Sandboxed Google Play for push notifications breaks privacy?

I was curious about how Signal deals with this and read from a Signal developer that their notifications via Google don't include any sensitive info. Their notifications simply trigger the Signal app to wake up and check the Signal server for new messages.

IDK how ProtonMail does it, but I'd expect they do something similar.

unwat Plus there is the added fact that (a) even if they don't know the contents of the message, google knows the two endpoints and the fact that there was a message, (b) the existence of the connection between you and google lets them track you across IP addresses and may provide more data which is accessible to their software running on your phone, which yes, is restrained to some degree.

abcZ
I'd hope not. If so, that's a huge problem. I, personally, don't know what is contained in notifications from signal. The dev I read wrote that it's a simple "hey update" kind of thing.

I read this as a 2nd hand claim. Maybe it's better to find real proof either way. Theoretically, a loaded notification with metadata is possible, so is a notification to trigger a "phone home" from the Signal server.

unwat I'd hope not. If so, that's a huge problem. I, personally, don't know what is contained in notifications from signal. The dev I read wrote that it's a simple "hey update" kind of thing.

There's nothing to "hope". One endpoint (destination) is your phone. The other is SIGNAL'S SERVER (source).

I read this as a 2nd hand claim. Maybe it's better to find real proof either way. Theoretically, a loaded notification with metadata is possible, so is a notification to trigger a "phone home" from the Signal server.

No its not a "second hand claim". Its an unavoidable fact of how networks work.

Sorry, I must have misunderstood part of what you said. I thought you meant by endpoints you meant phone to phone, not phone to server, so that's my bad. It's obvious that Google knows a phone is receiving Signal notifications.

The other part of what I said, the 2nd hand claim, wasn't about networks at all. It was about what is included in the notification visible to Google. The 2nd hand claim was that nothing sensitive is included in the notification visible to Google.

Anyway, since 2nd hand claims I read on Reddit aren't that authoritative, I went through the trouble of looking through the Signal server's code and I read up a bit on FCM messaging. Their FcmSender just takes a device id, data, notification type, and a notification priority. Elsewhere in the code, in their PushNotificationManger, when a push notification is built for a Signal message, the data is set to null. So, it's verified. Signal push notifications don't include any sensitive information.

abcZ

Use "Fairemail" (preferred) or "K9Mail" instead of proton mail.

How did you get protonmail working with fairemail? I just tried and got an error message saying protonmail isn't supported. Everything I've seen posted online has said protonmail doesn't work with third party email clients. Would love to get it working if its possible.

Boffs I said instead of. Pick a better email service provider, best choice is to host your own.

abcZ best choice is to host your own

I'd say that would be the worst choice

f13a-6c3a You would definitely have to substantiate that, because its completely off.

abcZ
You listed two email clients as a replacement for an email service provider. Not helpful.

abcZ You would definitely have to substantiate that

uptime, tech knowledge, security management, hardware management, mail server management, records (DNS, MX, SPF, spam, etc.) management, service cost, just to name a few - but you already knew that :)

abcZ because its completely off

you would definitely have to substantiate that - ohh, wait....

Boffs Its not my fault or problem if some people pick an email client that ties them to a specific provider.

f13a-6c3a You've failed to support your position entirely.