“App developers can encrypt these messages when they’re stored (in transit they’re protected by TLS) but the associated metadata – the app receiving the notification, the time stamp, and network details – is not encrypted.”

  • GolfNovemberUniform
    ↑27 ↓1 · 10 months ago

    And of course nobody is going to fix these vulnerabilities because the governments want to be able to view that data.

    • Fisch
      ↑6 · 10 months ago

      The fix would be very easy. Just don’t store that data. But Google and Apple obviously want that data for themselves as well, for advertising.

      • GolfNovemberUniform
        ↑3 · 10 months ago

        Tbh I absolutely do not understand why they decided to collect any data for push notifications in the first place. But yea now nobody will fix it. Though I’m wondering if it’s only the proprietary part (Firebase or whatever the name is) or the system itself that collects data. I mean if I use a degoogled phone that doesn’t even have that proprietary part (means notifications from IMSes don’t work either), am I safe from this or not? And does the collected data go to Google or to the app’s developers?

        • Fisch
          ↑1 · 10 months ago

          I already explained how the whole push notification thing works in this comment. If you’re using a degoogled phone, you’ll be fine. MicroG has the option to use Firebase but you need to be logged in with a Google account, enable device registration and enable cloud messaging for it to use it. Google has the data about when you got a push notification from what app since it goes through their server and the app developer can obviously log the notification data from their app.

          • GolfNovemberUniform
            ↑1 ↓1 · 10 months ago

            BRUH push notifications with Firebase require everything going through a Google server? What in the deleted is that design?

            • Fisch
              ↑1 · 10 months ago

              I don’t like Google either but this design makes perfect sense. There’s a reason UnifiedPush works the same way. It sucks that you can’t choose a different server but that’s just how Google does things.

              • GolfNovemberUniform
                ↑1 ↓1 · 10 months ago

                In my opinion there’s absolutely no point in sending notifications through Google. It can be done differently and in a much less overengineered way. Unification doesn’t make sense here. The additional features don’t work in half of the apps now anyways.

                • Fisch
                  ↑1 · 10 months ago

                  If you have a better way to do this, I’d really like to hear it. Also, what additional features are you talking about?

                  • GolfNovemberUniform
                    ↑1 · 10 months ago

                    1. I’m not a very advanced Android programmer but I know it’s possible to make something like universal instructions and dependency lists (if you want unification which I personally don’t support). Linux has had push notifications for years and on Android they work too if the app is running in the background. In my opinion the app should control the contact with its servers. Just make a daemon or something like that so the whole app doesn’t have to stay in memory. Yes it’s messy and battery life will be worse but monopolizing is always bad. Federating Firebase is a good idea too but I personally prefer the other method because it gives more flexibility.
                    2. Video/music progress bar on Firefox, for example.
      • EngineerGaming@feddit.nl
        ↑1 · 10 months ago

        The fix would be different - not have it go through “someone else’s computer”. Whenever “someone else’s computer” is involved, you should just assume they log everything. Even if they don’t do it and don’t want to - they can be silently made to do so.

        • Fisch
          ↑3 · 10 months ago

          But there’s also UnifiedPush. If apps used that, you could just selfhost that server. A lot of open source apps do use it. I, for example, have a phone with MicroG and I didn’t enable cloud messaging. I also have a Nextcloud server, where I installed the UnifiedPush provider and I use NextPush on my phone as the UnifiedPush app. Works great and that way a lot of apps I have don’t need to run in the background constantly.