How secure are Apple APNS push notifications?
Does anyone know where the vulnerabilities are in Apple's APN push notification services?

We can ensure that our notifications are sent securely to Apple, so we just need to know whether they can be intercepted from that point?

Motivation: We have built an iOS messaging app that we are making as a 100% secure solution, with some features that have never been exploited before in security.

Averroism answered 22/9, 2015 at 14:22 Comment(5)
Push notification is nothing more than notifying the application that it has data/information to look at. You don't send the actual data itself. - Grume
@BlackFrog You can send 2kb of data in the payload of the notification. - Averroism
You can send 2kb of data, but if you are worried about security you would send only an identifier. When the application receives that identifier, the app at that time connects to the server to get the actual data itself. Again, what part of APNS do you think is vulnerable? - Grume
I agree that is the normal way of doing things. I just need to know if there is any reason we shouldn't send the message body in the push notification. It would be much nicer for the end user if they could read the message in the notification; I just need to be sure this is ok from a security point of view. Whether there is any readily available way for hackers to intercept the notification is my main question. - Averroism
All of the push notification data runs through service provider servers (Apple, Google, Microsoft, etc.) and is subject to information requests. If you aren't at least encrypting the bodies, then from a security standpoint you're essentially posting your users' notifications publicly. I say this because there have been examples of tech company employees stealing this kind of data, and additionally because there have been millions of big dragnet requests by agencies for all of the data of people who have ever interacted with a person of interest, etc. - Taipan
Apple released the UNNotificationServiceExtension last year, allowing developers to send fully-encrypted notification payloads through APNS and then let the app on the end-user's device itself do the decryption (or load any additional supporting data) before displaying the notification:

The UNNotificationServiceExtension class provides the entry point for a Notification Service app extension, which lets you customize the content of a remote notification before it is delivered to the user. A Notification Service app extension does not present any UI of its own. Instead, it is launched on demand when a notification of the appropriate type is delivered to the user’s device. You use this extension to modify the notification’s content or download content related to the extension. For example, you could use the extension to decrypt an encrypted data block or to download images associated with the notification.

My team is investigating this further as a means to send useful notifications in a fully HIPAA-compliant manner, with no ability for Apple to see the plaintext of the notification. We're optimistic.

Kelleykelli answered 6/2, 2017 at 17:14 Comment(4)
What did your investigations find out? - Deandreadeane
For the most secure applications, considering a threat vector of Apple employees and state actors (like how the NSA infiltrated Google), you can: 1) Use UNNotificationServiceExtension 2) Add logarithmic-random delays to messages 3) Send APNS with probability α=0.1 randomly when no such actual message exists 4) Send APNS with probability β=0.9 when a message actually exists. - Eldred
We were able to successfully implement end-to-end encrypted push notifications using the UNNotificationServiceExtension feature. - Diarchy
Even when passing through the UNNotificationServiceExtension, the notification alerts are eventually handed back to the OS to display to the user at some point. So in short the OS will always get a chance to "see" the alert content before the banner is displayed, and this doesn't mitigate all insider-threat or 0-day threats. The E2EE more so offers protection in transit and also data security, mitigating almost all threats except for the most paranoid of use cases. A messaging push notification can never be fully e2e secured. It seems this conversation is mostly focused on data though. - Splay
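The server-encrypts, extension-decrypts pattern this answer describes, as an added Go example that is not code from the answer, from Apple, or from any APNS library. The `enc` key name, a pre-shared per-device AES-256 key, and AES-GCM are assumptions; the device side, which in practice lives in a Swift service extension, is written in Go here only to show the round trip.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// Payload is the APNS JSON Apple relays. "aps" is Apple's own dictionary; "enc" is an
// app-defined key (an assumption here) carrying base64(nonce || AES-GCM ciphertext).
type Payload struct {
	APS map[string]interface{} `json:"aps"`
	Enc string                 `json:"enc"`
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// BuildEncryptedPayload runs on the app server: the body is sealed under a key shared
// with the device (assumed set up out of band); Apple sees only a placeholder title.
func BuildEncryptedPayload(key []byte, body string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil { return nil, err }
	p := Payload{ // an alert plus mutable-content=1 is what makes iOS run the extension
		APS: map[string]interface{}{"alert": map[string]string{"title": "New message"}, "mutable-content": 1},
		Enc: base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(body), nil)),
	}
	return json.Marshal(p)
}

// DecryptPayload is the device side (what the UNNotificationServiceExtension does):
// recover the body from the relayed JSON; a tampered ciphertext fails the GCM tag check.
func DecryptPayload(key []byte, wire []byte) (string, error) {
	var p Payload
	if err := json.Unmarshal(wire, &p); err != nil { return "", err }
	ct, err := base64.StdEncoding.DecodeString(p.Enc)
	if err != nil { return "", err }
	gcm, err := newGCM(key)
	if err != nil { return "", err }
	if len(ct) < gcm.NonceSize() { return "", errors.New("enc field missing or truncated") }
	body, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil { return "", err } // authentication failed: altered in transit
	return string(body), nil
}
```

Note that, as the Splay comment above says, the decrypted text is still handed to iOS for display, so this protects the body against the relay, not against the device's own OS.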
Have a look at this article:

The connection between the device itself and the push cloud service is of course secured over a TLS channel.

...

But what about the actual text and other metadata that is sent with the push message from the app cloud service to the app installed on a device. How is it secured? The thing here is that it is always secured in transport as described above, but the message itself is in clear text between these transports.

And it is here that the problem with users' privacy comes in. All push cloud services have every push message that is sent through their systems in clear text.

That is, they have the ability to analyze, look at, and share/sell the data. And they run the risk of getting compromised and losing the data to cyber criminals.

So in general, if you want to be on the safe side, don't send any sensitive data with push notifications. Instead, just use push notifications as a syncing mechanism, to tell the app that there is new data that needs to be fetched in a secure way that you can control.

Jehovist answered 23/9, 2015 at 9:23 Comment(2)
FYI - that article was written in 2014. The author of that piece has since made the following comment on 4 Feb 2017: "With iOS 10 you have the ability to encrypt the payload before you send it from the server and then there is a hook to decrypt it on the phone before it is being displayed in the lock screen/notification center/etc." - Kelleykelli
I read this post about OneSignal and its data policy (it is surprisingly open about it). But if OneSignal is able to get your app users' phone numbers, IP addresses (locations), browsing behaviour, etc. and share (sell) them to its partners, how can I ever be sure that Google, Apple, Amazon etc. are not doing the same business with user data (no matter their policy)? We as developers need to acknowledge that we are responsible for creating the data link between our app users and the tech companies that earn from it. - Visby
Short answer: you should not include sensitive data in the notification payload.

More detail: even though APNs enforces end-to-end cryptographic validation and authentication using two levels of trust, per Apple's documentation you should not include sensitive data in the payload:

Because the delivery of remote notifications is not guaranteed, never include sensitive data or data that can be retrieved by other means in your payload. Instead, use notifications to alert the user to new information or as a signal that your app has data waiting for it.

For example, an email app could use remote notifications to badge the app’s icon or to alert the user that new email is available in a specific account, as opposed to sending the contents of email messages directly. Upon receiving the notification, the app should open a direct connection to your email server to retrieve the email messages.

Encomiast answered 9/9, 2020 at 1:10 Comment(0)