This is a most excellent place for technology news and articles.
It always bears repeating, push notifications are not private, neither for Android, GrapheneOS, nor iOS, even if you use end-to-end encryption. If you are privacy conscious, you should either use settings to hide sensitive data from push notifications or turn them off altogether.
If you turn off notification history on Android, should be enough to avoid such "attacks". Hiding sensitive content inside notifications only hides it in the lock screen. If your OS keeps a clear log of them, it's useless.
Notifications go through FireBase Cloud Messaging (FCM) on Android. They bounce off a Google server. Even from local, on-device apps.
Same with iOS.
They can read and store every one of them, and you don’t control the encryption keys.
But they only instruct Signal to wake up and download whatever is waiting. They don't contain the message contents.
Signal only sends a "new message, retrieve the rest from Signal" ping to your phone through Firebase. It doesn't contain message details, just that you have a new message.
That depends on your definition of private.
A push notification is pretty much just a ping that wakes up the app that is supposed to show you the notification. There usually isnt much data in that ping, so the only thing the Google firebase servers (or whatever other backend solution you use) see is a timestamp and an app. If you then disable Notification historie (default is off bzw on GraphenOS) there is no other data stored anywhere.
That's metadata that every single chat service has, no matter if its E2EE or not, because that's the bare minimum they need to transmit anything at all. If that already isn't private for you then you'd have to stop using the internet or phonecalls entirely and go back to carrier pidgeons.
What's the purpose of keeping a history of seen notifications in a database? That shit should be being automatically purged if it needs to exist to show it, after its been dismissed.
I wonder if this revelation will trigger a change in how it works, since apple has often tried to do things securely?
If you accidentally dismiss a notification, you can go back in the history to see it. Or if you dismiss a message notification that you want to respond to later. Or if a notification keeps popping up and disappearing and you want to investigate.
I just checked if there were any controls for this on Android. As far as I could tell, you can only toggle it on/off.
Off clears the history, but I wish we could do more than all or nothing. I don't need a history of more than a week at most.
I have it turned on. It only shows the last 24 hours.
Oh I honestly didnt understand there's a perpetual database you can go back and look at, I didnt even know i had one on android, I just turned that off.
I understood it as they need a database to hold the notifications you should be shown and it gets purged eventually kinda thing.
As a history it makes sense, and that its something that can leak.
Also if you leave it on, uninstalling an app should definitely purge its history.
Notification history is off by default in GrapheneOS....so that is nice.
two different things, it won't stop relay history
I really want to convert my pixel but I'm so damn lazy.
Mostly worried about losing TOTP apps and configurations. I really should be backing those up.
Aegis works perfectly. My university used Duo and then Okta, and both worked. I was unable to get Authy to work, though.
It is beyond easy, connect and press the button.
Just take note of your settings and apps to duplicate.
End-to-end encryption is the final boss of false-sense-of-security.
Like, it's great and all, but it's not universal perfect privacy the way a lot of people seem to hold it up as if it were. You have to understand what it's actually defending against, and who might be blocked by that, and more importantly, who won't be. Because the list of potential adversaries it is actually useful against are becoming narrower and increasingly out-of-date.
Encryption alone prevents the messages being read in transit between you and Signal, and obviously that's fundamental basic security at this point. Signal being end-to-end encrypted prevents your messages being spied on by Signal, but ironically they're probably one of the most trustworthy actors in this whole chain, so the fact that it's protected from them, while commendable, is not particularly valuable security. They were probably not the ones going to spy on you in the first place. They have prevented themselves from being capable of doing so, and that's good, but if that's all you're worried about and you now think your privacy problems are solved, you're completely missing the point because instead of Signal themselves, you need to be worried about the guy currently standing over your shoulder with his camera filming.
Treat your phone and your Windows computer like they are permanently compromised with a rootkit taking continuous screenshots of everything you do and feeding that to their big tech overlords, because they might as well be.
For that matter, even Linux PCs still have their black box "intel management engine" or similar processor running constantly and potentially watching everything you do, although I don't believe they actually do that in any reasonable case, we need to understand they have both the capability and the motivation to be, at least in some cases, compromised by adversaries which may include (but are not limited to) tech companies and governments. You can't even trust your "dumb monitor" unless you've audited every chip inside it, you'll never know if it could be scanning everything on your screen and feeding it back through HDMI/DP back-channels or even through powerline networking. You also don't know if the same kind of things could be happening on the other side that you're sending/receiving from. Sure the network trip is protected, but that's hardly the only place you're vulnerable to interception.
That probably all sounds paranoid and extreme and improbable, and it is, but the point is end-to-end encryption does nothing to help you against any of that, so don't make the mistake of assuming you're 100% safe because it's end-to-end encrypted. The "end" is not what you think it is and it's not paranoid to at least understand that and accept the risk with the understanding.
I realize I am probably preaching to the choir here, and most of you probably understand this as well as I do. But I'm also pretty sure a lot of people truly believe it's more secure against eavesdropping than it actually is and that needs to change. The surveillance state is adapting and expanding rapidly and I fear they've started getting ahead of many of us. Beware, and plan carefully in the months and years ahead.
End-to-end encryption is the one of the most basic requirements for a communication system to be secure. Endpoint authentication is another. Message authentication is the third. After those 3 are fulfilled, further requirements can vary from system to system.
It's like electrical or building code. Just because it's compliant doesn't mean it's safe, but if it's not compliant it's almost certainly not safe. Necessary, not sufficient!
Exactly!
Is your keyboard app secure (yes seriously)? Does you device store notification details? Can your notifications be viewed without unlocking the device?
Those are all little concerns that need to be considered.
I understand the intent, but this is not phrased well.
prevents your messages being spied on by Signal, but ironically they’re probably one of the most trustworthy actors in this whole chain, so the fact that it’s protected from them, while commendable, is not particularly valuable security
It's extremely valuable security, because most companies, even if they don't want to spy on you might be compelled to by court order. And those companies often think their security is sufficient because they have good intentions, and they expect the government to have good intentions when they're going as far as getting a court order. (I also suspect more court orders are justified than not, but a few bad subpoenas spoil the bunch.) The fact that they physically are unable is quite important.
All your points about how things around that can fail are valid.
That's a fair criticism and an important clarification, I agree.
iPhones save old notifications in a database? Why?
So it can relay notifications across devices like your Apple watch, macbook, iPad and iToilet
Android does this too (ETA: by default). There's a history. You can set Signal to not display message content in notifications.
Thannnnk you! My Signal notifications now vaguely say I have a new message and nothing more. Good catch
Is it like easy to get to? Could actually be useful for some stuff. Yes it's right under notifications, turns out mines been off though.
That's a interesting approach. It kind of backdoors a lot of private communication efforts. I can't even be sure, if disabling notifications for signal would avoid them from showing up in the database anyways
It should.
Signal has internal settings for exposing or not exposing the sender/content of messages to iOS notifications.
my signal notification history is a lot of "Locked message"
What if your notifications are turned off? Is anything stored in that circumstance?
You know, I'm starting to think that maybe the "drive bay full of thermite" guy way back in the day WASN'T crazy...
Clever. Not much you can do for this except not subscribe your app to the notifications API, or take extra steps to attempt to clear them, but I don't remember that being an option on iOS. Going to be an interesting fix.
On iOS, under Settings > Notifications > Notification Content
I'm assuming that changes what it actually displays, but is there confirmation that those data dont enter the notification system on the back end?
On Android the setting is within the Signal app, so I assume it won't leave the app and therefore won't enter the notification system.
Correct - the notification API from the server is literally just a ping to inform it there's something to fetch. The app itself fills the notification content. If you tell it to leave it blank there's nothing cached outside the application storage.
Apps *can* let the server fill the entire notification content without waking the app, but that's not how Signal works
Play Store version uses Google’s push/FCM but yeah even then it's just the generic ping data they get as I understand it. Some may not even want them to have timestamps, so there's solutions to that:
Can take it a step further grabbing the non-google APK on their website instead or using the hardened Signal fork named Molly. Both use a persistent WebSocket connection to Signal’s servers instead.
I imagine a similar exploit will work on Android devices, as well. Wouldn't have considered it, but it may be a good idea to figure out how to disable the content from appearing in the Android notifs, too.
This is for the client display only, and not the iOS API interface as I'm discussing. It's not very plainly laid out in the docs, but one would assume any queuing of content into the notification system would be stored or cached if not cleared. There doesn't seem to be a way to have a client of that system to clear it's own data once it's in there, just cancel last notification.
Thanks for taking the time to post a helpful instruction.
