upvote

points

by asteroidburger17 hours ago |
comments
upvoteby Zak16 hours ago|
next
[-]
That framing Makes it sound like the app developer has to do something active to keep message cleartext out of notifications. That's not how it is on Android.

A Firebase Cloud Messaging push notification contains what the app developer's server puts in it. That could include the message body or it could just be an instruction to the app to poll the server for new messages. It has nothing to do with the notification that's displayd on an Android device. Those are entirely local.

An app that cares about privacy wouldn't send anything more than a poll instruction over FCM.

reply
upvoteby avianlyric14 hours ago|
parent|
next
[-]
You can implement either approach on iOS as well.

But if you have strong end-to-end encryption for messages, then you don’t have to care about the transport anymore, you assume they’re all compromised. At that point you might as well use the push notification system as your transport, given both OSs allow applications to intercept the push notification locally and decrypt it before it’s displayed to the user.

reply
upvoteby asteroidburger9 hours ago|
parent|
[-]
Plus, decrypting using a key stored locally cuts out a network roundtrip, which has battery and data usage impacts.
reply
upvoteby saagarjha16 hours ago|
parent|
prev|
[-]
This has performance/reliability tradeoffs.
reply
upvoteby ls61216 hours ago|
prev|
[-]
In fact this is what both iMessage and Signal (and maybe Whatsapp too but I can’t tell from a quick google) do.
reply