FCM PUSH telemetry while logged out of google.

Tandara

Greetings!
I recently decided to install play services for some apps requiring it without using Google account.
I have read that agencies can ask an app provider for the push token or smth, making it possible to find connections to the other apps using it. Is it the same when I'm logged out?

other8026

Tandara If my understanding of how all this works is correct, it doesn't matter whether you're logged into a Google account or not because it still works the same either way. An app will register itself using the FCM library, get a token of some sort, and share it with the app's server. Looking through https://firebase.google.com/docs/cloud-messaging/, it appears tokens are unique per app instance, not one token per device.

Tandara

To clarify, when I'm logged out of google account

Tandara

Thank you for the reply! So it means the fcm token provided by an app won't compromise you in any way if you don't use g account?

de0u

Tandara So it means the fcm token provided by an app won't compromise you in any way if you don't use g account?

I don't see how it would be possible to make such a sweeping assurance. If the app hypothetically posted the FCM token and everything it knew about you on Instagram, that might well be comprising.

other8026

Tandara I'm afraid I don't follow... I also don't think I know enough about how all this works to give a definitive answer.

We know notifications work whether an account is logged in or not. It's possible Google has two different workflows, one for devices with logged in accounts and another for devices without logged in accounts, or the way it's done avoids being tied to accounts altogether and works the same either way. I'd guess it's the second one since it's the easiest.

Regardless of how everything is done on-device and on Google's servers, it doesn't matter much. It would make sense that Google would be able to figure out all of the tokens used by one device, whether there's a randomly generated device identifier that Google knows, or by IP addresses, etc.

Keep in mind that notifications can be empty, or app developers can encrypt notification data. For example, Signal notifications are empty and all they do is wake up the app so it can fetch data from Signal's servers and display the notification. Unfortunately, it's also possible for notifications to have data in plain text. It all depends on how the app and its servers are programmed.

Not sure what your goals are here, but using profiles might be helpful?

Tandara

Thank you for the reply! So it means the fcm token provided by an app won't compromise you in any way if you don't use g account?