
Comment by wongarsu

2 years ago

Push notifications are such a great way to spy on people, because so many apps send highly private information as push notifications. Even if you install them on-premise, because the only well-supported battery-friendly way to send notifications is through Google's and Apple's servers.

The most serious of secure messengers moved to push notifications that just cause the app to wake up and fetch the real message from the server to show as a notification, but there are still plenty of apps that just send the full message as a push notification.

As far as I know, WhatsApp on iOS uses a special entitlement (com.apple.developer.usernotifications.filtering) for securely handling notifications.

They receive silent push notifications, which wake up the app (a reason for the entitlement being restricted). Once awake, the app takes over, managing the notification itself.

This approach circumvents sending notification content in cleartext through Apple's servers, thereby preserving their end-to-end encryption.
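The two payload styles contrasted in the comments above, as an added example that is not part of the thread or any app's own code: a backend-side check that lists which fields of an APNs-style JSON payload would expose message content to the push provider. The custom key `msg_id`, the function names and the sample message are assumptions made up for illustration.

```python
# Constructed sample data; "msg_id" is a hypothetical custom payload key.
VISIBLE_ALERT_KEYS = ("title", "subtitle", "body")

def full_message_payload(sender, text):
    """Full message in the push: plaintext transits the push provider."""
    return {"aps": {"alert": {"title": sender, "body": text}, "sound": "default"}}

def wake_only_payload(message_id):
    """Silent push: only wakes the app, which then fetches the real message."""
    return {"aps": {"content-available": 1}, "msg_id": message_id}

def walk(node, path=""):
    """Yield (dotted_path, leaf_value) for every leaf in a JSON-like structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node

def exposed_fields(payload, secrets):
    """Paths whose string value contains any sensitive string (case-insensitive)."""
    needles = [s.lower() for s in secrets if s]
    return sorted(
        path for path, value in walk(payload)
        if isinstance(value, str) and any(n in value.lower() for n in needles)
    )

def has_visible_alert(payload):
    """True if the provider-delivered payload itself carries user-visible text."""
    alert = payload.get("aps", {}).get("alert")
    if isinstance(alert, str):
        return bool(alert)
    if isinstance(alert, dict):
        return any(alert.get(key) for key in VISIBLE_ALERT_KEYS)
    return False

if __name__ == "__main__":
    sender, text = "Alice", "Meet at 6pm, gate code 4411"  # constructed message
    for name, payload in (("full", full_message_payload(sender, text)),
                          ("wake-only", wake_only_payload("c0ffee-0001"))):
        print(name, exposed_fields(payload, [sender, text]), has_visible_alert(payload))
```

Even with the wake-only payload, the push provider still learns that a given device was sent something at a given time.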

> Even if you install them on-premise,

You mean on-premises? If so, please show me where I can download and run my own APNS servers on my own hardware, because such a thing does not exist. You can run your own workers, which send through APNS/Apple's servers, but there is no such way you can own the entire chain to get a push from your backends to an Apple device, not if you're using native push notifications.

AFAIK, Google isn't any better, with GCM, and even Firebase uses that from what I know.

What are the most serious secure messengers?