On the privacy of push notifications

Phoenix R&D

In December 2023, Reuters, TechCrunch, 404 Media, and others reported on the surveillance of Apple and Google users through push notifications. We were involved in the original investigation by netzpolitik.org. These findings have been confused in various places with an older privacy issue. In this blog post, we want to examine the problem and address potential misconceptions.

What is all this about?

Push notifications are a mechanism through which applications can send and display notifications to users of smartphones. Typical examples are the arrival of a new email or of a message in a messaging app. The user interface of push notifications is well known to any smartphone user – the infrastructure that drives them in the background is, however, a complex mechanism and not without privacy issues.

Push notifications are delivered via the Apple Push Notification service (APNs) on Apple devices, or via Google’s Firebase Cloud Messaging (FCM) or Huawei Mobile Services (HMS) on Android devices. To use these push notifications, applications must register a push token with the respective platform. Each token is an identifier that references the installation of an application on a specific device, and it is used to route messages from the internet to that device.

Push notifications come with two distinct privacy problems: