Potential Dangers of "Push Notifications"

A few weeks ago, it became public that Google and Apple share push notification data with governments.
While this is hardly surprising, it made me realize that I didn’t know very much about push notifications and what threat they might pose to my privacy. So I did some research, which I’d like to share with anyone who’s interested.

What first came to my mind when thinking about push notifications was an actual notification on my phone. In reality, there is only a loose connection between the two. As it turns out, push notifications on Android refer mostly to Google’s Firebase Cloud Messaging (FCM). It is a service offered by Google that allows information to be transmitted/pushed to apps as opposed to the apps polling some server. This is done through a system component that is part of Google Play Services. All of the notification data goes through Google, so the system component only has to contact a single party. This is more energy-efficient compared to each individual app maintaining its own connection. Huawei has its own implementation of this.

The main culprits on my phone that might use FCM are messaging apps. It seems that even privacy-focused messaging apps like Threema and Signal will happily use FCM if available.
However, it is up to the developer what information goes through Google’s servers. Threema claims that the message contents are not part of the push notifications. Instead, the app is merely informed that there are new messages available on Threema’s servers, which it will subsequently fetch. Signal seems to do the same, but I couldn’t find an official statement about it. This approach seems to be the most privacy-friendly way to use FCM. Other messaging apps likely send the whole (hopefully at least encrypted) message contents and metadata through FCM.

To address a notification to a certain user, the app operator uses a push token. This is a unique ID that is created when the app in question is first launched. It can also be linked to the Google account of the user.
To sum this up: When a push notification is received, Google knows:

  • that the concerned app is installed on the user’s device, even if not installed from the Play Store
  • the device is turned on at the time
  • full content of the push notification, possibly unencrypted, if present

In the case of messenger apps, it might be possible for Google to draw conclusions on who is chatting with each other based on the timing of push notifications people receive from a given app, even if no message contents ever go through their servers. Other information, like geolocation or synchronized contacts, could make this even easier. This, however, is pure speculation on my part.

If an app sends encrypted message contents, or metadata, through FCM, the encrypted data might be saved to be decrypted in the future once the needed technology is available. The same information is, of course, available to all parties that Google grants data access to. In the Reuters article, it is mentioned that government agencies can obtain push tokens from app operators’ servers and link them to the user’s Google account using data from Google.

How can users avoid push notifications being used by their apps? If the device has Google Play Services, push notifications will be used even if the user is not logged in with a Google account.
If the device has microG (specifically the GsfProxy component) installed instead, apps can also use the FCM service, and the privacy implications are the same as far as I can tell. However, there is at least a discussion about the issue on their GitHub page.
If the device has no push notification component installed, apps don’t seem to be able to use FCM. They might use polling or socket connections as a fallback, like Signal and Threema do.
I was so far unable to find out what WhatsApp uses when no FCM implementation is available. I think it might technically be possible for apps to have their own client implementations, but I don’t believe this is actually being done.
Lastly, there are also free implementations like UnifiedPush, which allows self-hosting.

One more concern I had was that even if I had no client implementation installed, app operators might still send notification information to Google. However, since no push token should be generated, I don’t believe this is likely.

My personal conclusion is that not having any FCM implementation installed is the most privacy-friendly and easy option, although it comes at the cost of increased battery drain.

What is your takeaway from this story? Have you relied on FCM before? Will you make changes to avoid it going forward?

1 Like
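
An added example, not part of the original post and not code from Threema, Signal or Google: a small audit of what the push provider can read from a send request, comparing a content-bearing push with a wake-up-only push of the kind the post describes. The two requests are constructed samples in the FCM HTTP v1 JSON shape, the token is a placeholder, and `audit_push` and `constant_keys` are hypothetical names.

```python
import json

# Constructed sample send requests (FCM HTTP v1 "message" shape); token is a placeholder.
CONTENT_PUSH = json.dumps({"message": {
    "token": "EXAMPLE_PUSH_TOKEN",
    "notification": {"title": "Alice", "body": "Meet at 6 at the station?"},
    "data": {"chat_id": "1234"},
}})
WAKE_UP_PUSH = json.dumps({"message": {
    "token": "EXAMPLE_PUSH_TOKEN",
    # Constant hint only; the app then fetches new messages from its own server.
    "data": {"event": "sync"},
}})


def audit_push(request_body, constant_keys=("event",)):
    """Report what the push provider can read from one send request.

    constant_keys (an assumption of this example) names data keys whose value
    is identical for every user and message, so they reveal nothing extra.
    """
    msg = json.loads(request_body)["message"]
    exposed = {}
    # Display fields are delivered as-is and are readable in transit.
    for key, value in msg.get("notification", {}).items():
        if value:
            exposed["notification." + key] = value
    # Custom data is readable too unless the app encrypted the values itself.
    for key, value in msg.get("data", {}).items():
        if key not in constant_keys:
            exposed["data." + key] = value
    target = next((k for k in ("token", "topic", "condition") if k in msg), None)
    return {
        # Visible for every push, whatever the payload: who is addressed, and when.
        "always_visible": [target, "delivery time"],
        "exposed_content": exposed,
        "wake_up_only": not exposed,
    }


if __name__ == "__main__":
    for name, body in (("content", CONTENT_PUSH), ("wake-up", WAKE_UP_PUSH)):
        print(name, json.dumps(audit_push(body), indent=2))
```

Even the wake-up-only request still reports the target and delivery time as visible, which matches the first two items in the post's list.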

While I find the story very plausible, I’d want a more reliable source for it than an anonymous tip to a US senator.

Apple confirmed it and updated their Legal Process Guidelines accordingly.

Does this mean that PN are mostly not possible when there’s no Giggle account on the device? That would in fact make me relax a bit about using an app that’s really networked (right now I think I use none of those).


Ian

There are alternatives like using UnifiedPush

Which can be integrated into NextCloud if you prefer not to use third party providers.

But apps have to be written to use this. There are a few, but not many.

1 Like

Being logged in with a Google account makes little difference when it comes to PN. To prevent it on the system level, you probably want to install a custom ROM without “GApps” or microG. Alternatively, you can use apps that don’t use PN. I think Threema has an option to disable it. There is also the Signal Foss fork that has it patched out.

Doesn’t matter there is no privacy online. All the apps are spying on and selling people. Stop one and others take over.

This is simply not true. In fact, it’s a great reason to use free/libre apps. Those usually don’t collect any data at all. And if they do, it’s normally minimal and disclosed.

For push messaging to work on microG it has to be explicitly enabled. So no need to do without. Some ROM bundlers that include microG do have it enabled by default though (/e/OS I think) but it can be turned off.

2 Likes

Right, e.g. you can have microG installed just so some dumb app does not complain about missing Play, while actually not needing said Play services anyway.

That is correct. It is enabled by default in e/OS on both the Fairphone 4 and the Murena 2 and so I assume this is true of other platforms. To turn it off you have to turn off “Cloud Messaging” in the microG settings. I also turn off “Google device registration” as I can’t see the point of running a Google-free OS and then registering your machine with Google, even “anonymously”. As for “Google SafetyNet”, I root my machines so it doesn’t work anyway. It means I can’t run my bank’s app on the machine but I can access the bank anyway through a browser so that is not really a loss.
