Comment by multiplegeorges
2 years ago
Compromise a single phone in a target group, send a message to an anonymous chat, and you now know every other member of the group.
Apple needs to know your Apple ID to send you an APNS payload. Now your anonymous chat profile is tied to your real Apple ID. Busted.
This is not necessarily true. You’re assuming that all the info is in push notifications themselves.
E.g: if I get a push notification that is simply “you have a new event, poll the server”, and then I poll the server for (encrypted) batch updates, where exactly do you see the leak that ties an anonymous profile to an Apple ID? Given a large enough service, that same generic batch update endpoint would be getting hammered and I have to think it would effectively be camouflaged to a degree.
Granted, not every app is going to use this design - but if or when done properly I don’t see that much of an issue here.
(I am open to being wrong, mind you)
Very delayed reply here, but it's a timing attack, I think.
If the government has access to telco resources (I think it's safe to assume that they can and do), then they can line up the timing of a chat message with the push notifications it triggers.
If we are chatting and the government doesn't know who I am, it will only be a matter of time before the number and timing of the push notifications I receive line up in a unique way to the messages you sent me. That would work for every member of the group.
Apple could bundle up multiple push notifications to obfuscate it a bit, but it would hurt real-time communications and wouldn't be that strong of a mitigation anyway.
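A toy simulation of the batching mitigation discussed in this thread, added here as an example and not written by any commenter. It counts how many devices remain consistent with a sender's message times, with and without batching. The device count, the background push rate, the 300-second batch window and the one-second timing resolution are all assumptions.

```python
import random

def candidate_set_size(n_messages, batch_s, n_users=500, bg_rate=1 / 600,
                       duration_s=86_400, resolution_s=1.0, seed=7):
    """Count devices whose push timing is consistent with every message.

    A result of 1 means the real recipient stands alone; larger values
    mean the recipient is hidden among that many devices.
    """
    rng = random.Random(seed)
    # Time bucket: the batch window if pushes are batched, otherwise the
    # assumed timing resolution of delivery.
    slot = batch_s if batch_s > 0 else resolution_s
    # Constructed sample data: times at which chat messages were sent.
    sends = [rng.uniform(0, duration_s) for _ in range(n_messages)]
    wanted = {int(t // slot) for t in sends}  # buckets that must hold a push

    def background_slots():
        # Unrelated pushes for one device, modelled as a Poisson process.
        slots, t = set(), rng.expovariate(bg_rate)
        while t < duration_s:
            slots.add(int(t // slot))
            t += rng.expovariate(bg_rate)
        return slots

    consistent = 0
    for user in range(n_users):
        slots = background_slots()
        if user == 0:            # device 0 is the real recipient
            slots |= wanted      # it also receives every chat-triggered push
        if wanted <= slots:      # a push exists in every required bucket
            consistent += 1
    return consistent

if __name__ == "__main__":
    for batch in (0, 300):
        for n in (1, 5, 10, 20, 40):
            size = candidate_set_size(n, batch)
            print(f"batch={batch:>3}s messages={n:>2} consistent devices={size}")
```

In this model the hiding set under batching depends on how much unrelated push traffic each device receives per batch window, so quiet devices gain less from the same window.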