[eridius]

It's pretty weird how the article doesn't even bother to mention that Apple has an official API for doing encrypted notifications, and I really have no idea why these apps are abusing the VOIP stuff instead of using the actual encrypted notification feature. The article quotes someone as claiming APNS isn't reliable, but with zero evidence, and it seems pretty darn reliable for all of the non-encrypted apps using it.

[lacker]

In Apple's API you can send an encrypted message and have the app decrypt it. But you can't send an encrypted blob of data and have the app decide whether that blob of data was a message to be shown to the user, or a different sort of data like a read receipt. So the server needs to be able to differentiate the types of data packets sent from user to user, in order to use Apple's notification API, which is less private.

[oneplane]

And that would be a problem if having 'is typing...' and 'was read' notifications had to be pushed realtime to an app that was in the background. What is the point of those notifications arriving in the app when the user isn't using it.

[freeone3000]

The sender of these notifications doesn't know that the user has closed the app. What this means is that the message send from the sender through the server now has to include whether this is a message or a non-message, which has to be a flag in plaintext.

[oneplane]

But why use background notifications for this type of data in the first place?

[madrox]

From PushKit's documentation:

PushKit notifications also have the following advantages over user notifications:

- The device wakes only when it receives a PushKit notification, which can improve battery life.

- Upon receiving a PushKit notification, the system automatically launches your app if it isn't running. By contrast, user notifications aren't guaranteed to launch your app.

- The system gives your app execution time (potentially in the background) to process PushKit notifications.

- PushKit notifications can include more data than user notifications.

Sounds like PushKit notifications are treated like a full app launch, which gives your code access to APIs which regular push notifications don't give you (trivial example being location) https://developer.apple.com/documentation/pushkit?language=o...

[mobilio]

Correct!

But also some authors uses PushKit to keep their app constantly running in background.

[joecool1029]

> The article quotes someone as claiming APNS isn't reliable

I looked into that, the second answer here gives better but slightly dated insight on the matter, it makes sense: https://security.stackexchange.com/questions/119624/how-is-w...