← Back to context

Comment by qwertox

1 year ago

Why? I think Google suggests that you send the payload encrypted through the notification. Google then only knows which app to send the message to, they don't know from whom the message originates (only "a Telegram server") nor what the content is.

Also, you could just send a notification instructing the app to fetch a new message from your server.

From the docs:

Encryption for data messages

The Android Transport Layer (see FCM architecture) uses point-to-point encryption. Depending on your needs, you may decide to add end-to-end encryption to data messages. FCM does not provide an end-to-end solution. However, there are external solutions available such as Capillary or DTLS.

https://firebase.google.com/docs/cloud-messaging/concept-opt...

6 comments

qwertox

Reply
sroerick  1 year ago

Assuming an adversarial relationship, what sort of metadata could Google capture simply knowing which app was sending the notifications and who was receiving them?

  • rpdillon  1 year ago

    Schneier mentioned this late in 2023:

    https://www.schneier.com/blog/archives/2023/12/spying-throug...

    > Wyden’s letter cited a “tip” as the source of the information about the surveillance. His staff did not elaborate on the tip, but a source familiar with the matter confirmed that both foreign and U.S. government agencies have been asking Apple and Google for metadata related to push notifications to, for example, help tie anonymous users of messaging apps to specific Apple or Google accounts.

  • throwuxiytayq  1 year ago

    Aren’t notifications enqueued on the server side, implying sender info is inscrutable? I’m curious what mechanism you’d propose to gather any valuable metadata given a sufficient volume of encrypted notifications.

  • qwertox  1 year ago

    "A Telegram server used FCM to send a message of size X to the device owned by individual Y at this timestamp and this IP address".

    Nothing else.