• JASN_DE@feddit.de
    link
    fedilink
    English
    arrow-up
    9
    ·
    11 months ago

    That depends a lot on what you’re hosting resp. if the mobile apps are using Google’s/Apple’s messaging/notification services.

    • whofearsthenight@lemm.ee
      link
      fedilink
      English
      arrow-up
      10
      ·
      11 months ago

      Sort of. If you’re receiving a notification from a remote server on iOS or standard android, they go through Apple or googles servers. That said, some apps rather than sending your device the actual notification (where this vulnerability comes from) will instead send a type of invisible notification that basically tells the app to check for a new message or whatever and then will display a local notification so the actual message stays on device and inside of the hosting services servers (like a self host.)

      • towerful@programming.dev
        link
        fedilink
        English
        arrow-up
        5
        ·
        edit-2
        11 months ago

        That said, some apps rather than sending your device the actual notification

        Pretty sure that is actually the recommendation from apple/google, as it reduces bandwidth for their notification servers.
        I think the message payload is severely limited.
        Like, pre-ios8 the limit was 256 bytes. Now it’s 2kb.

        https://stackoverflow.com/a/6316022

        • whofearsthenight@lemm.ee
          link
          fedilink
          English
          arrow-up
          2
          ·
          11 months ago

          I didn’t know that. Hmm, sounds like it’s decently likely this is a bit overblown then. I mean, I suppose there are a lot of lazy companies out there that will skip this, but that severely limits the functionality in a way that it’s going to force the secure method.

          • towerful@programming.dev
            link
            fedilink
            English
            arrow-up
            4
            ·
            edit-2
            11 months ago

            It opens users to timing attacks.
            If there are 10000 notifications per second. And across 100 incidents user A does something to cause a notification and user B receives a notification within network latency time periods, it is likely user A is talking to user B.
            Whilst that seems like arbitrarily useless data, having this at the giga/peta scale that the US government is processing it, you can quickly build a map of users “talking” to users.
            Now, this requires the help of other parties. You need to know that user A is using WhatsApp at the time. And yeh, you don’t know what the message is, but you know that they are hitting WhatsApps servers. And you know that within 5 minutes of User B receiving a notification, they are also then contacting WhatsApp servers.
            So now you know that user A is likely talking to user B via WhatsApp.
            And also user G, I X and M are also involved in this conversation.
            And you bust user G on some random charge. And suddenly warrants are issued for more detailed examination of users A, B, I, X and M.
            Maybe they have nothing to hide and are just old college friends. Or maybe they are a drug ring, or whatever.

            It’s all the “I have nothing to hide”, phones being tied to a person, privacy and all that.
            We can’t really comprehend the data warehouse/lake/ocean level of scale required to realise what all the little pieces of meta data and tracking information being able to add up to “User A is actually this person right here right now and they bought a latte at Starbucks and got 5 loyalty points” level of tracking.

            Is it likely this bad?
            Probably.
            Theres the “Target knows I’m pregnant before told anyone” story.
            https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/

            That’s over a decade ago. It’s not let off. And you can bet that governments are operating at a level a few years beyond private industry.

            So yeh, every bit of metadata counts

        • KairuByte@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          11 months ago

          Honestly, they likely also suggest this in an attempt at privacy. For all their other faults, Apple has always championed security and privacy.