Comment by rickmode
2 years ago
Naive question: why not remove all sensitive data, or all data, from the notification and leave the context for a secondary API call?
2 years ago
Yup, that is also a great way. Just send a message ID and fetch the actual content in the notification extension, which can pre-process incoming notifications.
I may be misreading the article, but does it seem like it alludes to metadata- and timing-related analytic techniques, rather than the contents of the notifications?
“...for metadata related to push notifications to, for example, help tie anonymous users of messaging apps to specific Apple or Google accounts.”
So maybe more, they (or somebody) send some messages to this account they want to ID, then request the specific device identifier that received notifications for that app at all of those times?
Would obfuscating the content make much difference with respect to that category of technique?