Native Apps Should Be Avoided Whenever Possible
TL;DR: What you should do:
- Openly refuse apps, and vocally advocate for the web instead.
- Try not to install any apps if you don’t need to.
- If a service has a functioning website, use it instead.
- Revoke all permissions by default, including background location, microphone, and camera permissions for anything that doesn’t require them to function.
- Audit your installed apps. Uninstall all apps you don’t actively need.
- Treat every “download our app” prompt with skepticism.
Most native apps collect far more data than their website equivalents ever could. They request permissions to hardware, sensors, and background processes that browsers deliberately restrict. The third-party software embedded in these apps frequently transmits your location, device identifiers, and behavioral data to third parties before you even see a consent prompt. This data is in turn bought, sold, and aggregated by brokers. It has been used to out individuals, track immigrants, and enable prosecution over reproductive healthcare.
The White House App
On March 27, 2026, the Trump administration released an official White House app for iOS and Android. Within hours, two independent security researchers decompiled it and published their findings [1]. The app is a textbook example of everything wrong with the native app model.
Apple requires apps to submit a privacy manifest disclosing what data they collect. The White House app declared an empty array. Zero data collection. Meanwhile, the actual binary contained ten analytics frameworks, including the full OneSignal SDK with a sub-framework specifically for location tracking [2]. The GPS pipeline polled precise coordinates every 4.5 minutes in the foreground and every 9.5 minutes in the background, syncing everything to OneSignal’s commercial servers. A boolean flag in OneSignal’s server responses could remotely enable or disable GPS tracking without an app update and without Apple review.
An Exodus Privacy audit identified three embedded trackers, one of which was Huawei Mobile Services Core [3]. The app’s privacy policy, last updated January 20, 2025, makes no mention of GPS tracking, OneSignal, or background data collection.
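A check for the kind of mismatch described above, as an added example that is not code from the cited researchers or from Exodus Privacy: it parses a privacy manifest and compares it with the frameworks shipped in the app bundle. The manifest, the bundle listing, and the watch list are constructed, and it assumes the "empty array" is the standard `NSPrivacyCollectedDataTypes` key.

```python
import plistlib

# Constructed PrivacyInfo.xcprivacy for a hypothetical app: it declares nothing.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPrivacyTracking</key><false/>
  <key>NSPrivacyCollectedDataTypes</key><array/>
</dict></plist>"""

# Constructed listing of an unpacked app bundle. Framework names are made up
# for illustration; only the "OneSignal" prefix comes from the article.
SAMPLE_BUNDLE = [
    "Example.app/Info.plist",
    "Example.app/PrivacyInfo.xcprivacy",
    "Example.app/Frameworks/OneSignalCore.framework/OneSignalCore",
    "Example.app/Frameworks/OneSignalLocation.framework/OneSignalLocation",
    "Example.app/Frameworks/ExampleUIKit.framework/ExampleUIKit",
]
SDK_PREFIXES = ("OneSignal",)  # assumed watch list; extend with SDKs you track

def embedded_frameworks(paths):
    """Names of every *.framework directory found in the bundle listing."""
    found = set()
    for path in paths:
        for part in path.split("/"):
            if part.endswith(".framework"):
                found.add(part[: -len(".framework")])
    return sorted(found)

def check_privacy_manifest(manifest_bytes, paths, sdk_prefixes=SDK_PREFIXES):
    """Compare what the manifest declares with the SDKs shipped in the bundle."""
    manifest = plistlib.loads(manifest_bytes)
    declared = [entry.get("NSPrivacyCollectedDataType")
                for entry in manifest.get("NSPrivacyCollectedDataTypes", [])]
    tracking = bool(manifest.get("NSPrivacyTracking", False))
    sdks = [f for f in embedded_frameworks(paths) if f.startswith(sdk_prefixes)]
    return {
        "declared_types": declared,
        "declares_tracking": tracking,
        "sdk_frameworks": sdks,
        # Watched SDKs are present, yet nothing is declared: look closer.
        "mismatch": bool(sdks) and not declared and not tracking,
    }
```

A `mismatch` of `True` is a prompt for manual review, not proof of collection; embedded SDKs may also ship their own privacy manifests inside their framework directories.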
Nearly everything in the app is available on whitehouse.gov. The app’s unique additions are push notifications, a pre-filled text message to the President, and an ICE tip button (also available on ice.gov). What it actually added at scale was a surveillance pipeline: 77% of the app’s network requests go to third parties, not whitehouse.gov.
The Software Embedded in Apps
Most people think of apps as products built by a single company. In practice, the average app is a thin wrapper around dozens of third-party software packages, each with its own data collection pipeline and commercial incentives. When you grant an app permission to access your location, every package embedded in that app inherits that permission. A single package can appear in hundreds of apps, feeding location data on millions of people to a single aggregator.
In January 2025, a hacker breached Gravy Analytics and leaked roughly 30 million location records collected from 3,455 apps — dating, fitness, gaming, and health apps among them [4]. The FTC subsequently banned Gravy Analytics from selling Americans’ location data [5], but by then the data was already circulating on cybercrime forums.
In a separate case, Google paid $391.5 million to settle claims from 40 states for continuing to collect location data even when users explicitly disabled location tracking [6].
Why Everyone Should Care
This data is bought, sold, and aggregated by brokers. It has been used to out individuals, track immigrants, and enable prosecution over reproductive healthcare. In multiple cases, journalists and private groups have purchased app-derived location data to identify specific people based on their movements.
There are virtually no restrictions in the United States on buying, selling, or weaponizing this data. There is no comprehensive federal privacy law. And there isn’t likely to be one soon. The best we can do is minimize the data we share in the first place.
What Apps Can Do That Websites Can’t
The core argument for using the website instead of the app comes down to what each platform is technically capable of doing without your knowledge.
| Capability | Native App | Website / PWA |
|---|---|---|
| Background location tracking | Yes, can poll GPS continuously | No |
| Run at device startup | Yes | No |
| Access biometric hardware | Yes | Limited (WebAuthn, user initiated) |
| Modify or delete device storage | Yes | No (sandboxed to browser) |
| Embed invisible third-party software | Yes, all inherit granted permissions | No, scripts visible in page source |
| Transmit data before consent prompt | Yes (common with third-party software) | Restricted by browser policies |
| Push notifications while closed | Yes | Yes (PWA, user opt in required) |
| Access contacts, call logs, SMS | Yes (if permitted) | No |
| Prevent phone from sleeping | Yes | No |
| Camera and microphone | Yes (persistent if granted) | Yes (per session, prompted each time) |
| Offline functionality | Yes | Yes (via service workers) |
The browser is the security boundary. Websites operate within it. Native apps bypass it.
The Access Provided by Default is Enough to Do Real Harm
The moment you install an app, before you allow a single permission prompt, it can:
- Reach any server on the internet
- Read your IP address, device model, OS version, timezone, country, carrier, and network type
- Generate and persist a unique identifier tied to your device
- Run code at device startup (Android) and wake up in the background
- Fingerprint your device by combining the above into a signature that follows you across sessions
- Grant all of this same access to every third-party software package embedded in the app
- Compare this data to other datasets to infer your identity, demographics, interests, and habits
The runtime permission prompts you actually see (location, camera, contacts) are helpful, if annoying, but most of the default access listed above never requires your consent.
A website, by contrast, starts with almost none of this: no persistent identifier, no background execution, no third-party software inheritance, no startup hooks.
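To see the split between silent and prompted access for a specific Android app, the following added example (not part of the original article) reads a decoded `AndroidManifest.xml` and separates permissions granted at install time from those that trigger a prompt, and lists components that ask to start at boot. The manifest is constructed for a hypothetical app, and the permission sets are a subset of Android's documented protection levels.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# "normal" permissions are granted at install with no prompt;
# "dangerous" ones require a runtime prompt. Subset only.
NORMAL = {"INTERNET", "ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE",
          "RECEIVE_BOOT_COMPLETED", "WAKE_LOCK", "FOREGROUND_SERVICE"}
DANGEROUS = {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
             "ACCESS_BACKGROUND_LOCATION", "CAMERA", "RECORD_AUDIO",
             "READ_CONTACTS", "READ_CALL_LOG", "READ_SMS"}

# Constructed sample manifest for a hypothetical app, not from any real APK.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.storeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="com.example.sdk.permission.CUSTOM"/>
  <application>
    <receiver android:name="com.example.sdk.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Split declared permissions by whether the user is ever asked."""
    root = ET.fromstring(xml_text.strip())
    report = {"silent": [], "prompted": [], "unclassified": [], "boot_receivers": []}
    for el in root.iter("uses-permission"):
        name = el.get(A + "name", "")
        short = name.rsplit(".", 1)[-1]
        platform = name.startswith("android.permission.")
        if platform and short in NORMAL:
            report["silent"].append(short)
        elif platform and short in DANGEROUS:
            report["prompted"].append(short)
        else:
            report["unclassified"].append(name)  # vendor-defined or not in the subset
    for rc in root.iter("receiver"):  # components asking to run at device startup
        actions = {a.get(A + "name") for a in rc.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            report["boot_receivers"].append(rc.get(A + "name"))
    return report
```

Everything under `silent` and `boot_receivers` is access the user is never asked about, and it applies to every package bundled into the app.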
Some Things Need to Be Apps, But Most Don’t
Some things need to be apps. AR and VR, real-time games, anything talking to NFC or Bluetooth hardware, serious audio and video work, accessibility tools. These are legitimate cases where the browser sandbox is the limitation. In these circumstances, I personally use a full computer as opposed to my phone.
Almost nothing else qualifies. Your banking, your travel, your grocery store, the restaurant down the street — none of it needs an app. And rewards be damned. No rewards are worth the data you are willingly giving them.
Same goes for hardware. If a thermostat or a fitness tracker can’t be set up without a proprietary app, that’s a flaw in the product, not a feature. I immediately avoid such products. You’re buying an ongoing relationship with someone else’s servers and guaranteeing that you’ll forget that corporations are watching everything they can.
Conclusion
I avoid most apps. It turns out this is easier than most people assume, because the app is almost never the only option. It is just the option the company wants you to take and not enough people question.
We are at a very specific time in humanity right now, where aggregating data is a currency and it is actively being utilized at a scale never before seen. I recommend you at least take stock of what you’re freely giving away.
References
1. I Decompiled the White House’s New App (Thereallo, March 28, 2026) and Security Analysis of the Official White House iOS App (atomic.computer, March 27, 2026). Two independent researchers decompiled the app on Android and iOS within hours of release.
2. Security Analysis of the Official White House iOS App (atomic.computer). Documents the empty privacy manifest, OneSignal SDK with ten sub-frameworks, and the remote GPS toggle via server response.
3. Exodus Privacy Report: gov.whitehouse.app. Automated audit identifying three embedded trackers including Huawei Mobile Services Core. Additional context in Fedware: 13 Government Apps That Spy Harder Than the Apps They Ban (Sam Bent).
4. A breach of Gravy Analytics’ huge trove of location data threatens the privacy of millions (TechCrunch, January 13, 2025).
5. FTC Finalizes Order Prohibiting Gravy Analytics, Venntel from Selling Sensitive Location Data (FTC, January 14, 2025).
6. Google to pay $391.5 million in location tracking settlement with 40 states (TechCrunch, November 14, 2022).