this post was submitted on 09 Apr 2026
696 points (99.3% liked)
Technology
I am no Android developer, but can't the push notification payload be encrypted?
https://firebase.google.com/docs/cloud-messaging/encryption
A better question is if Signal does this already.
Signal doesn't send anything in the payload. They just use it to wake the phone up and then download all messages that are waiting to be delivered through the usual encrypted means. All Google knows is that something happened at that time. They don't know anything else.
No, push always leaks metadata to Google. Use Molly (Signal fork on F-Droid) and UnifiedPush instead.
So it'll use TLS encryption, meaning that others on your network won't be able to snoop it, but not end-to-end encryption, so Google/Apple servers will see the plaintext of the push notification content.
This is a limitation of the specific implementation of how push notifications work. End-to-end encrypted push notifications would be technically possible but it would require Apple/Google to make it possible. Developers can't implement it without getting you to run some services yourself, either self-hosted or a long-running background process on your phone, which would be a battery drain.
The link you shared isn't really relevant to push notifications specifically.
The best happy medium we can get is to send empty/blank push notifications, which some apps including Signal offer as an option, but you often need to set it that way in the settings. I think Signal does that by default, but very few apps do.
Not true.
The push notification for most messengers is a ping with little to no data in it, telling the app to grab messages directly via TLS. That's how e2e works with push.
As I wrote elsewhere:
I'd disagree with "most messengers" doing that, in my experience, most don't do it by default. Signal is a pretty rare exception to do so by default.
What messenger doesn't? Signal, WhatsApp, Matrix, Snapchat, Discord, Telegram, etc. I'd say "most" is pretty accurate. No idea what WeChat does, but that's a whole different story.
Also not true. What you "see" could have been retrieved post-notification, as described in the message you responded to. What you see has nothing to do with what goes through the push service and is a full technical inaccuracy.
I don't know about others, but Mattermost sends everything by default. First to Mattermost's server, then from there to Firebase/Apple. There's a setting to not send message body, but it's not set by default.
Hmm, does that mean "most" since it... matters most? Eh? Eh? Ehhhhhhh?
https://docs.mattermost.com/administration-guide/configure/push-notification-server-configuration-settings.html#id-only-push-notifications
Yea not sure why they don't do that by default since they claim they are a Slack competitor. You'd think a corporate entity would want that.