The case was the first time authorities charged people for alleged “Antifa” activities after President Trump designated the umbrella term a terrorist organization.
It always bears repeating, push notifications are not private, neither for Android, GrapheneOS, nor iOS, even if you use end-to-end encryption. If you are privacy conscious, you should either use settings to hide sensitive data from push notifications or turn them off altogether.
If you turn off notification history on Android, should be enough to avoid such “attacks”. Hiding sensitive content inside notifications only hides it in the lock screen. If your OS keeps a clear log of them, it’s useless.
Edit: didn’t know Signal actually has settings to hide their own notifications. I was thinking about Android’s “hide sensitive content” setting.
Local, on-device apps don’t need to go through FCM or any other servers to show notifications, apps generate notifications offline.
Same goes for Signal, it doesn’t ask FCM to deliver a notification, it asks to deliver a wakeup ping, and then the Signal app gets the message and generates a notification locally.
Signal only sends a “new message, retrieve the rest from Signal” ping to your phone through Firebase. It doesn’t contain message details, just that you have a new message.
Notification logging is usually done by some other part of android as far as I know. GMS is the typical way to deliver notifications and is a far more serious privacy concern, since it also directly passes googles servers and is not encrypted. However as others mentioned, signal does not send contents there, message notifications with the message contents stay on device.
If you don’t use Google Play Services, you don’t get push notifications, so yes. Libre reimplementations of Google Play Services such as Gapps etc. or alternative push notification providers do not circumvent this issue, except possibly self-hosted push notification providers. This approach is really rare though and limited generally to very few apps.
This is about a history of notifications locally on the phone.
This is implemented outside of gms at least on my rom, and in the past I have also installed a separate app to do the same.
If you log your notifications … that log can leak your notifications.
Yes, I know! Sorry for the confusion, I just wanted to take the opportunity to raise awareness about a privacy issue that lots of people aren’t aware of
If I turn off notifications on my end, does the other person still generate a push notification when they send me a message, even if I never receive it?
Edit: Sorry, I think I misunderstood your question. If you don’t have Google Play Services enabled but your friend does and messages you, no, a push notification won’t be sent, but if you message them, one will be sent to them.
I thought you were asking if you just disabled notifications on your phone if that would prevent push notifications from being sent. I’ll leave my original answer in case someone else has that question.
It depends on what exactly you mean, but usually not. If you mean in your phone’s notifications management settings, that does not affect the push notifications being sent to Google/Apple servers, that’s just a local setting to decide how your phone handles it.
Some apps, though rarely, allow you to disable push notifications from being sent. If it exists, this is inside a settings screen in the app itself or on the app provider’s website somewhere. Generally, only privacy-conscious apps provide such settings.
To send you a push notification, an app requires a special token specific to that app and your device, kinda like an API key, which can only be generated for a device using Google Play Services. Without that token, a push notification cannot be sent. These tokens expire, so if you used Google Play Services and just turned it off, push notifications will still get sent into the ether - but never delivered - until the token expires, at which point notifications can’t be sent anymore. Badly developed apps might still try to send push notifications with expired tokens, I have no idea what Google servers would do with that, but I’d guess they would just discard it immediately.
You might be getting pull notifications, that’s generally the workaround for push notifications being disabled - it generally increases battery usage because it forces the app to stay open in the background.
A push notification is pretty much just a ping that wakes up the app that is supposed to show you the notification. There usually isnt much data in that ping, so the only thing the Google firebase servers (or whatever other backend solution you use) see is a timestamp and an app. If you then disable Notification historie (default is off bzw on GraphenOS) there is no other data stored anywhere.
That’s metadata that every single chat service has, no matter if its E2EE or not, because that’s the bare minimum they need to transmit anything at all. If that already isn’t private for you then you’d have to stop using the internet or phonecalls entirely and go back to carrier pidgeons.
It depends on the app. Some apps do (or can be configured to) indeed send “empty”/blank notifications which just notify you that you’ve received a new message from an app, but not from whom, or what the message contains.
However most apps by default will contain more data, such as who the message is from, and some/all of the sent message body.
If you get a push notification on your phone, everything you see in that notification must by definition pass through the push notification service.
You seem to be under an impression that the actual notification that you see in the notification shade of your phone must go through FCM. That is not true. There are no external services involved in generating notifications on Android, apps can just show notifications by themselves.
What FCM is used for is sending a wakeup call to an app. The naming is confusing, but the “notification service” is not sending a notification in the sense of what you see in the notification shade. It is notifying an app of an event. The app can then react in any way it wants, possibly by creating a notification for the notification shade. But the notification you see in the UI of your phone didn’t go through FCM.
Some apps do (or can be configured to) indeed send “empty”/blank notifications which just notify you that you’ve received a new message from an app, but not from whom, or what the message contains.
And this is a completely separate thing. Yes, you can configure apps to not show details in notifications, but that has nothing to do with FCM. It only controls what the app does locally, when generating the local notification, after FCM is no longer involved (if it was involved in the first place - many notifications don’t need it, for example a notification from a timer app).
If you get a push notification on your phone, everything you see in that notification must by definition pass through the push notification service.
This statement is easy to disprove in another way too. FCM only supports sending up to 4KB of data, and yet you can get a notification with high resolution images. Which also shows that no, things you see in the notification didn’t have to pass through the push notification service - the local app got the data and prepared the notification by itself, possibly after being woken up to do so by FCM.
If you use GrapheneOS with push notifications, after enabling Google Play Services, those push notifications are relayed through Google servers. Most apps will include message sender and text in the push notification, meaning that data will pass through Google servers and they can read it.
If you are a GrapheneOS user and leave Google Play Services disabled - which they are by default - you have nothing to worry about, but notifications are generally delayed and use more battery as a downside.
Signal doesn’t send anything in the payload. They just use it to wake the phone up and then download all messages that are waiting to be delivered through the usual encrypted means. All Google knows is that something happened at that time. They don’t know anything else.
So it’ll use TLS encryption, meaning that others on your network won’t be able to snoop it, but not end-to-end encryption, so Google/Apple servers will see the plaintext of the push notification content.
This is a limitation of the specific implementation of how push notifications work. End-to-end encrypted push notifications would be technically possible but it would require Apple/Google to make it possible. Developers can’t implement it without getting you to run some services yourself, either self-hosted or a long-running background process on your phone, which would be a battery drain.
The link you shared isn’t really relevant to push notifications specifically.
The best happy medium we can get is to send empty/blank push notifications, which some apps including Signal offer as an option, but you often need to set it that way in the settings. I think Signal does that by default, but very few apps do.
The push notification for most messengers is a ping with little to no data in it, telling the app to grab messages directly via TLS. That’s how e2e works with push.
It depends on the app. Some apps do (or can be configured to) indeed send “empty”/blank notifications which just notify you that you’ve received a new message from an app, but not from whom, or what the message contains.
However most apps by default will contain more data, such as who the message is from, and some/all of the sent message body.
If you get a push notification on your phone, everything you see in that notification must by definition pass through the push notification service.
I’d disagree with “most messengers” doing that, in my experience, most don’t do it by default. Signal is a pretty rare exception to do so by default.
I’d disagree with “most messengers” doing that, in my experience, most don’t do it by default. Signal is a pretty rare exception to do so by default.
What messenger doesn’t? Signal, WhatsApp, Matrix, Snapchat, Discord, Telegram, etc. I’d say “most” is pretty accurate. No idea what Wechat does, but that’s a whole different story.
If you get a push notification on your phone, everything you see in that notification must by definition pass through the push notification service.
Also not true. What you “see” could have been retrieved post-notification, as described in the message you responded to. What you see has nothing to do with what goes through the push service and is a full technical inacurracy.
It always bears repeating, push notifications are not private, neither for Android, GrapheneOS, nor iOS, even if you use end-to-end encryption. If you are privacy conscious, you should either use settings to hide sensitive data from push notifications or turn them off altogether.
If you turn off notification history on Android, should be enough to avoid such “attacks”. Hiding sensitive content inside notifications only hides it in the lock screen. If your OS keeps a clear log of them, it’s useless.
Edit: didn’t know Signal actually has settings to hide their own notifications. I was thinking about Android’s “hide sensitive content” setting.
Notifications go through FireBase Cloud Messaging (FCM) on Android. They bounce off a Google server. Even from local, on-device apps.
Same with iOS.
They can read and store every one of them, and you don’t control the encryption keys.
Local, on-device apps don’t need to go through FCM or any other servers to show notifications, apps generate notifications offline.
Same goes for Signal, it doesn’t ask FCM to deliver a notification, it asks to deliver a wakeup ping, and then the Signal app gets the message and generates a notification locally.
Signal only sends a “new message, retrieve the rest from Signal” ping to your phone through Firebase. It doesn’t contain message details, just that you have a new message.
But they only instruct Signal to wake up and download whatever is waiting. They don’t contain the message contents.
By not having Google Play Services, isn’t this prevented?
Notification logging is usually done by some other part of android as far as I know. GMS is the typical way to deliver notifications and is a far more serious privacy concern, since it also directly passes googles servers and is not encrypted. However as others mentioned, signal does not send contents there, message notifications with the message contents stay on device.
If you don’t use Google Play Services, you don’t get push notifications, so yes. Libre reimplementations of Google Play Services such as Gapps etc. or alternative push notification providers do not circumvent this issue, except possibly self-hosted push notification providers. This approach is really rare though and limited generally to very few apps.
This is about a history of notifications locally on the phone.
This is implemented outside of gms at least on my rom, and in the past I have also installed a separate app to do the same.
If you log your notifications … that log can leak your notifications.
Yes, I know! Sorry for the confusion, I just wanted to take the opportunity to raise awareness about a privacy issue that lots of people aren’t aware of
If I turn off notifications on my end, does the other person still generate a push notification when they send me a message, even if I never receive it?
Edit: Sorry, I think I misunderstood your question. If you don’t have Google Play Services enabled but your friend does and messages you, no, a push notification won’t be sent, but if you message them, one will be sent to them.
I thought you were asking if you just disabled notifications on your phone if that would prevent push notifications from being sent. I’ll leave my original answer in case someone else has that question.
It depends on what exactly you mean, but usually not. If you mean in your phone’s notifications management settings, that does not affect the push notifications being sent to Google/Apple servers, that’s just a local setting to decide how your phone handles it.
Some apps, though rarely, allow you to disable push notifications from being sent. If it exists, this is inside a settings screen in the app itself or on the app provider’s website somewhere. Generally, only privacy-conscious apps provide such settings.
So how does it decide to generate a push notification or not?
To send you a push notification, an app requires a special token specific to that app and your device, kinda like an API key, which can only be generated for a device using Google Play Services. Without that token, a push notification cannot be sent. These tokens expire, so if you used Google Play Services and just turned it off, push notifications will still get sent into the ether - but never delivered - until the token expires, at which point notifications can’t be sent anymore. Badly developed apps might still try to send push notifications with expired tokens, I have no idea what Google servers would do with that, but I’d guess they would just discard it immediately.
I don’t use Play Services and still get push notifications from Signal, so they’re clearly using an alternative implementation.
You might be getting pull notifications, that’s generally the workaround for push notifications being disabled - it generally increases battery usage because it forces the app to stay open in the background.
Molly supports unified push
That would make sense.
Is this true if you don’t have Google Play Services but the person you’re messaging does? Is one person cutting GPS out enough?
The message you send them would probably go through as a push notification to them, but the message they send you wouldn’t.
@4am @MrSoup wtf
I’m actually talking about sensitive data on Google/Apple hosted servers, as well as on the phone itself!
That depends on your definition of private.
A push notification is pretty much just a ping that wakes up the app that is supposed to show you the notification. There usually isnt much data in that ping, so the only thing the Google firebase servers (or whatever other backend solution you use) see is a timestamp and an app. If you then disable Notification historie (default is off bzw on GraphenOS) there is no other data stored anywhere.
That’s metadata that every single chat service has, no matter if its E2EE or not, because that’s the bare minimum they need to transmit anything at all. If that already isn’t private for you then you’d have to stop using the internet or phonecalls entirely and go back to carrier pidgeons.
It depends on the app. Some apps do (or can be configured to) indeed send “empty”/blank notifications which just notify you that you’ve received a new message from an app, but not from whom, or what the message contains.
However most apps by default will contain more data, such as who the message is from, and some/all of the sent message body.
If you get a push notification on your phone, everything you see in that notification must by definition pass through the push notification service.
You seem to be under an impression that the actual notification that you see in the notification shade of your phone must go through FCM. That is not true. There are no external services involved in generating notifications on Android, apps can just show notifications by themselves.
What FCM is used for is sending a wakeup call to an app. The naming is confusing, but the “notification service” is not sending a notification in the sense of what you see in the notification shade. It is notifying an app of an event. The app can then react in any way it wants, possibly by creating a notification for the notification shade. But the notification you see in the UI of your phone didn’t go through FCM.
And this is a completely separate thing. Yes, you can configure apps to not show details in notifications, but that has nothing to do with FCM. It only controls what the app does locally, when generating the local notification, after FCM is no longer involved (if it was involved in the first place - many notifications don’t need it, for example a notification from a timer app).
This statement is easy to disprove in another way too. FCM only supports sending up to 4KB of data, and yet you can get a notification with high resolution images. Which also shows that no, things you see in the notification didn’t have to pass through the push notification service - the local app got the data and prepared the notification by itself, possibly after being woken up to do so by FCM.
Wdym push notifications are not private on Graphene??
If you use GrapheneOS with push notifications, after enabling Google Play Services, those push notifications are relayed through Google servers. Most apps will include message sender and text in the push notification, meaning that data will pass through Google servers and they can read it.
If you are a GrapheneOS user and leave Google Play Services disabled - which they are by default - you have nothing to worry about, but notifications are generally delayed and use more battery as a downside.
I am no Android developer, but can’t the push notification payload be encrypted?
https://firebase.google.com/docs/cloud-messaging/encryption
A better question is if Signal does this already.
Signal doesn’t send anything in the payload. They just use it to wake the phone up and then download all messages that are waiting to be delivered through the usual encrypted means. All Google knows is that something happened at that time. They don’t know anything else.
No, push always leaks metadata to Google. Use molly (signal fork on fdroid) and unified push instead.
So it’ll use TLS encryption, meaning that others on your network won’t be able to snoop it, but not end-to-end encryption, so Google/Apple servers will see the plaintext of the push notification content.
This is a limitation of the specific implementation of how push notifications work. End-to-end encrypted push notifications would be technically possible but it would require Apple/Google to make it possible. Developers can’t implement it without getting you to run some services yourself, either self-hosted or a long-running background process on your phone, which would be a battery drain.
The link you shared isn’t really relevant to push notifications specifically.
The best happy medium we can get is to send empty/blank push notifications, which some apps including Signal offer as an option, but you often need to set it that way in the settings. I think Signal does that by default, but very few apps do.
Not true.
The push notification for most messengers is a ping with little to no data in it, telling the app to grab messages directly via TLS. That’s how e2e works with push.
As I wrote elsewhere:
I’d disagree with “most messengers” doing that, in my experience, most don’t do it by default. Signal is a pretty rare exception to do so by default.
What messenger doesn’t? Signal, WhatsApp, Matrix, Snapchat, Discord, Telegram, etc. I’d say “most” is pretty accurate. No idea what Wechat does, but that’s a whole different story.
Also not true. What you “see” could have been retrieved post-notification, as described in the message you responded to. What you see has nothing to do with what goes through the push service and is a full technical inacurracy.