Governments spying on Apple and Google users through phone notifications, U.S. senator says
Governments spying on Apple and Google users through phone notifications, U.S. senator says
U.S. Senator Ron Wyden warned that foreign governments are spying on smartphone users by compelling Apple and Google to turn over push notification records
I guess that would explain the difficulties some apps face without push notifications and releasing APKs. These big companies want you to rely on their systems. Signal was pushing their app through play store. I don't know if an equivalent exists, but it really needs to. We need this, combined with f-droid, so we don't have to use spyware like the Play Store.
Signal does in fact distribute an APK that isn't dependant on Play Services/FCM on their website. Uses a websocket, so not the most elegant way I guess, but oh well.
It's rather hidden, which I think is disappointing. But it exists. Updates itself, too.
Just don't use push, almost all of the privacy respecting apps have their own notifications
And also, there's ntfy for some (hope to be more widespread)
Anyone could explain how push messages work? Let's think about WhatsApp or Signal notifications, they contains lots of data, even if we think only about metadata, that is also a lot, if you try to find someone and examine tons of anonymous pushes to find 'that needed' ones? Seems possible. Um..
For android, Google uses Firebase Cloud Messaging, basically a server that pings the phone when a notification for an app is available, which wakes the app up to receive the notification. There are alternatives but they need to be adopted by app devs for them to work.
For people running a degoogled android, they'll notice most apps won't receive any notifications until they open the apps since most apps rely on Google Play Services to receive a ping from FCM.
I don't have any google play services so most of my apps don't give me push notifications but I do have WhatsApp installed and that still receives notifications, they're sometimes delayed by a few minutes which makes me think Meta have their own implementation/alternative to FCM but I'm not sure.
For Signal, their servers tell Googles FCM servers that you have notifications waiting on Signals servers and to wake up your Signal app so it can communicate with Signals servers to receive your messages.
WhatsApp and Signal claim/have end-end encryption on their messages but that shouldn't matter when specifically looking at Googles FCM servers so, at most it would be meta data that could be obtained from the FCM servers.
https://jami.net/unifiedpush/ has a pretty basic explanation of push notifications on android and also showcases an alternative to FCM https://unifiedpush.org/ which has a nice little diagram about push notifications on android. Unfortunately, Unifiedpush is not widely adopted by many applications.
So there are ways to avoid Googles FCM servers on android using Unifiedpush or always having the application on in the background but for the most part FCM is used.
Curious about this too. From what I could find, for those it seems like the push is being used to wake up the app and tell it to connect to the server where it grabs the data and then creates the notification locally. Even if a bare minimum is used there is room for traffic analysis, and I imagine Google can easily tell the app being targeted for the push, but it shouldn't mean the contents of the displayed notification are necessarily what was sent through the server. It's hard to find info without digging because consumer-facing stuff just calls every notification a push notification.
The alternative is an app keeping a constant connection open to the server, which understandably mobile OSs don't like. With push only the one service needs to keep an open connection to provide updates for all the apps.