Alaknar
commented
7 months ago Here's a Reuters article on why is that important:
Governments spying on Apple, Google users through push notifications - US senator
Open ghost opened 7 months ago
Alaknar
commented
7 months ago Here's a Reuters article on why is that important:
Governments spying on Apple, Google users through push notifications - US senator
Privat33r-dev
commented
7 months ago @cody-signal @dev-aniketj maybe it can be escalated?
The situation raises security concerns. If data sent with FCM is unencrypted, then message data may be compromised. By the very least metadata is leaking.
codethief
commented
7 months ago @ghost At least the standalone Signal APK uses FCM opportunistically and falls back to using a WebSocket if Google Play Services are not available, see also https://github.com/signalapp/Signal-Android/issues/1000 and https://github.com/signalapp/Signal-Android/commit/1669731329bcc32c84e33035a67a2fc22444c24b.
Now, the question is whether "available" means "installed on the phone" or "network connection can be established". If it's the former, your DNSFilter wouldn't cause Signal to fall back to a WebSocket since Play Services are still available on your device. Looking at the code (see the aforementioned commit) and at the function isGooglePlayServicesAvailable it uses, it looks like it's indeed the former.
Is there a plan to drop GCM/FCM (which as Tutanota highlights “includes Google’s tracking code for analytics purposes”)
As for analytics please see https://github.com/signalapp/Signal-Android/issues/6848#issuecomment-464409912 .
codethief
commented
7 months ago @0xB001
The situation raises security concerns. If data sent with FCM is unencrypted
But it's not. (I have trouble finding an official source right now but here is at least one source and here is another.)
Also note that even Google itself recommends E2E-encrypting push notifications, so on these grounds alone I doubt the Signal developers didn't do their homework.
Alaknar
commented
7 months ago @0xB001
The situation raises security concerns. If data sent with FCM is unencrypted
But it's not.
It's not about encryption. From the Reuters article:
Wyden's letter cited a "tip" as the source of the information about the surveillance. His staff did not elaborate on the tip, but a source familiar with the matter confirmed that both foreign and U.S. government agencies have been asking Apple and Google for metadata related to push notifications to, for example, help tie anonymous users of messaging apps to specific Apple or Google accounts.
codethief
commented
7 months ago @Alaknar
It's not about encryption.
I was addressing @0xB001's comment which was talking about encryption.
Regarding your comment and the Reuters article you posted:
U.S. government agencies have been asking Apple and Google for metadata related to push notifications to, for example, help tie anonymous users of messaging apps to specific Apple or Google accounts.
What is the "metadata" here? That you're using Signal at all? They already know this if you installed Signal through Google Play Store. If you see a real issue here I'd suggest you open a separate ticket.
Also, last time I checked I could use Google Play Services/FCM on my phone without logging in with my Google account. And, once again, you can use Signal entirely without FCM (at the cost of battery life).
In any case, I think we should continue the discussion here -> https://community.signalusers.org/t/use-gcm-fcm-alternatives-for-notifications/10264/43
Privat33r-dev
commented
7 months ago @codethief thank you so much for clarifications and detailed response.
BentiGorlich
commented
7 months ago I would love it if signal would support UnifiedPush via Ntfy
ghost
commented
7 months ago Any updates?
schklom
commented
5 months ago @BentiGorlich Molly-UP (https://github.com/mollyim/mollyim-android-unifiedpush/) does, it is a fork of Signal with UP and no Google stuff :) Although, it requires a small server.
NilsRenaud
commented
2 months ago Any updates on this issue ?
stale[bot]
commented
2 days ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
schklom
commented
2 days ago @NilsRenaud If you can convince a signal dev to take a look at this :P
Hi,
It seems weird that Signal still relies on GCM/FCM for notifications.
Even with Signal APK downloaded from the website, and having whitelisted Signal in DNSfilter (personalDNSfilter | F-Droid - Free and Open Source Android App Repository 3), I can’t receive Signal notifications if I do not open the app, because I blocked GCM/FCM adresses (mtalk.google.com 5, alt1-mtalk.google.com,…) with DNSfilter.
While we trust Signal for keeping the minimum metadata, how can we know what Google keeps if Signal needs to transmit data to their servers for each notification/message ?
Furthermore, curcumventing GCM/FCM has been solved by other android app team, like Tutanota (the blog post also cites Mastodon):
Link to post in blog
Is there a plan to drop GCM/FCM (which as Tutanota highlights “includes Google’s tracking code for analytics purposes”) for SSE (Server Sent Events API) or another alternative ?