In this video I discuss how a recent DOJ letter revealed that Apple and Google were sending people’s push notifications to foreign governments.
For those who simply want the information:
Why in the hell do push notifications need to be generated on Google/Apple servers? I’m sure our phones are more than capable of processing the information from the app to the lock screen.
The general design is a single system component wakes up the device when it’s sleeping (such as during screen off) and checks in with Apple/Google servers to see if there are any notifications.
Why?
Imagine if every app needed to wake up your device and make network requests to check for notifications etc. The more apps, the faster your battery drains as a queue of apps grows, constantly waking up your device to call home and check for notifications.
Hence Push Notification Services. Instead, developers send a notification to Apple/Google who then pool those notifications with notifications from other apps/developers. Then the single notification service on your device periodically wakes up the device and checks for notifications.
Additionally, push notification systems by OSs are designed with efficiency and minimal network requests and bandwidth utilisation so an app can’t chew up users’ data quotas due to being poorly written.
TL;DR: It saves battery and network data, enabling users to use more apps.
I’m curious why “push notifications” really act like “pull notifications.” Your phone has to request updates from Google/Apple’s server. You’re still just polling a server frequently. Why is it not the other way around? Why is your phone not the server, and Google/Apple make the “request” to your phone?
The term “push notification” comes from how it enables developers to “push” users, even when they’re not active.
An app developer can (potentially) vibrate a device, make it emit noise, flash a light, appear on the screen, and exist in a set of notifications pinned to the tops of the screens.
Check out Three Minute Games’ mobile game series Lifeline. I think that it beautifully illustrates “pushing”. How the game pushes you to help someone survive in real time, through messages that appear alongside your real notifications.
The game tells you when you’re playing, not the other way round. Buzz buzz, come and play with me.
It’s the difference between polling notifications, where each app wakes up once a minute and goes to ask their respective servers if there are any new notifications, and push notifications which, as the name suggests, are pushed to your phone once they arrive so those apps can sleep.
That’s why you should disable notifications for apps that show sensitive information.
Signal has a good way of doing it: they only signal (hehe) their app that there is a notification, then the app gets this information itself.
I want to add that WhatsApp doesn’t send message content within notifications either.
I know WhatsApp isn’t very popular around here (for valid reasons), but it uses end-to-end encryption, notifications or not.
it uses end-to-end encryption
At least they say they do, but we can’t really verify that.
You’d expect nothing less from Signal, but there’s still metadata left that can be quite useful.
They offer an alternative version for Android that uses a web socket, so not the best solution either, but oh well. I’d like to see them support UnifiedPush officially though. The Molly fork does, for instance.
A lot more elegant than a web socket, and if more apps supported it, you’d have less apps all running their own service in the background. Well, speaking for a degoogled system, where this would matter a lot more.
The simple information when you receive a notification for a specific app can be combined with a whole lot of other info about you that’s being collected by big tech and/or governments.
Time stamps are a surprisingly telling trail.
What I wonder about is if the push notifications are ‘sent’ anyway, i.e. through the network and the phone just doesn’t do anything with them? Does anyone know?
Removing the notifications permission doesn’t prevent them from being sent. Source
Exactly. The issue is that the app still sends the notification to the cloud server. The cloud server doesn’t forward that notif to your device if you have notifs turned off, but it still gets sent to the server regardless. Which means it’s still subject to be shared with the government.
I use Pushover for my own notifications and was curious to see if they had any info on this. Fortunately they’ve got a note on their page: https://blog.pushover.net/posts/2023/12/encryption
Good thing I have push notifications off for fucking everything
The question is - are they off so they are not sent or are they off so you don’t see them? Sorry for tinfoil
I think they are saying the notifications are still sent. They are going from the app servers to the push servers. From the push servers they COULD go to the Gov and to your phone. You have the notifications turned off so they don’t go to your phone. Doesn’t mean they don’t get sent elsewhere though.
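
An added illustration, not part of the original thread and not Signal's or any vendor's code: a simplified Python model of the two designs discussed above, a push whose payload carries the message text versus a content-free wake-up after which the app fetches the message itself. `PushRelay`, `AppServer`, the tokens, timestamps and message text are all constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class PushRelay:
    """Stand-in for the OS vendor's push service; it records everything it forwards."""
    log: list = field(default_factory=list)

    def forward(self, app_id, device_token, payload, ts):
        self.log.append({"app": app_id, "token": device_token, "payload": payload, "ts": ts})
        return payload  # what the device's notification service receives

@dataclass
class AppServer:
    app_id: str
    relay: PushRelay
    mailbox: dict = field(default_factory=dict)  # device_token -> pending messages

    def send_with_content(self, token, text, ts):
        # Message text travels through the relay inside the push payload.
        return self.relay.forward(self.app_id, token, {"alert": text}, ts)

    def send_wakeup_only(self, token, text, ts):
        # Text stays on the app server; the relay carries only an empty wake-up.
        self.mailbox.setdefault(token, []).append(text)
        return self.relay.forward(self.app_id, token, {}, ts)

    def fetch(self, token):
        # After waking, the device pulls pending messages directly from the app server.
        return self.mailbox.pop(token, [])

def relay_disclosure(relay):
    """What the relay operator holds per push: (app, token, timestamp, text or None)."""
    return [(r["app"], r["token"], r["ts"], r["payload"].get("alert")) for r in relay.log]

def demo():
    relay = PushRelay()
    chatty = AppServer("chatty-app", relay)   # constructed app names
    quiet = AppServer("quiet-app", relay)
    chatty.send_with_content("tok-A", "Meet at 9 at the clinic", 1700000000)
    quiet.send_wakeup_only("tok-A", "Meet at 9 at the clinic", 1700000060)
    on_device = quiet.fetch("tok-A")
    return relay_disclosure(relay), on_device

if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

In both cases the relay still holds the app identifier, device token and timestamp, which is the metadata trail raised in the thread; only the wake-up design keeps the text off the relay.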