Honestly I have a much much much MUCH MUCH bigger issue with the fact that it is an American and Centralised service.
FBI still can't access it though.
this post was submitted on 07 Apr 2026
163 points (97.7% liked)
Technology
83564 readers
2551 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
But Apple told me in an ad that they're better for privacy?!?
And you believed that?? Do you also believe Micro$lop when they tell you that Windows is the best OS?
Basically, they didn't do this:
(I'm on Android, so I don't know what the options look like in iOS, but they should be identical.)
They shouldn't have had to do this though.
They are similar
You also don't need to do this on Android unless you are concerned about random people seeing the messages on your screen. Signal on Android does not use Google's push notification service
You most certainly do. I looked in my notification history in my founding of signal messages.
Then I turned off my notification history.
It would be nice if Signal let you do this per conversation.
It's sort of a victim of its own success, I use it for both things that do and don't require opsec
So you are telling me an app is encrypting the shit out of every message so it can secretly delivered to another person. An then the persons phone decrypts the message and broadcasts it to an apple server, so it can get send back and make the phone go 'ding'?
Shouldnt the notification be handled inside signal somehow, so this is the only app with the decrypted message?
What is next, everything from my ram needs to go through google servers to be transmitted to my display?
The Signal server would send a backend notification to the client app via the Apple Push Notification Service. The app is then able to wake up, at which point it fetches new messages (securely) from the Signal servers. The app then generates a local notification with a preview of the received message. iOS is then logging those messages.
I learned about this a couple of months ago and I've since disabled previews in notifications. It's unfortunately the nature of how notifications are delivered to you. You should be fine by disabling message previews in your notification settings.
Yup,
https://www.privacyguides.org/articles/2022/07/07/signal-configuration-and-hardening/
Among other things
I think on android, signal do not use Google's push notification. They simple send a dummy push, and the signal app wakes up to retrive the latest message directly from signal server.
So Google never have your notification content. I am not sure if they do the same on iOS.
That being said if your attack model includes people reading your notification lock screen, then you should disable showing signal notification.
The message preview notification is handled similarly in IOS and Android. The issue isn't people seeing the notification, it's that the content of the message being passed to the phone's launcher. Which is unencrypted.
Does that actually prevent the app from sending the content through Apple’s servers or does it just prevent iOS from showing it in the notification area?
The only way apple is seeing it is when the notification is displayed. It only sees the contents of the notification itself. So it would still see who sent you a message, but it wouldn't say what it was
It's worth noting apps can avoid this on Android: https://tuta.com/blog/google-push-alternative#alternatives-to-google-push
Any FDroid app cannot use Firebase for push notifications since it's proprietary: https://forum.f-droid.org/t/firebase-allowed-in-fdroid-apps/7540
It's not because of push notifications. the message is not sent to firebase, just a signal that the app should do a refresh.
It's because the system saves the notifications apps posted to the notification menu.
but yes. don't use firebase push notifications if you can avoid it. use a unifiedpush based system. base signal app does not support it, only molly. there are some difficulties though with that that are unique to signal.
This has been done before and is already pretty well known.
When I saw it hit the news before, it was because they were reading notifications off Google servers, which contained at least part of the message. Not because they were reading the device's notification history.
That's true. Technically it's different. The end result is kind of the same though.
This is not always the same on Android. Any app from FDroid will not use Google's push notification service because it is proprietary, meaning it violates the rules for FDroid. Signal does not use Google's notification service
I'm pretty sure Signal has two builds: one with Google service and one without.
It's not because of push notifications. the message is not sent to firebase, just a signal that the app should do a refresh.
It's because the system saves the notifications apps posted to the notification menu.
It’s not because of push notifications. the message is not sent to firebase, just a signal that the app should do a refresh.
Is is 100% because of firebase. Here is an example payload from firebases official document:
{
"message":{
"token":"bk3RNwTe3H0:CI2k_HHwgIpoDKCIZvvDMExUdFQ3P1...",
"notification":{
"title":"Portugal vs. Denmark",
"body":"great match!"
}
}
}
https://firebase.google.com/docs/cloud-messaging/customize-messages/set-message-type
Notification history is purely local to the device. It is not sent to any servers.
that is the documentation of firebase, not signal. firebase just shows a common example there that is easy to implement for beginners and lazy devs. but developers can send whatever they want through firebase. I wouldn't be surprised if that's what facebook messenger is doing, but if a developer cares about their users privacy, they can just send a simple message through firebase, and make the app so that when receiving that, it checks for new messages by itself.
this is what the molly fork does with unifiedpush. the UP server, commonly ntfy.sh, only sees that the mollysocket server sent this to your molly client:
{"urgent": true}
Notification history is purely local to the device. It is not sent to any servers.
I did not claim so. but when your phone is confiscated, it's possible to read that out
Notification history is purely local to the device. It is not sent to any servers.
Yes the notifications were retrieved from the phones local storage. Firebase was not involved in anyway.
Well, of course. All notification contents go through Apple's servers (or Google's in case of Android).
Not all, no. There are alternatives on Android:
The good news is that alternative methods for push notifications are available, namely SSE (Server Sent Events) and WebSockets.
Additionally, a new open source project, UnifiedPush is becoming increasingly popular. UnifiedPush is an open source, private alternative to Google for notifications.
https://tuta.com/blog/google-push-alternative#alternatives-to-google-push
Signal for android uses web sockets for notifications
Why would a notification need to leave my device at all?
A lot of notifications originate off your device.
Because it's FAANG
It's not because of push notifications. the message is not sent to firebase, just a signal that the app should do a refresh.
It's because the system saves the notifications apps posted to the notification menu.
As I already replied om one of your other comments:
It’s not because of push notifications. the message is not sent to firebase, just a signal that the app should do a refresh.
Is is 100% because of firebase. Here is an example payload from firebases official document:
{
"message":{
"token":"bk3RNwTe3H0:CI2k_HHwgIpoDKCIZvvDMExUdFQ3P1...",
"notification":{
"title":"Portugal vs. Denmark",
"body":"great match!"
}
}
}
https://firebase.google.com/docs/cloud-messaging/customize-messages/set-message-type
Notification history is purely local to the device. It is not sent to any servers.
Added the full content of the original post to the body of this thread.