- cross-posted to:
- pulse_of_truth@infosec.pub
- cross-posted to:
- pulse_of_truth@infosec.pub
“App developers can encrypt these messages when they’re stored (in transit they’re protected by TLS) but the associated metadata – the app receiving the notification, the time stamp, and network details – is not encrypted.”
The fix would be different - not have it go through “someone else’s computer”. Whenever “someone else’s computer” is involved, you should just assume they log everything. Even if they don’t do it and don’t want to - they can be silently made to do so.
But there’s also UnifiedPush. If apps used that, you could just selfhost that server. A lot of open source apps do use it. I, for example, have a phone with MicroG and I didn’t enable cloud messaging. I also have a Nextcloud server, where I installed the UnifiedPush provider and I use NextPush on my phone as the UnifiedPush app. Works great and that way a lot of apps I have don’t need to run in the background constantly.