The Insecurity of "Push Notifications" and What to Do About It

 By now it has been widely circulated that the US government (and their 5 Eyes friends) has been secretly snooping on phone user's messaging in the form of Push Notifications. Not only are they snooping, but they applied a legal gag order to Apple and Google to prevent them from alerting you the customer of this fact.



What's that you say? You are using an end-to-end encrypted messenger such as Signal and therefore are safe from said intrusion? Not so fast...

While there are indeed some well designed and audited secure chat apps out there, that is only part of the story. Most, if not all, messaging applications employ Push notifications as a way to let you know that someone just reached out to you, even if you didn't happen to have the corresponding application open at the moment. This is, of course, very convenient for the end user, but the problem lies in how this is facilitated on the back end. Apple and Google both employ proprietary servers that intercept a message headed your way, read the metadata (unique ID, subject, timestamp, IP addresses, first line of msg, etc...) and then forward that to your device in the form of a "Push Notification". Their reason for this scheme being that you would otherwise have to keep all your messaging applications running full time to alert you to new messages, thereby draining your battery rather quickly. That is it in a nutshell, but what can be done about this? 

First: Get a more secure phone. Meaning, something like a late model Pixel running CalyxOS or GrapheneOS, which are replacement "Android based" systems built on the de-googled AOSP / Android Open Source Project. Sorry to break it to you, but there is no meaningful way to "harden" your off-the-shelf Apple iPhone or Google Android system.

Second: Once you have your more secure phone up and running, you may want to install your favorite chat apps from the F-Droid or Aurora store apps. Here are some suggestions (non-exhaustive):

For casual, friends & family chats with some added security (but a publicly known relationship):

- Signal (FOSS or Molly version)

- Wire

- Berty

- Trifa (Tox)


For more serious secure and private chats:

- Session

- Bchat

- Briar

- Cwtch

- SimpleX


Most of the above applications will have an option in their respective settings to use an alternative type of "Push", such as websockets to avoid the Apple/Google/GCM/Firebase push servers. You can also go into the system settings of CalyxOS/GrapheneOS and disable Push notifications system wide if  desired.


I do offer phones pre-built with CalyxOS or GrapheneOS as a base and an extensive security suite on my Store page. If you are technically inclined you may opt to just "roll your own" as there are many  guides for this online.





Comments

  1. AnonymousDecember 19, 2023 at 9:21 PM

    Why not just turn off notifications?

    ReplyDelete
    Replies
    1. AnonymousJanuary 20, 2024 at 6:27 PM

      That does not necessarily stop any given app from routing push metadata via GCM on the far end, thus causing a leak despite having notifications turned off on your handset.

      Delete

Post a Comment

Popular posts from this blog

Upcoming Courses Summer/Fall 2023 *Updated*

Image
 We are looking at doing the following courses: - GroundRod Level One                              Bozeman, Montana           August 19-20 - Gunfight Concepts - Pistol & Carbine    North Carolina                 September 15-17 - Hard Target Traveler                                North Carolina                  September  18 - GroundRod Level One & Two                North Carolina                  September 21-24 - GroundRod Level One                            Boise, ID  (Private)            September 30 - GroundRod Level Two                             Bozeman, Montana          October 28-29 - Tactical Night Operations                        Central Montana                November - GroundRod Level One                            Kalispel, Montana              November Exact dates will be updated shortly. Contact us at comstugrp@protonmail.com    for inquiries or to reserve a seat. 
Read more

Become More Dangerous...

Image
  New Years resolutions....I’ll be honest, I have never been a big proponent of them. I mean we have all seen the people around us make the same resolutions every year...with the same result...being that they fizzle out within a few weeks. But, if we are going to talk resolutions, might I offer this:   In 2023, become dangerous .   What do I mean by that? It should be abundantly clear to anyone paying attention at this point that our way of life in the West and in America in particular, is being deliberately and systematically destroyed. From “in your face” voting fraud to bio-engineered viruses to genocidal gene therapy shots to wide open borders to the fleecing of the public to fund engineered foreign conflicts to the governmental targeting of “traditional Americans” as “domestic terrorists” and I could go on and on. As the saying goes - The threat is real....and we are in danger.   For the sake of yourself, your family and your way of life - become more dangerous!   - Get into fight
Read more