Apple reveals 'push notification spying' by foreign governments


This answered a question I had:

"What can push data reveal?

The first important point to make is that, if you are using end-to-end encrypted messaging services like iMessage and WhatsApp, that encryption still protects the messages – even if you’ve set your iPhone to preview the content."


That’s good to know. Is it any different for iMessage texts synced to iCloud? They’re not encrypted in the cloud, so are they encrypted when they hit Apple’s Push Notification Service…?

Also curious if Apple will change anything about how push notifications are processed going forward. I don’t think most people considered this as a potential security vulnerability.

They are encrypted both in the cloud and within APNS yes.


Apple has a decryption key for iCloud backups (which can include iMessage), no?

Apple having a key is very different from the data not being encrypted. Further, the link you shared specifies that one can enable Advanced Data Protection to become the sole key bearer for iCloud backups.


We need something like but as first-party citizen of all OSes, mobile and desktop (though not that important for desktop, I see no reason why not make it an option).

Let people use Apple or Google Push Service if they want. But let them choose another provider, or self-hosting etc. Centralization for push notifications obviously gives some benefits when it comes to energy usage, but it doesnt have to mean we all need to rely on the same two centralized systems.


This isn’t exactly an unknown thing by developers. There’s a reason why Signal doesn’t put the message in the sendNewMessageNotification. With Matrix it’s optional (for rooms that are not encrypted) as someone self hosting might also have their own Unified Push server that they trust.


I am surprised that everyone seems surprised about this. This stuff we have known for a while now. Metadata is a thing, and the feds do force the tech industry to share it. Nothing new to see here imho.


The news is the gag order, not the surveillance.


Yeah but that’s nothing new either or is it? I am failing to see this as of yet. All of these programs were/are secret.


Let’s say you use an app where the message contents are encrypted on the push server. For example, Signals ability to disable the message contents. (I know their implementation is different this is just an example.) This means that the contents are inaccessible, but the foreign party still has the encrypted form of the message.

If you set the app to “Name only” vs “Name and contents” does that mean the push notification would only contain the encrypted information of the name and not the message contents as well? In this case, the user intending to remove the encrypted form of the message entirely as it is possible for the encrypted message to be compromised at some point in the future.

It should. It depends on how the app implemented push notifications on their server end.


One more reason to use F-Droid.

You need proprietary Google Play Services on your phone for notifications to work, apps need to have proprietary Google code in them for this to work, and this is a proprietary service.

You’re purely depending on Google and their proprietary services for basic things such as receiving notifications, which is pure madness. They also probably see from what apps you’re receiving notifications and when you receive them.

Good luck receiving notifications with this without FCM: Release Element Android v1.6.5 · vector-im/element-android · GitHub

There are quite some apps that only provide alternatives to FCM, Google Apps, etc in their F-Droid build.

Also, this is why FCM and APNS are an issue even if the contents are encrypted:


How Signal handles push notifications:


Thank you for sharing! I was wondering about this.

1 Like

Apple is not alone with the spying on push either, Google does the same.

Notably, IMO, is Google came out and said they always required a court order where Apple was not. Considering Apple’s big talk on privacy it’s a pretty huge miss they were not requiring a court order to begin with.


So true! However, did Google statement hold true about the court order before or after what ever it had gleam from users. These companies talk the talk, but what do they do ? Well, that’s anybody guess.

1 Like

Google spokesman Matt Bryant said the company has always “required a court order” to compel disclosure of data associated with push notifications.

Regardless of the truthfulness: Apple did not require a court order and IMO, they should have.

1 Like