Comment by diebeforei485
2 years ago
Push notifications are sent from an app server to an individual device, correct? And the device enrolls with the server for receiving push notifications.
Why isn't there key exchange happening at the time of enrollment? Why is it something apps have to manually do? We moved the web to HTTPS everywhere for a reason; why are apps behind the web in privacy?
Potentially stupid question - how is iMessage encrypted end to end if the notifications aren't?
Apps can still do what they want in the content of the notification. This includes encrypting the content however they'd like. By default, though, apps don't encrypt the content. And the metadata (what Apple ID is receiving notifications from what app) is still known to Apple.
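
The enrollment-time key exchange and app-level payload encryption discussed in this thread, as an added example that is not part of the original comments and is not any push provider's API. It uses Node's built-in `crypto` module; the function names, the `deviceToken`/`topic`/`body` field names and the sample values are hypothetical.

```javascript
// Added illustration; function and field names are hypothetical, sample values are constructed.
const nodeCrypto = require('node:crypto');

// Enrollment: the device makes an X25519 key pair and registers only the public key.
function enrollDevice() {
  return nodeCrypto.generateKeyPairSync('x25519');
}

// Both sides derive the same AES-256 key from the ECDH shared secret.
function deriveKey(privateKey, publicKey, salt) {
  const shared = nodeCrypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, salt, 'push-payload-v1', 32));
}

// App server: seal the payload to the enrolled public key with a fresh ephemeral key.
function sealNotification(devicePublicKey, plaintext, routing) {
  const eph = nodeCrypto.generateKeyPairSync('x25519');
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const key = deriveKey(eph.privateKey, devicePublicKey, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(routing.topic)); // bind ciphertext to the app it was sent for
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return {
    deviceToken: routing.deviceToken, // still visible to the push service
    topic: routing.topic,             // still visible to the push service
    body: {                           // opaque to the push service
      epk: b64(eph.publicKey.export({ type: 'spki', format: 'der' })),
      salt: b64(salt), iv: b64(iv), ct: b64(ct), tag: b64(cipher.getAuthTag()),
    },
  };
}

// Device: rebuild the key from its private key and the sender's ephemeral public key.
function openNotification(devicePrivateKey, msg) {
  const raw = (s) => Buffer.from(s, 'base64');
  const epk = nodeCrypto.createPublicKey({ key: raw(msg.body.epk), type: 'spki', format: 'der' });
  const key = deriveKey(devicePrivateKey, epk, raw(msg.body.salt));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw(msg.body.iv));
  decipher.setAAD(Buffer.from(msg.topic));
  decipher.setAuthTag(raw(msg.body.tag));
  // final() throws if the ciphertext, tag or topic was altered in transit
  return Buffer.concat([decipher.update(raw(msg.body.ct)), decipher.final()]).toString('utf8');
}
```

The routing fields stay in the clear because the push service needs them to deliver the message, which is the metadata exposure the reply describes; only `body` is protected.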