Are there any privacy concerns by enabling notifications?
Notifications
Hey there! If you're talking about the "Notifications" permission, then no. That should be fine. It only controls whether you see notifications for a particular app or not.
matchboxbananasynergy added the Solved tag .
matchboxbananasynergy What about enhanced notifications? When enabling it in settings it says:
"Enhanced notifications can access notification content, including personal information like contact names and messages. This feature can also dismiss or respond to notifications, such asanswering phone calls, and control Do Not Disturb"
Which company collects this information and should this be turned off for privacy?
Ghj456 Can you provide me with an example of an app that's requesting that so that I can take a closer look?
matchboxbananasynergy Go to settings on your GOS phone, then go to notifications and scroll all the way down. It is the last one called "enhanced notifications". Enable enhanced notifications, the message will pop up.
I'm not matchboxbananasynergy, but maybe I can help them out...
Short answer: it doesn't matter. Notifications are coded the same way whether enhanced notifications are enabled or not. This also means notifications are handled exactly the same way with FCM push notifications, so Google doesn't get to see anything new with enhanced notifications (if you have Google Play Services installed, of course).
The only real difference is how they're displayed or how you can interact with the notifications.
Perhaps a naive question, but are the notifications encrypted (enhanced or not) to prevent google from reading them?
I think I read iOS encrypts their notifications.
According to this, no. Notification data is stored in cleartext on FCM servers by default, but data can be encrypted with a 3rd party library.
The data field in a push notification is optional, so no big deal if things aren't encrypted if no data is added.
Signal, for example, just makes a new notification with an FCM ID, a notification type, and the notification's priority. The data field is empty for messages. When a notification comes in, the app launches in the background, pulls down new messages, then the app displays the notifications itself. All Google can see is the user received a Signal notification.
I don't know how other apps do it. I wouldn't be surprised if many apps that use push notifications store data in cleartext for their own convenience.
a year later
- Edited
"Enhanced notifications" feature toggling :
unwat Short answer: it doesn't matter.
unwat Signal, for example, just makes a new notification with an FCM ID, a notification type, and the notification's priority. The data field is empty for messages. When a notification comes in, the app launches in the background, pulls down new messages, then the app displays the notifications itself. All Google can see is the user received a Signal notification.
Thank you very much for the in-depth explanations + links !
From these links, I found :
Developers already use HTTPS to communicate with Firebase Cloud Messaging (FCM). The channel between FCM server endpoint and the device is encrypted with SSL over TCP. However, messages are not encrypted end-to-end (E2E) between the developer server and the user device unless developers take special measures.
https://android-developers.googleblog.com/2018/06/project-capillary-end-to-end-encryption.html
So I guess Signal devs are smart enough to never display the message content within the notification ? (Idk I never used this app yet, please confirm it to me), but I've seen a lot over shoulders that apps like the facebook ones display the message content, be it as an app-at-rest notification pop-up, or as an in-app data pop-up ( https://firebase.google.com/docs/cloud-messaging/concept-options#encryption_for_data_messages ).
TL;DR So since the ever evolving "IA" part, regarding what answer suggest to what, runs on g2o servers I guess, I think it does matter to untoggle notification enhancements, on profiles running play services. Let me know if I got it wrong please
However now my trust issue is, what if someone uses a messaging app available on the playstore, but sideloaded from elsewhere than from the playstore, within a profile lacking the play services. Sure the user device won't receive the push notifications, but the devs servers will send the push notifications to the FCM servers anyway, to be decrypted in here anyway, before not encrypting it back + sending it to the end user as they don't run play services, right?
So for FCM servers not to see any part of the messages, one has to use apps that don't rely at all on FCM notifications = apps not present on the playstore ?
graphenediscoverer4 So I guess Signal devs are smart enough to never display the message content within the notification ?
Theres a difference between the push notifications that Signal sends to a user profile with Play installed via Googles push service and the notification that shows on your device screen.
Signal does not send the message via Google. They just send a "ping" which wakes the Signal app on your device and gets it to connect directly to Signals servers to check for messages. If appropriate the Signal app will then display a notification on your device.
Damn thank you very much, so from their docs, HTTP v1 API means FCM servers, and FCM server protocols mean FCM syntax to be sent to devs servers directly