by timwis 1164 days ago
Something I've often pondered: what about push notifications? Aren't their contents floating around in your phone in plain text?

I've thought about it since I used to use https://www.pushbullet.com/ (a great app, by the way) to show my mobile push notifications on my desktop. Really convenient, but a bit worrisome that an app can read these notifications in the first place!

I'm aware that you can change the notifications to not show their contents, which may resolve this issue, but (a) I imagine they're still being _transmitted_ in full, and (b) most users don't do that, of course.

Anyone know the answer to this?

9 comments

This is usually done by sending a push message with no content, that just prompts the app to fetch messages whenever new ones are available. Of course, if the App then proceeds to post the message contents to a notification in plaintext, well then... But you can adjust the settings for what to display in the notif and of course just disable the notifications, so no other app will be able to listen.
For that the app must be in foreground. How does WhatsApp manage to be always on the foreground? My app always gets killed by Android.
On Android, push notifications are handled by a service defined in your application's manifest. The system launches the service when a notification is received, and calls its onMessageReceived() function which you customize to display the notification's layout, add actions to tap events, etc.

https://firebase.google.com/docs/cloud-messaging/android/rec...

Apparently `onMessageReceived()` is called only when the app is in foreground.
I spent a day of my life at work over this annoying confusion. https://firebase.google.com/docs/cloud-messaging/android/rec...

It is counterintuitive, feels arbitrary, and logical thinking will cause you to misread the chart they provide. Whether that method is called is based on the payload of the notification as well as making sure you've properly registered the types of notifications. This is helpfully spread between Android docs and the Firebase docs. The exact differences between the notifications that will trigger this (while still being compatible with iOS) are left as an exercise to the reader.

It's not that bad if you completely ignore Firebase and override onHandleIntent. Now you can choose what to do with the message without caring about the difference between "data" and "notification" messages or whether your app is in the foreground.
by having a permanent/persistent notification. for example KeePass2Android does it pretty well. (usually when the battery saver kicks in it kills these semi-foreground things.)

when the phone starts the user has to first start the app though (and I found this to be true for Signal, Skype and probably for WhatsApp too)

WhatsApp doesn't have a persistent notification though.

> when the phone starts the user has to first start the app though

Just tested this and this is not the case with WhatsApp. I am on a Samsung and I am not sure if WhatsApp gets any special treatment.

ah, I probably misunderstood the context. KeePass2Android does this to prevent Android from putting it to "sleep", which leads to the in-memory unlocked DB getting unloaded.
It used to be that you had to send a silent push to wake the app which would display a local notification. The iOS push API got updated so that now you can send an encrypted payload and modify the notification before displaying: https://developer.apple.com/documentation/usernotifications/...
Added in iOS 10 - that is 2016.
TobTobXX is correct about how to do push notifs without transmitting the message through Google or Apple servers. This lets the app fetch the message through its own channels (and you should be able to inspect the push payload coming from Google to verify this).

Once the messaging app has downloaded the message securely, the "end" in "end-to-end" is satisfied and what you do with your notification is your decision. If you elect to explicitly grant Pushbullet permission to read your notifs and forward them to your desktop, then that's your choice I guess.

I haven't used the app you mentioned but KDE Connect and a notification log app I use both can do this.

I think maybe you forget that they need to first get the accessibility permit before it can read notifications, which is a very high level permission in Android. You cannot even grant it directly in the normal permission menu and there will be pop-up warnings. (Well then there is the question of how many 0days on earth there are in Android.)

On the web, there is a web push protocol. And a number of extensions which help out.

One of the extensions is Message Encryption, which effectively keeps the message secure during transit at least (but could be more!). Quite important really because most browsers are configured to use push services provided by the browser maker, which are public & high availability. Browsers then ask the push service for their messages.

https://datatracker.ietf.org/doc/html/rfc8291

I rather doubt Signal would have worked with PushBullet but now that it's no longer an SMS client too it's less interesting to think about.

I was a Pushbullet user years ago, but it became expensive and bloated (they included a chat service?)

For Android users, there's a free and more flexible alternative: Join https://joaoapps.com/join/

I've been using Join's API for years to send a notification to my phone when my programs are done running with a simple request.

You can also exchange files between your devices using your Google Drive account, and many other features.

As far as I know you can also have an encrypted payload in the notification, which only the app can decrypt.

I'm not sure that payload can be decrypted by an app without unlocking the phone or launching the app though.

KDE connect is a good open source alternative for pushbullet.
iOS and Android allow apps to process push notifications before displaying them.