Governments obtaining push notification metadata from Apple/Google

https://arstechnica.com/tech-policy/2023/12/apple-admits-to-secretly-giving-governments-push-notification-data/

No Google Play Services, No Firebase push notifications, No problem!!

"Data transmitted to Google and Apple includes metadata "detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered," Wyden wrote. Sometimes data shared may include "unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification," Wyden warned."

Was just going to post the same, even though most, if not everyone, here knows this.

Was about to post this, but you beat me to it!

I bet Microsoft does the same. Basically, any major OS maker with its own ecosystem is a government target. I think Linux is an exception.

    Am I correct in saying, just because you don't run Play Services doesn't mean the apps you are using aren't still pinging Google's services to attempt to push a notification?

    I assume the only way to circumvent this is to only install apps that do not use Firebase notifications (regardless of installing Play Services).

      OpenSource-Ghost

      Basically, any major OS maker with its own ecosystem is a government target.

      Using a niche OS doesn't protect you from this. See the many examples of people who were targeted because they used a niche product such as Encrochat where governments can get away with much more extreme actions without the same pushback.

      I think Linux is an exception.

      Linux is a kernel, not an operating system. Android distributions are Linux distributions.

      Graphene1 That's incorrect, Google's FCM library doesn't function without Play services. Apps would need to use the API on their own without Google's library, but you're only referring to the ones using the library.

      Apps with end-to-end encryption either use end-to-end encryption for their push notifications or don't send data through them. Signal only uses push notifications to wake the app when it's in the background and then it has to fetch the data from their server. It uses push from their own server when in the foreground even when using Play services. Without Play services, it just uses their own push at all times, although it's not optimized very well.

        OpenSource-Ghost Absolutely they do. Anything these big corpos can do to get data, they will do it. It's best just to assume they can track and intercept everything, and adjust your security posture from there.

          GrapheneOS Apart from disabling the network permission of Google Play, are there any solutions to disable FCM? (I need Play Services.)

            What is mindblowing is the mental gymnastics big tech does on this one.
            "Oh, we are sorry, but the gov didn't allow us to share this, blabla."
            Just don't collect push notifications, delete them from your servers after they are delivered, and regularly rotate those push IDs, and you have little to nothing to share with LEO.
            This again shows that they just don't care.

              FlyingRacoon The data does have to be kept while it's in the process of being delivered but can be deleted afterwards. They could demand future data rather than only past data so it can be obtained going forward. End-to-end encryption can resolve this for the content sent through it and there's no reason automatic, seamless end-to-end encryption cannot be implemented inside of newer client and server libraries for FCM. In fact, a third party could write a wrapper around the FCM libraries implementing near fully automatic E2EE. The client just needs to provide a public key to the server alongside the FCM registration ID, and then regularly rotate it.

              Upstate1618 Apps choose which of the data they have available locally should be sent to their own services or other services. They choose how they protect that data. As an example, Signal doesn't send any data through FCM but rather only uses it to wake itself. Any other E2EE messaging apps do the same thing or send the data through FCM end-to-end encrypted. They don't have the non-E2EE data, so they cannot send it through FCM. They can E2EE the whole FCM message to avoid giving more metadata to it than the time, destination and size of the message. The only reason to send data through it is avoiding a connection to their own server to display the notifications after waking to handle notifications being ready. Any app can use it to trigger a connection to their own server like Signal, with empty content, if they choose.

              FCM exists to push data from the app's servers to their app on your device. Their servers must have the data to send it to you in the first place. The data being on their server makes it available to be obtained via lawful requests, as is happening with FCM here. They can serve the warrants to the app's servers too, not only Google for FCM. It's easier for them to not need to deal with smaller companies, but they can certainly do it for any large messaging app. This is something solved by E2EE, not by avoiding a specific service because it complies with warrants requesting data.

              Requesting data via warrants doesn't apply specifically to FCM. Google is requiring a warrant, so they're requiring more than Apple and it wouldn't be legal for them to outright refuse all the requests. If what you've taken away from the story is that you should avoid FCM, then you've largely missed the point. This applies to all data stored on servers under the jurisdiction of a country. It applies to all Apple and Google services, and all alternatives to those services. An alternate push messaging system can have the same requests made of them. If they use end-to-end encryption or don't support messages with content, then they can avoid content being obtained but they still have tons of metadata passing through. They could avoid recording metadata, but they are capable of recording it if a court requires that they do it.
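As an added illustration of the two approaches described in the replies above (a content-free wake push the way Signal uses FCM, and a third-party wrapper that end-to-end encrypts the push payload to a per-device public key registered alongside the registration ID, with key rotation), here is a small Go sketch. It is not code from GrapheneOS, Signal, Google or any FCM library. The `Relay` type stands in for FCM and only models what such a service sees (registration ID, time of push, payload size); the `push-e2ee-v1` label, the payload layout (ephemeral X25519 key || nonce || AES-GCM ciphertext) and the use of SHA-256 in place of HKDF are assumptions made here to keep it standard-library only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Relay stands in for a push service such as FCM (constructed for this example).
// It records what such a service unavoidably learns: registration ID and payload size.
type Relay struct {
	Log   []string          // one "regID:bytes" entry per push
	Queue map[string][]byte // latest payload waiting for each registration ID
}

func NewRelay() *Relay { return &Relay{Queue: map[string][]byte{}} }

func (r *Relay) Push(regID string, payload []byte) {
	r.Log = append(r.Log, fmt.Sprintf("%s:%d", regID, len(payload)))
	r.Queue[regID] = payload
}

// NewDeviceKey makes the device's X25519 keypair. The private half never leaves
// the app; the public half is registered with the app's own server next to the
// FCM registration ID. Calling it again is the rotation step (re-register the new key).
func NewDeviceKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// aeadFor derives an AES-256-GCM key from the shared secret and both public keys.
// A real wrapper would use HKDF with a label; SHA-256 keeps this stdlib-only.
func aeadFor(shared, ephPub, devicePub []byte) cipher.AEAD {
	key := sha256.Sum256(bytes.Join([][]byte{[]byte("push-e2ee-v1"), shared, ephPub, devicePub}, nil))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)  // AES block: cannot fail
	return aead
}

// Seal runs on the app server: encrypt to the device's registered public key under
// a fresh ephemeral key. Payload = ephPub(32) || nonce(12) || AES-GCM ciphertext+tag.
func Seal(devicePub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(devicePub)
	if err != nil {
		return nil, err
	}
	aead := aeadFor(shared, eph.PublicKey().Bytes(), devicePub.Bytes())
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read does not return an error on current Go
	out := append(eph.PublicKey().Bytes(), nonce...)
	return aead.Seal(out, nonce, plaintext, nil), nil
}

// Open runs on the device. It rejects truncated payloads and anything sealed
// to a previous, rotated-out key (the GCM tag check fails).
func Open(priv *ecdh.PrivateKey, payload []byte) ([]byte, error) {
	if len(payload) < 32+12+16 {
		return nil, fmt.Errorf("push payload too short: %d bytes", len(payload))
	}
	ephPub, err := ecdh.X25519().NewPublicKey(payload[:32])
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	return aeadFor(shared, payload[:32], priv.PublicKey().Bytes()).Open(nil, payload[32:44], payload[44:], nil)
}

// WakeOnly is the Signal approach: push nothing; the app fetches over its own connection.
func WakeOnly(r *Relay, regID string) { r.Push(regID, nil) }

// SendSealed pushes E2EE content; the relay still sees registration ID, time and size.
func SendSealed(r *Relay, regID string, devicePub *ecdh.PublicKey, text string) error {
	ct, err := Seal(devicePub, []byte(text))
	if err != nil {
		return err
	}
	r.Push(regID, ct)
	return nil
}

// OnPush is the device's wake handler: empty payload means fetch; otherwise decrypt locally.
func OnPush(priv *ecdh.PrivateKey, payload []byte) (text string, fetchNeeded bool, err error) {
	if len(payload) == 0 {
		return "", true, nil
	}
	pt, err := Open(priv, payload)
	return string(pt), false, err
}
```

Either path leaves the relay with the same metadata (who, when, how many bytes); the difference is only whether content crosses it at all. Rotation is deliberately simple here: after `NewDeviceKey` is called again, anything still queued under the old key fails to open, so a real wrapper would keep the previous key until the queue drains.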

                4 days later

                GrapheneOS I find your explanation extremely helpful, thank you! One question: do you know if the push notifications for Proton Mail and Tuta Mail are E2EE?

                  xYz do you know if the push notifications for Proton Mail

                  This was brought up in Proton's AMA 5 days ago, to which their CTO, Bart Butler, answered:

                  we anticipated this years ago, which is why we end-to-end encrypt all push notifications between our servers and users' devices. That said, we will continue to use Apple and Google push notifications when the services are available on the device because unfortunately they are favored heavily by the operating system in terms of performance and battery life. We are also developing an alternative push notification framework to support web, desktop, and de-Googled devices.

                  As for Tuta Mail....

                  and Tuta Mail are E2EE?

                  They published this on their blog back in 2020 and updated it 5 days ago too.

                  Tuta was already aware of this potential risk years ago and in 2017 we entirely replaced Google's notification services with our own push notification service. If you are using Tuta on Android, no push notification data is shared with Google. Your privacy is safe with us.

                    a month later

                    This is a concern only with Play Services, right? Asking because microG also tries to connect to their servers via Cloud Messaging (unless not enabled).

                      foxjaw Why would this be a concern, and what is microG?

                        cro78 Many users think microG is a safer alternative to official Play Services. But I'm sure I've read somewhere that it's no different when you still log in to your Google account with it, and utilise their GCM as well as proprietary DroidGuard for SafetyNet/Play Integrity. You're just minimizing the data footprint, but not entirely, because you're still contacting the servers.

                        As it is open source, can someone who has read the code explain how GCM in microG works? Or is it just a black box with a toggle?

                          foxjaw It's the same thing with microG but you should read the info in our responses above.

                          foxjaw The FCM library used by the app and the server are the same closed source code with microG. microG itself has major privacy and security issues and you're still using a Google service with the same proprietary libraries and server. It's a misconception that apps cannot simply use Google services themselves directly and many of the libraries do that.