• JASN_DE@feddit.de
    link
    fedilink
    English
    arrow-up
    9
    ·
    11 months ago

    That depends a lot on what you’re hosting resp. if the mobile apps are using Google’s/Apple’s messaging/notification services.

    • whofearsthenight@lemm.ee
      link
      fedilink
      English
      arrow-up
      11
      ·
      11 months ago

      Sort of. If you’re receiving a notification from a remote server on iOS or standard android, they go through Apple or googles servers. That said, some apps rather than sending your device the actual notification (where this vulnerability comes from) will instead send a type of invisible notification that basically tells the app to check for a new message or whatever and then will display a local notification so the actual message stays on device and inside of the hosting services servers (like a self host.)

      • towerful@programming.dev
        link
        fedilink
        English
        arrow-up
        6
        ·
        edit-2
        11 months ago

        That said, some apps rather than sending your device the actual notification

        Pretty sure that is actually the recommendation from apple/google, as it reduces bandwidth for their notification servers.
        I think the message payload is severely limited.
        Like, pre-ios8 the limit was 256 bytes. Now it’s 2kb.

        https://stackoverflow.com/a/6316022

        • whofearsthenight@lemm.ee
          link
          fedilink
          English
          arrow-up
          3
          ·
          11 months ago

          I didn’t know that. Hmm, sounds like it’s decently likely this is a bit overblown then. I mean, I suppose there are a lot of lazy companies out there that will skip this, but that severely limits the functionality in a way that it’s going to force the secure method.

          • towerful@programming.dev
            link
            fedilink
            English
            arrow-up
            5
            ·
            edit-2
            11 months ago

            It opens users to timing attacks.
            If there are 10000 notifications per second. And across 100 incidents user A does something to cause a notification and user B receives a notification within network latency time periods, it is likely user A is talking to user B.
            Whilst that seems like arbitrarily useless data, having this at the giga/peta scale that the US government is processing it, you can quickly build a map of users “talking” to users.
            Now, this requires the help of other parties. You need to know that user A is using WhatsApp at the time. And yeh, you don’t know what the message is, but you know that they are hitting WhatsApps servers. And you know that within 5 minutes of User B receiving a notification, they are also then contacting WhatsApp servers.
            So now you know that user A is likely talking to user B via WhatsApp.
            And also user G, I X and M are also involved in this conversation.
            And you bust user G on some random charge. And suddenly warrants are issued for more detailed examination of users A, B, I, X and M.
            Maybe they have nothing to hide and are just old college friends. Or maybe they are a drug ring, or whatever.

            It’s all the “I have nothing to hide”, phones being tied to a person, privacy and all that.
            We can’t really comprehend the data warehouse/lake/ocean level of scale required to realise what all the little pieces of meta data and tracking information being able to add up to “User A is actually this person right here right now and they bought a latte at Starbucks and got 5 loyalty points” level of tracking.

            Is it likely this bad?
            Probably.
            Theres the “Target knows I’m pregnant before told anyone” story.
            https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/

            That’s over a decade ago. It’s not let off. And you can bet that governments are operating at a level a few years beyond private industry.

            So yeh, every bit of metadata counts

        • KairuByte@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          11 months ago

          Honestly, they likely also suggest this in an attempt at privacy. For all their other faults, Apple has always championed security and privacy.

  • plague-sapiens@lemmy.world
    cake
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    3
    ·
    edit-2
    11 months ago

    That’s why everyone should use GrapheneOS. Sandboxed GooglePlay services can be used, if needed. I personally use 3 proprietary apps, one of them is WhatsApp Business (self-employed and for stupid dipshits that won’t use anything else…), which is more privacy-friendly than the personal client itself. Join the resistance! Use GrapheneOS :)

    Good read about push notifications on GOS: https://discuss.grapheneos.org/d/9407-this-is-why-i-use-grapheneos

    • 𝕽𝖔𝖔𝖙𝖎𝖊𝖘𝖙@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      ·
      11 months ago

      Sandboxed GooglePlay services can be used, if needed.

      I don’t see how that would prevent this at all.

      What is being discussed here is governments compromising the push notification service on Apple’s servers (and presumably Google’s as well)

      Sandboxing Google services on your phone does nothing to change the fact that virtually all apps that receive messages/notifications are going to be using the push notification APIs that are compromised.

      Whether or not private data is sent in those pushes and whether or not they are encrypted is up to the app developers.

      It’s common for push messages to simply be used as a triggering mechanism to tell the device to download the message securely so much of what is compromised in those cases will simply be done metadata or even just “a new message is available”

      But even so, that information could be used to link your device to data they acquired using other methods based on the timing of the push and subsequent download or “pull”

      The problem is that if you go ahead and disable push notifications/only use apps that allow you to, you are going to have abysmal battery life and an increase in data use because your phone will have to constantly ping cloud servers asking if new messages/notifications are available.

        • 𝕽𝖔𝖔𝖙𝖎𝖊𝖘𝖙@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          11 months ago

          That’s cool, but also doesn’t sound all that useful.

          A fairly significant number of apps depends on Firebase and the like and don’t even have the option to pull notifications otherwise. And virtually every app at least use them.

          When’s the last time you’ve seen a chat app that didn’t require push notifications to function? Even Signal uses them. (Though they do so in a way that doesn’t expose any private data)

          You just can’t disable push without severely crippling the experience.

          Further I’m not even sure disabling them on-device will change anything at all about governments being able to surveil them server-side. Afaik you are only stopping your phone from receiving them, they would still be sent to the Firebase server from the app’s cloud servers.

          I don’t think this issue is avoidable other than app developers not using (or using in a secure manner) Firebase or GCM (or ACM) etc

          • uzay@infosec.pub
            link
            fedilink
            English
            arrow-up
            2
            ·
            11 months ago

            Signal notifications work fine without GCM, and even Whatsapp does to an extent

            • 𝕽𝖔𝖔𝖙𝖎𝖊𝖘𝖙@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              11 months ago

              That’s true, signal is pretty good about that.

              I wasn’t saying Signal required them necessarily, just that even it uses them. But now reading back through my comment I can see how that could be easily misinterpreted. My bad

        • 𝕽𝖔𝖔𝖙𝖎𝖊𝖘𝖙@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          11 months ago

          I think unless they use netfy or a similar alternative then yes.

          The vast majority of apps will be using GCM or FCM for notifications.

          Now whether or not those push messages are encrypted/don’t contain private data is up to the app developer so how much is exposed can certainly vary.

          • MigratingtoLemmy@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            11 months ago

            I get it. Indeed, it’s obvious now that even these apps would need to use Google’s API I stand corrected. Nope, apps from F-droid usually do not use GCM.

            I hadn’t heard of netfy before this, I’ll have to take a look. I’m assuming that’s an alternative FOSS framework for notifications? Can it be used as a drop-in replacement for most applications?

            • 𝕽𝖔𝖔𝖙𝖎𝖊𝖘𝖙@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              11 months ago

              You’re right, for some reason I thought Firebase was allowed.

              Yeah netfy is a FOSS notification service.

              As to drop-in replacements, I don’t think such a thing really exists on the user side, this is fully up to the app developer in how they want to implement notifications.

              To use netfy instead of FCM your app would need to be designed to do so or support it as an alternative option.

    • navi@lemmy.tespia.org
      link
      fedilink
      English
      arrow-up
      7
      ·
      11 months ago

      How does it handle push notifications? If they come from googles push service then they’d be exploitable as well.

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      5
      ·
      11 months ago

      What we need is more open hardware. Current phones are privacy issues because they are black boxes. Even if a libre device has bad security it always can be improved.

      I use Lineage os on my phone with only free apps.

      • plague-sapiens@lemmy.world
        cake
        link
        fedilink
        English
        arrow-up
        3
        ·
        11 months ago

        More open source hardware would be epic, but imo this trend will take years to grow if it even will succeed. Most people just don’t care about their privacy at all and with hw and sw being open, there’s less money to be earned because of easier plagiarism.

        • steveman_ha@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          11 months ago

          Thats weird, it almost feels like a misalignment between our general needs for computing resource development, and the incentive structures produced by using capitalist economic markets to distribute even basic goods for survival…

    • Ashyr@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      11 months ago

      How do you sandbox Google apps? Is it possible to do that with Google docs? I’ve been replacing everything else, but Google docs is difficult to replace.

      • plague-sapiens@lemmy.world
        cake
        link
        fedilink
        English
        arrow-up
        2
        ·
        11 months ago

        Every app is sandboxed by default and has no permissions, which you can give them. Like StorageScope for accessing only certain files.

  • HiddenRetro@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    11 months ago

    I’m curious how things like gotify stand up to this. Since it’s a notification server does it still rely on Google and it’s notification servers?

    • LufyCZ@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      11 months ago

      Notify (hope I remmeber the name right) has an option for both push notifications (with the usage of Google services) and polling based notifications (fully self-hosted)