A few weeks ago, it became public that Google and Apple share push notification data with governments.
While this is hardly surprising, it made me realize that I didn’t know very much about push notifications and what threat they might pose to my privacy. So I did some research, which I’d like to share with anyone who’s interested.
What first came to my mind when thinking about push notifications was an actual notification on my phone. In reality, there is only a loose connection between the two. As it turns out, push notifications on Android refer mostly to Google’s Firebase Cloud Messaging (FCM). It is a service offered by Google that allows information to be transmitted/pushed to apps as opposed to the apps polling some server. This is done through a system component that is part of Google Play Services. All of the notification data goes through Google, so the system component only has to contact a single party. This is more energy-efficient compared to each individual app maintaining its own connection. Huawei has its own implementation of this.
The main culprits on my phone that might use FCM are messaging apps. It seems that even privacy-focused messaging apps like Threema and Signal will happily use FCM if available.
However, it is up to the developer what information goes through Google’s servers. Threema claims that the message contents are not part of the push notifications. Instead, the app is merely informed that there are new messages available on Threema’s servers, which it will subsequently fetch. Signal seems to do the same, but I couldn’t find an official statement about it. This approach seems to be the most privacy-friendly way to use FCM. Other messaging apps likely send the whole (hopefully at least encrypted) message contents and metadata through FCM.
To address a notification to a certain user, the app operator uses a push token. This is a unique ID that is created when the app in question is first launched. It can also be linked to the Google account of the user.
To sum this up: When a push notification is received, Google knows:
- that the concerned app is installed on the user’s device, even if not installed from the Play Store
- that the device is turned on at the time
- full content of the push notification, possibly unencrypted, if present
In the case of messenger apps, it might be possible for Google to draw conclusions on who is chatting with each other based on the timing of push notifications people receive from a given app, even if no message contents ever go through their servers. Other information, like geolocation or synchronized contacts, could make this even easier. This, however, is pure speculation on my part.
If an app sends encrypted message contents, or metadata, through FCM, the encrypted data might be saved to be decrypted in the future once the needed technology is available. The same information is, of course, available to all parties that Google grants data access to. In the Reuters article, it is mentioned that government agencies can obtain push tokens from app operators’ servers and link them to the user’s Google account using data from Google.
How can users avoid push notifications being used by their apps? If the device has Google Play Services, push notifications will be used even if the user is not logged in with a Google account.
If the device has microG (specifically the GsfProxy component) installed instead, apps can also use the FCM service, and the privacy implications are the same as far as I can tell. However, there is at least a discussion about the issue on their GitHub page.
If the device has no push notification component installed, apps don’t seem to be able to use FCM. They might use polling or socket connections as a fallback, like Signal and Threema do.
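To make the two patterns from the post concrete (the content-free "wake-up" notification that Threema describes, and polling as the fallback when no FCM component is installed), here is an added example that is not from the original post and not the code of Threema, Signal or Google. It models the messenger's own server and client in plain Python; the FCM HTTP v1 body shape (`message.token`, `message.data`, `message.notification`) is real, but the endpoint is only quoted as a string and never contacted, and the user IDs, push tokens and ciphertext blobs are constructed sample values.

```python
import json

# Real FCM HTTP v1 endpoint shape; shown for reference only, nothing is sent.
FCM_SEND_URL = "https://fcm.googleapis.com/v1/projects/{project}/messages:send"


def build_wakeup_message(token):
    """Content-free push: the relay sees only the token and a 'new messages' flag."""
    return {"message": {"token": token, "data": {"type": "new_messages"}}}


def build_content_message(token, sender, body):
    """The pattern the post warns about: sender and message body travel through FCM."""
    return {"message": {"token": token,
                        "notification": {"title": sender, "body": body}}}


def fields_visible_to_relay(fcm_body):
    """Flatten the message so you can audit what the push relay (and anyone it
    shares data with) can read. Returns sorted dotted key paths."""
    out = []

    def walk(node, prefix):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            if isinstance(value, dict):
                walk(value, path)
            else:
                out.append(path)

    walk(fcm_body, "")
    return sorted(out)


class AppServer:
    """Stands in for the messenger's server: holds ciphertext mailboxes per user
    and knows which users have a push token (hypothetical, in-memory only)."""

    def __init__(self):
        self.mailboxes = {}    # user_id -> list of ciphertext blobs
        self.push_tokens = {}  # user_id -> push token, or None without FCM

    def register(self, user_id, push_token):
        self.push_tokens[user_id] = push_token

    def deliver(self, recipient, ciphertext):
        """Store the ciphertext; return the FCM body to send, or None if the
        recipient has no push token and must poll instead."""
        self.mailboxes.setdefault(recipient, []).append(ciphertext)
        token = self.push_tokens.get(recipient)
        if token is None:
            return None
        return build_wakeup_message(token)

    def fetch(self, user_id):
        """Hand over and clear pending ciphertexts over the app's own channel."""
        return self.mailboxes.pop(user_id, [])


class Client:
    def __init__(self, user_id, server):
        self.user_id = user_id
        self.server = server

    def on_push(self, fcm_body):
        """Called when the push component delivers a message: the payload carries
        no content, so the client fetches from the app server itself."""
        data = fcm_body["message"].get("data", {})
        if data.get("type") == "new_messages":
            return self.server.fetch(self.user_id)
        return []

    def poll(self):
        """Fallback for devices without any FCM component."""
        return self.server.fetch(self.user_id)


if __name__ == "__main__":
    server = AppServer()
    server.register("alice", "constructed-token-alice")  # has Play Services
    server.register("bob", None)                         # no push component
    push = server.deliver("alice", b"ciphertext-1")
    print(json.dumps(push))
    print("relay sees:", fields_visible_to_relay(push))
    print("alice got:", Client("alice", server).on_push(push))
    print("bob push:", server.deliver("bob", b"ciphertext-2"))
    print("bob polled:", Client("bob", server).poll())
    leaky = build_content_message("constructed-token-alice", "Alice", "hi")
    print("leaky relay sees:", fields_visible_to_relay(leaky))
```

Running `fields_visible_to_relay` on both bodies is the quick audit a developer can do: the wake-up form exposes only `message.token` and `message.data.type`, while the notification form also exposes `message.notification.title` and `message.notification.body`, which is exactly the sender and content the post says should never cross the relay.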
I was so far unable to find out what WhatsApp uses when no FCM implementation is available. I think it might technically be possible for apps to have their own client implementations, but I don’t believe this is actually being done.
Lastly, there are also free implementations like UnifiedPush, which allows self-hosting.
One more concern I had was that even if I had no client implementation installed, app operators might still send notification information to Google. However, since no push token should be generated, I don’t believe this is likely.
My personal conclusion is that not having any FCM implementation installed is the most privacy-friendly and easy option, although it comes at the cost of increased battery drain.
What is your takeaway from this story? Have you relied on FCM before? Will you make changes to avoid it going forward?