Push notifications are widely used in Android apps to show users timely and potentially sensitive information outside the apps’ regular user interface. Google’s Firebase Cloud Messaging (FCM) is the default service for sending push notification messages to Android devices. While it does provide transport layer security, it does not offer message protection to prevent access or detect modifications by the push notification service provider or other entities-in-the-middle. App developers need to implement their own message protection schemes to protect the content from such threats. We present and discuss an in-depth mixed-methods study of push notification message security and privacy in Android apps. We statically analyze a representative set of 100,000 up-to-date and popular Android apps from Google Play to get an overview of push notification usage in the wild. In an in-depth follow-up analysis of 60 apps, we gain detailed insights into the leaked content and what some developers do to protect the messages. We find that (a) about half of the analyzed apps use push notifications, (b) about half of the in-depth analyzed messaging apps do not protect their push notifications, allowing access to sensitive data that jeopardizes users’ security and privacy and (c) the means of protection lack a standardized approach, manifesting in various developer-defined encryption schemes, custom protocols, or out-of-band communication methods. Our research provides initial insights into the use of end-to-end protection of push notifications in practice. It highlights gaps in developer-centric security regarding appropriate technologies and supporting measures that researchers and platform providers should address.
2024-08-05
2024-10-10