• nutbutter@discuss.tchncs.de
    link
    fedilink
    arrow-up
    6
    arrow-down
    1
    ·
    2 months ago

    Yes, they can read the data. But apps like Molly (Signal Fork) send encrypted notifications. So, the time and some other metadata may be read by the server, but the content and contact won’t be visible in plain text.

    • dracs@programming.dev
      link
      fedilink
      English
      arrow-up
      5
      ·
      edit-2
      2 months ago

      For Signal/Molly, it’s less that the notification is encrypted as I understand it. It’s more the notification content is just “Hey! Stuff happened” for Signal. The app then reaches out directly to the Signal servers to see what’s new. So the message content is never sent via the push notification service (UnifiedPush or Google’s service).

        • dracs@programming.dev
          link
          fedilink
          English
          arrow-up
          2
          ·
          2 months ago

          I’m self hosting both too. MollySocket’s docs are pretty clear that it never gets an encryption key for your account, so it can’t read your messages. It only gets/forwards alerts that something happened on your account AFAIK. So I’m not sure what data it has that’s worth encrypting.

            • dracs@programming.dev
              link
              fedilink
              English
              arrow-up
              1
              ·
              2 months ago

              The UnifiedPush server is intended to be a single source your phone can keep a persistent connection open to, rather than needing a connection per service/app (this is how Google’s Firebase notifications work too).

              As Signal doesn’t support UnifiedPush, MollySocket keeps a permanent connection open to Signal’s servers to listen for new activity and forward them to your UnifiedPush server. This saves your phone keeping a permanent connection open to Signal’s servers and draining your mobile battery more.

    • Kalcifer@sh.itjust.worksOP
      link
      fedilink
      arrow-up
      1
      ·
      1 month ago

      Yes, they can read the data.

      Isn’t this contradicting the Unified Push spec? It states:

      Push message: This is an array of bytes (ByteArray) sent by the application server to the push server. The distributor sends this message to the end user application. It MUST be the raw POST data received by the push server (or the rewrite proxy if present). The message MUST be an encrypted content that follows RFC8291. Its size is between 1 and 4096 bytes (inclusive). [1]

      References
      1. Unified Push spec. Unified Push. Accessed: 2024-11-22T05:07Z. https://unifiedpush.org/developers/spec/android/
        • “Developers/Specifications/Android”. §“Resources”