.”
Mac:
plutil -p whitehouse_extracted/Payload/WhiteHouse.app/Info.plist | grep -i location
In the current version (v47.0.4+), you’ll see:
NSLocationWhenInUseUsageDescription: "This app does not use your location."
The permission string says the app doesn’t use your location. The binary contains a framework whose entire purpose is location tracking — it’s not currently active, but it’s there and could become active without an app update.
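Steps 4 through 7 can also be done in one pass on either platform. The following is an added example, not the check-privacy-manifest.sh script or any code from this post. It reads the IPA as a zip, parses the app's privacy manifest and Info.plist, and compares the declaration with the bundled frameworks. The `WATCHLIST` prefixes, the function names and the sample IPA are assumptions constructed for illustration.

```python
import io
import plistlib
import zipfile

WATCHLIST = ("OneSignal",)  # assumption: SDK name prefixes to flag, taken from this page

def audit_ipa(ipa, watchlist=WATCHLIST):
    """Compare an IPA's declared privacy manifest with the frameworks it bundles."""
    manifest, info, frameworks = None, {}, set()
    with zipfile.ZipFile(ipa) as z:
        for name in z.namelist():
            parts = name.split("/")
            # Only look inside Payload/<Name>.app/
            if len(parts) < 3 or parts[0] != "Payload" or not parts[1].endswith(".app"):
                continue
            if parts[2:] == ["PrivacyInfo.xcprivacy"]:
                manifest = plistlib.loads(z.read(name))  # handles XML and binary plists
            elif parts[2:] == ["Info.plist"]:
                info = plistlib.loads(z.read(name))
            elif parts[2] == "Frameworks" and len(parts) > 3 and parts[3].endswith(".framework"):
                frameworks.add(parts[3])
    declared = (manifest or {}).get("NSPrivacyCollectedDataTypes", [])
    flagged = sorted(f for f in frameworks if f.startswith(tuple(watchlist)))
    return {
        "manifest_present": manifest is not None,
        "declared_types": [d.get("NSPrivacyCollectedDataType") for d in declared],
        "tracking": bool((manifest or {}).get("NSPrivacyTracking", False)),
        "frameworks": sorted(frameworks),
        "flagged": flagged,
        "location_strings": {k: v for k, v in info.items() if "Location" in k},
        # A lead for review, not proof of collection: empty declaration plus flagged SDKs.
        "mismatch": manifest is not None and not declared and bool(flagged),
    }

def build_sample_ipa():
    """Constructed sample: a minimal in-memory IPA shaped like the one described here."""
    buf = io.BytesIO()
    app = "Payload/Sample.app/"
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(app + "PrivacyInfo.xcprivacy", plistlib.dumps(
            {"NSPrivacyCollectedDataTypes": [], "NSPrivacyTracking": False}))
        z.writestr(app + "Info.plist", plistlib.dumps(
            {"NSLocationWhenInUseUsageDescription": "This app does not use your location."}))
        for fw in ("OneSignalCore", "OneSignalLocation", "Sample"):
            z.writestr(f"{app}Frameworks/{fw}.framework/{fw}", b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for key, value in audit_ipa(build_sample_ipa()).items():
        print(f"{key}: {value}")
```

To run it against a real download, pass the path of the .ipa file to `audit_ipa` in place of the constructed sample. A `mismatch` result only says the declaration and the bundle contents disagree; whether data actually leaves the device is what traffic analysis establishes.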
What This Means
The privacy manifest is the mechanism Apple uses to enforce data collection transparency. It’s what powers the “App Privacy” section on the App Store listing. When it declares an empty array, Apple and users see “No Data Collected.”
Our network traffic analysis confirmed the app sends your IP address, timezone, country, device model, OS version, session count, session duration, and a persistent unique identifier to OneSignal on every launch. None of it is declared.
You now have all the same files we used for our analysis. Everything in our research is verifiable from what you just extracted.
Stay tuned for our next post where we’ll walk you through how to conduct MITM traffic analysis yourself, just like we did in our network traffic analysis.
About
Atomic Computer provides cybersecurity, infrastructure, and development services. If you need a security assessment of your mobile app, get in touch.