this post was submitted on 16 Mar 2024
61 points (95.5% liked)

Android

27317 readers
215 users here now

DROID DOES

Welcome to the droidymcdroidface-iest, Lemmyest (Lemmiest), test, bestest, phoniest, pluckiest, snarkiest, and spiciest Android community on Lemmy (Do not respond)! Here you can participate in amazing discussions and events relating to all things Android.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules

1. All posts must be relevant to Android devices/operating system.

2. Posts cannot be illegal or NSFW material.

3. No spam, self promotion, or upvote farming. Sources engaging in these behavior will be added to the Blacklist.

4. Non-whitelisted bots will be banned.

5. Engage respectfully: Harassment, flamebaiting, bad faith engagement, or agenda posting will result in your posts being removed. Excessive violations will result in temporary or permanent ban, depending on severity.

6. Memes are not allowed to be posts, but are allowed in the comments.

7. Posts from clickbait sources are heavily discouraged. Please de-clickbait titles if it needs to be submitted.

8. Submission statements of any length composed of your own thoughts inside the post text field are mandatory for any microblog posts, and are optional but recommended for article/image/video posts.

Community Resources:

We are Android girls*,

In our Lemmy.world.

The back is plastic,

It's fantastic.

*Well, not just girls: people of all gender identities are welcomed here.

Our Partner Communities:

!android@lemmy.ml

founded 1 year ago
MODERATORS
MargotRobbie@lemmy.world
Rooki@lemmy.world
Thekingoflorda@lemmy.world
L3s@lemmy.world
_MoveSwiftly@lemmy.world
61
Does Graphene OS maintain the privacy of notifications from being recorded by third parties? (lemmy.world)
submitted 5 months ago by MigratingtoLemmy@lemmy.world to c/android@lemmy.world
22 comments fedilink hide all child comments
 

I remember reading an article where the government and Google were able to read notifications and record them from every android device. I wonder if Graphene might have patched this problem, and if not, do they have any plans to do so?

Thanks!

all 27 comments
sorted by: hot top controversial new old
[–] dracs@programming.dev 31 points 5 months ago (3 children)

The issue lies with Google's FCM (Firebase Cloud Messaging) system, so it's not something GrapheneOS can really fix. As far as I know FCM doesn't offer a way to encrypt notification content. Some apps like Signal work around this by instead of sending the message content, they send a little "wake up" notification. This tells Signal on your phone to wake up and it goes and retrieves the new message.

If you don't install Google Play Services, you won't be impacted. But you'll also not get notifications for most applications. There is an alternative push notification system called UnifiedPush which allows you to choose any server to handle your notifications (and even self host it). But it does require both the service and the app to support it, so it's not very wide spread yet.

[–] Pantherina@feddit.de 10 points 5 months ago (3 children)

Lol, FCM sends the CONTENT of messages through Google?? Wtf why do we even have "E2EE" Whatsapp then?

[–] dracs@programming.dev 12 points 5 months ago

I've never worked directly with FCM, but that's my understanding of the issue. I don't know about WhatsApp. But it may do the same thing as Signal where the notification is just a wake up call and then the app connects directly to the WhatsApp servers to get the actual message.

[–] GustavoFring@lemmy.world 6 points 5 months ago

They are encrypted in transit but not E2EE unless the developer handles that themselves.

[–] d3Xt3r@lemmy.nz 6 points 5 months ago* (last edited 5 months ago)

Firebase is a platform/service provided by Google, so it makes sense that the content goes thru Google's servers.

Also, E2EE in a closed-source app like WhatsApp, run by a nefarious corporation like Meta, was always a joke concept, a marketing ploy at best. People who are truly concerned about their privacy would never touch WhatsApp.

[–] algorithmae@lemmy.sdf.org 2 points 5 months ago (1 children)

Why do we need a server to handle notifications anyway? Why isn't it local to the device?

[–] dracs@programming.dev 5 points 5 months ago

It's mostly a power efficiency thing. Before push notifications were the norm, most apps used a polling method. They had the application send a request every X seconds asking "anything new". There wasn't coordination between apps, so even every app checked once every 30s, it likely wouldn't be on the same 30s. This caused the device to wake up a lot and never let it switch into low power mode.

A push notifications system like FCM or UnifiedPush means only a single application needs to run in the background. It maintains a persistent connection to the push notification service and waits for a message. When it receives one it wakes up the relevant app and passes it the details.

[–] MigratingtoLemmy@lemmy.world 1 points 5 months ago (1 children)

If I were to install MicroG in a different profile would the rest of my push notifications be compromised too?

[–] bin_bash@lemmy.world 5 points 5 months ago (1 children)

I don't recall any article like you said; can you provide me with a link?

Also, reading notifications is only possible if the notifications are not encrypted; otherwise, it is not possible.

And this relies on the service that is sending the notification and has nothing to do with the OS you are using.

[–] MigratingtoLemmy@lemmy.world 1 points 5 months ago (1 children)
[–] bin_bash@lemmy.world 2 points 5 months ago (1 children)

Hi,

This has nothing to do with reading notifications but getting an approximate location based on notifications.

Like I said, if the notifications are sent encrypted, there is no way to read them.

Regarding tracking locations based on push messages, the only way to avoid it is by carefully selecting which apps are allowed to send you notifications.

Again, it does not matter what operating system you are using.

[–] misanthropy@lemm.ee 1 points 5 months ago (1 children)

Notifications using fcm are not encrypted, I can literally go into my firebase console ant see this is the case

[–] evo@sh.itjust.works 1 points 5 months ago (1 children)

There is nothing stopping you from encrypting the payload instead of sending plain text.