I remember reading an article where the government and Google were able to read notifications and record them from every android device. I wonder if Graphene might have patched this problem, and if not, do they have any plans to do so?

Thanks!

  • MigratingtoLemmy@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    0
    ·
    8 months ago

    Essentially, the apps which don’t use Google FCM service are not affected (from what I understand?). I assume that there isn’t a problem on the client-side and this exploit works purely because Google stores these notifications.

    • dracs@programming.dev
      link
      fedilink
      English
      arrow-up
      0
      ·
      8 months ago

      Anything using FCM will be effected. UnifiedPush which I mentioned I don’t believe has an option to encrypt notification content either. Using it you’d already at least have the option of using a provider with a better privacy policy or self hosting it.

      • evo@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        8 months ago

        I don’t believe has an option to encrypt notification content either.

        This is not an option you would actually want from any service.

        You don’t want to be giving the plain text message to anyone to encrypt. Instead the notification contents should be given to the service provider (FCM or anyone else) already encrypted and only able to be decrypted by the app.

    • Skull giver@popplesburger.hilciferous.nl
      link
      fedilink
      English
      arrow-up
      0
      ·
      8 months ago

      I believe apps working without FCM should be fine, or at least require more effort for third parties like law enforcement to intercept. There’s nothing preventing the NSA from listening in on the notifications of alternatives either, of course. Ideally, all notification services have their notification encrypted end-to-end. If app developers do that, FCM should be fine.

      • MigratingtoLemmy@lemmy.worldOP
        link
        fedilink
        English
        arrow-up
        0
        ·
        8 months ago

        Would you happen to know what WhatsApp and Signal use? I believe FOSS apps from F-droid do not use Google’s notification service

        • Skull giver@popplesburger.hilciferous.nl
          link
          fedilink
          English
          arrow-up
          0
          ·
          edit-2
          8 months ago

          Both default to FCM as far as I know. WhatsApp has a fallback notification system, but I don’t think Signal does.

          Edir: correction: Signal does seem to work without FCM, but if you set it up and then nuke FCM, Signal will show a near permanent notification indicating that Signal needs Google Play services because of a bug.

          FOSS apps sometimes use FCM, though that should be labeled in the app details as an anti feature, I believe. It’s very hard (almost impossible) to write power efficient notifications without centralising the notification flow.

          There are semi-standards, like Unified Push, that can help, and UP can even use FCM as a backend if you so wish, but I don’t think many apps use it at the moment.

          • MigratingtoLemmy@lemmy.worldOP
            link
            fedilink
            English
            arrow-up
            0
            ·
            8 months ago

            Thanks, I’ll go read some more. I’m trying to move away from WhatsApp and wanted to run Signal in my main profile on Graphene. I hope I can use it without FCM there.

            • dracs@programming.dev
              link
              fedilink
              English
              arrow-up
              0
              ·
              8 months ago

              Signal does have a fallback if FCM is unavailable. It supposedly uses slightly more battery, but I can’t say I noticed it. I’ve swapped to using Molly which is a fork of Signal which implements UnifiedPush (among some other features).