Governments May Spy on You by Requesting Push Notifications from Apple and Google
8.12.23 Phishing The Hacker News
Unspecified governments have demanded mobile push notification records from Apple and Google users to pursue people of interest, according to U.S. Senator Ron Wyden.
"Push notifications are alerts sent by phone apps to users' smartphones," Wyden said.
"These alerts pass through a digital post office run by the phone operating system provider -- overwhelmingly Apple or Google. Because of that structure, the two companies have visibility into how their customers use apps and could be compelled to provide this information to U.S. or foreign governments."
Wyden, in a letter to U.S. Attorney General Merrick Garland, said both Apple and Google confirmed receiving such requests but noted that information about the practice was restricted from public release by the U.S. government, raising questions about the transparency of legal demands they receive from governments.
When mobile apps for Android and iOS send push notifications to users' devices, they are routed through Apple's and Google's own infrastructure, known as the Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM), respectively. Microsoft and Amazon have similar systems in place, called Windows Push Notification Service (WNS) and Amazon Device Messaging (ADM).
As a result, the letter alleges that both companies can be compelled by governments to hand over the information. It's currently not clear which governments have sought notification data from Apple and Google.
That said, the U.S. is one among them, according to the Washington Post, which found more than two dozen search warrant applications related to federal requests for push notification data.
"The data these two companies receive includes metadata, detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered," the letter read.
"In certain instances, they might also receive unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification."
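The routing described above and the letter's distinction between metadata and unencrypted content can be made concrete. The following Python is an added example, not code from the article, from Apple or from Google: it models what an APNs-style relay necessarily sees for one push request, and shows one way an app back end can keep the displayed text out of the relay's view by sending only a placeholder alert and an opaque reference, with the real APNs key `mutable-content` set so the device rewrites the alert before showing it. The sample request, the `com.example.messenger` bundle id, the device token and the in-memory `store` (standing in for the app's own server) are constructed placeholders.

```python
"""Model of what a push relay sees, and a payload-minimizing transform.

Added example; the request below is constructed and not a real APNs message.
"""
import json
import secrets
from datetime import datetime, timezone

# Constructed sample request from a hypothetical messaging app's back end to APNs.
# The device token and "com.example.messenger" are placeholders, not real values.
SAMPLE_REQUEST = {
    "device_token": "a1b2c3d4" * 8,   # 64 hex chars, the shape of an APNs device token
    "headers": {"apns-topic": "com.example.messenger", "apns-push-type": "alert"},
    "payload": {
        "aps": {
            "alert": {"title": "Alice", "body": "Meet at 6 near the station?"},
            "badge": 3,
            "sound": "default",
        },
        "thread_id": "conv-1842",     # app-defined key, also handed to the relay in the clear
    },
}


def relay_view(request, sent_at=None):
    """Return what the push relay necessarily observes for one request.

    The relay reads the routing metadata to deliver the message, and the JSON
    payload is handed to it as-is, so any alert text or custom keys the app
    places in the payload are readable by the relay as well.
    """
    payload = request["payload"]
    aps = payload.get("aps", {})
    view = {
        "metadata": {
            "device_token": request["device_token"],
            "app": request["headers"]["apns-topic"],
            "push_type": request["headers"].get("apns-push-type"),
            "sent_at": (sent_at or datetime.now(timezone.utc)).isoformat(),
            "payload_bytes": len(json.dumps(payload, separators=(",", ":")).encode()),
        },
        "plaintext_content": {},
    }
    if "alert" in aps:
        view["plaintext_content"]["alert"] = aps["alert"]
    for key, value in payload.items():
        if key != "aps":
            view["plaintext_content"][key] = value
    return view


def relay_sees_text(request, needle):
    """True if `needle` appears anywhere in what the relay can read for this request."""
    return needle in json.dumps(relay_view(request))


def minimize(request, store, placeholder="New message"):
    """Return a copy of the request whose payload carries only a placeholder alert
    and an opaque reference. The real alert and custom keys are kept in `store`
    (a stand-in for the app's own server) for the device to fetch over the app's
    own channel. `mutable-content` is the real APNs key that lets a Notification
    Service Extension on the device replace the placeholder before display.
    """
    payload = request["payload"]
    aps = dict(payload.get("aps", {}))            # copy so the caller's request is untouched
    hidden = {"alert": aps.pop("alert", None)}
    hidden.update({k: v for k, v in payload.items() if k != "aps"})
    ref = secrets.token_urlsafe(16)               # random, meaningless to the relay
    store[ref] = hidden
    aps["alert"] = {"body": placeholder}
    aps["mutable-content"] = 1
    return {**request, "payload": {"aps": aps, "ref": ref}}


if __name__ == "__main__":
    store = {}
    print("relay sees before:", json.dumps(relay_view(SAMPLE_REQUEST)["plaintext_content"]))
    slim = minimize(SAMPLE_REQUEST, store)
    print("relay sees after: ", json.dumps(relay_view(slim)["plaintext_content"]))
```

The metadata half of `relay_view` (token, app, timestamp, size) cannot be removed by the app; it is what routing needs, and it is exactly the category the letter says is always available. The transform only shrinks the content half, which is the part the letter describes as present "in certain instances".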
It also urged that Apple and Google should be permitted to disclose whether they have facilitated this practice, and if so, publish aggregate statistics about the number of demands they receive, and notify specific customers about demands for their data.
In a statement shared with Reuters, which first reported the development, Apple said the letter gave them the "opening" they needed to share more details about how governments monitored push notifications.
"When users allow an application they have installed to receive push notifications, an Apple Push Notification Service (APNs) token is generated and registered to that developer and device," Apple now notes in its updated Legal Process Guidelines document [PDF].
"Some apps may have multiple APNs tokens for one account on one device to differentiate between messages and multi-media. The Apple ID associated with a registered APNs token may be obtained with a subpoena or greater legal process."
Google, meanwhile, noted that it already publishes this information in its transparency reports although it's not specifically broken down by government requests for push notification records.