Hacker News

I think one of the main issues is that end-to-end message encryption is a sham as long as backups are not encrypted. I could have good device security, but if the person I'm talking to does not use ADP, iMessage and WhatsApp messages get backed up with only at-rest encryption (I think Signal opts out of standard iOS backups) and possibly the same for backups of the iPhone notification database (which the article suggests as a possibility).

Similarly on Android, WhatsApp suggests unencrypted backups to Google Drive by default.

Putting on my tinfoil hat, I am pretty sure that Google/Apple/Meta have some deal (successor to PRISM) where end-to-end encrypted messaging is tolerated as long as they have defaults that make it possible to access chats anyway. Apple not enabling ADP by default and WhatsApp doing Google Drive backups that are not end-to-end encrypted is the implementation. Since most people just use the defaults, it undermines security of people who care.

It's a 'win-win', the tech companies can wash their hands in innocence, the agencies get access to data, and phone users believe that they are chatting in a secure/private manner.

People keep pushing signal because it is supposedly secure. But it runs on platforms that are so complex with so much eco system garbage that there is no way know even within a low percentage of confidence if you've done everything required to ensure you are communicating just with the person you think you are. There could be listeners at just about every layer and that is still without looking at the meta-data angle which is just as important (who communicated with who and when, and possibly from where).

The median user isn't going to change default settings, so your app is as secure as whatever the default it.

Use SimpleX if you really want a secure messenger. Endorsed by Whonix, which in endorsed by Snowden.

https://www.whonix.org/wiki/Chat#Recommendation

Just to clarify, this is within the Signal app settings—not the OS (iOS or Android) system settings.

Critical distinction, as merely changing OS notification settings will simply prevent notification content from being displayed on-screen.

I allway say it: it is the defaults, stupid (paraphrasign).

The Defaults have to be the most sensitive ones.

If you are a supposed super secure app, this should be the default.

Fwiw, in my Signal app on Android this setting is in

Settings > Notifications > Messages > Show

Disable Apple Intelligence summaries for sensitive app notifications too.

I guess enabling Lockdown mode might avoid this particular issue too, together with a bunch of other stuff?

Originally enabled it just to avoid awkward moments

WhatsApp supports this too.

Settings > Notifications > Show preview

This seems to be the default for me, at least on Android.

Signal developer here. It's just because notification reliability is always a top support complaint, and a lot of people turn off notifications and don't realize they've done so. Admittedly, once a month is likely too aggressive.

> why does it keep asking?

Why does any software keep asking you to do things you explicitly told them you don't want to do? Because it's in the software developer's best interest to get you to do them, not yours. We've gotten way past the point in software where we no longer expect the software to serve the user's interest and solve the user's problems. Now, the expectation is that the user gets nagged and coerced into serving the software's interest and solving the developers' problems.

EDIT: Looks like a developer confirmed this in a sibling comment already: It nags you because that solves their support problem.

Messaging platforms where people receive and promptly respond to messages are more successful in the long run. That's why SMS overtook email. If you own a messaging platform there isn't anything inherently nefarious about pushing people to enable notifications.

Pretty sure that's just iOS behavior + app design. If notifications are off, apps will occasionally prompt again to make sure you didn't disable them by accident or miss something

Reminds me what Whatsapp if you set up a 2FA PIN, which forces you to type it about every week to check if you forgot it. So annoying.

NSL, perhaps?

Not sure if it's exactly the same, but I had to add a When notification arrives with <message>, do <action> event trigger in my Crank macOS app (https://lowtechguys.com/crank) so I can show you how to do it on macOS:

      HOURS=6
      EPOCH_DIFF=978307200
      SINCE=$(echo "$(date +%s) - $EPOCH_DIFF - $HOURS * 3600" | bc)

      sqlite3 ~/Library/Group\ Containers/group.com.apple.usernoted/db2/db \
        "SELECT r.delivered_date, COALESCE(a.identifier, 'unknown'), hex(r.data)
        FROM record r
        LEFT JOIN app a ON r.app_id = a.app_id
        WHERE r.delivered_date > $SINCE
        ORDER BY r.delivered_date ASC;" \
      | while IFS='|' read -r cfdate bundle hexdata; do
          date -r $(echo "$cfdate + $EPOCH_DIFF" | bc | cut -d. -f1) '+%Y-%m-%d %H:%M:%S'
          echo "  app: $bundle"
          echo "$hexdata" | xxd -r -p > /tmp/notif.plist
          plutil -p /tmp/notif.plist 2>/dev/null \
            | grep -E '"(titl|title|subt|subtitle|body|message)"' \
            | sed 's/^  */  /'
          echo "---"
      done

In recent years, filesystem paths for system services have started to converge for both macOS and iOS so I'm thinking with jailbreak you could get read access to that database and get the same data out of it.

On android there are apps that let you see the history - i use NotiStar occasionally to see if i unwittingly dismissed important notifications. And i believe there are apps/settings that help you clear the history from the device.

But this is a reminder that these centralized notification infrastructure (FCM and APNs) store notification content (if the app is told to send content in it - signal with option enabled wouldn't send content) even if we clear local history these middleman still hold it

So I wonder about this. The quote from the 404 media article [0] is:

“We learned that specifically on iPhones, if one’s settings in the Signal app allow for message notifications and previews to show up on the lock screen, [then] the iPhone will internally store those notifications/message previews in the internal memory of the device,” a supporter of the defendants who was taking notes during the trial told 404 Media

The default setting appears to be to only show notification preview when unlocked. Will that notification still be stored unencrypted in notification storage or is it in an encrypted store because it will preview after unlock?

It makes sense that any notification that previews on the lock screen would be unencrypted (including the case where it is encrypted but the encryption key is adjacently stored).

This all reads to me that this was a user induced OPSEC issue and Signal had the right defaults.

[0] https://archive.is/bSQhD#selection-619.0-622.0

On a Pixel, I can see some history by going to

Android > Settings > Notifications > Manage > Notification History

On android its quite easy. There is a page of a protocol address that has all notifications show. I used to have a shortcut to it. It has been years since I was on android.

But it was really useful each time I did not see a notification in time.

Edit: typo

You don't, at least not without forensics tools

I wonder how long does the system store those notifications

In my recollection, which may be imperfect:

1. On android if Google Play isn't available (or you install the no Google apk version) it'll use a websocket for notifications. Apple doesn't allow a persistent connection except through their own notification framework.

2. In either case Signal doesn't send message contents through the notification framework (not even encrypted). Once Signal receives a notification the app wakes up and reaches out to the signal service directly for actual encrypted message.

3. Regardless when signal shows the contents of your message in the notification menu of your device your device keeps a record on your device of that message content.

The FBI here didn't get anything from apple, once they had the apple device unlocked they looked at the notification database on the device to get the message contents. This isn't really any different from the fact that if the FBI has your unlocked phone they can read your signal messages. The notable bit is that the notification database retains messages even after the app is deleted.

There is no other way to send push notifications on iOS, you have to use APNS. When the app is active you can switch to your own local socket connection, but as soon as it goes into the background those connections are lost. Pushes can also start the app in the background if it hasn't been used in a while and has been evicted by the OS.

You can send push notifications with your own encryption on top, which I believe Signal does, so Apple can't see it on the APNS side, but your local extension to decrypt the content is still subject to the user's settings, and part of the notification history if you put message content in the notification.

I know it’s not germane to the Signal issue, but this caught my eye, “who previously pleaded guilty to providing material support to terrorists”.

The case comes with a long statement about the Antifa “organization”. Just your weekly reminder we are living under an Orwellian administration. https://www.justice.gov/opa/pr/antifa-cell-members-convicted...

Yes and no. Court cases certainly will disclose what capabilities various parties have come up with when it comes to security. However, there are documented cases where the government chooses to abandon prosecution for the sole purpose of preventing disclosure of some of their cyber capabilities.

True, court cases are one of the few times details actually surface

The recent Trivy / LiteLLM mess was also a security thing, and seems rather different.

The problem is that, in the current environment of dishonest and corrupt states, "what actually happens in reality" isn't the same as what happens in court because of parallel construction.

“Only a small minority of users know about settings and how to change them. The vast majority of users do not change default settings.”

Even worse, whatever critical settings you may set as a sophisticated user will frequently be reset, or changed, or re-organized under different settings… And of course, set back to insecure defaults… With subsequent software updates.

This is a regular occurrence with Firefox and privacy settings.

Whatever the actual impetus is, we should act as if this is intentional.

If you care about security at all, you disable any previews on the lock screen. The lock screen is by definition visible to anyone without any authorization. Showing anything on it immediately destroys any secrecy. It must be obvious to anyone capable of elementary logic inference.

If you don't know how to disable it, you use your favorite search engine / LLM / knowledgeable relative to find out, and disable it.

But if you just didn't pay attention, "never thought about it", you don't care about security, and no amount of technical means would help, sorry.

Imagine a parallel universe where stories about use of personal computers were written from a different perspective. For example,

"However, it appears Apple's system uses a default setting which, in turn, seemingly allowed it to store the defandant's content in Apple's database"

instead of

"However, it appears the defendant did not have that setting enabled which, in turn, seemingly allowed the system to stoire the content in the database"

In the later version, the defendant, namely his inaction in not changing a default setting, appears solely responsible for the outcome. And the actor that placed a copy of his incoming messages in a database that the actor created is referred to as "the system", not the corporation that wrote the system and sold the computer with this system pre-instaalled

> Only a small minority of users know about settings and how to change them.

I couldn't believe this so went to look up some data on this.

Holy FUCK that is bleak. There needs to be way more computer education, not just "how2type" classes.

That's unfortunately less informative if you aren't already one of their subscribers.

It's one of those problems where as soon as someone notices, it's crazy that no one noticed. I can't imagine this not being overhauled going forward. It's just a bad way to operate and now it's news.

I think that's how the Android notification history works. If I uninstall an app, the entries in the history aren't shown anymore. You also have to opt in to notification history and toggling it off and back on clears the old entries. There's also a time window that it keeps entries for: https://source.android.com/docs/core/display/notification-hi...

If it never hits flash that might work, but if it's in flash storage then the block may not be erased by the time its dumped.

I'm not sure precisely how the NAND controller responds to requests for raw data from blocks with "deleted" data. And if this would require decapping the flash.

Some flash will happily let you see the data and delay erasing it.

Generally flash is non deterministic about when blocks even those with entirely stale data are erased . It might be years before the block is reused due to wear leveling algorithms and it might retain data that entire time.

Here's hoping the controller for phones which hold sensitive data are more active

If the "database" works like most other databases (eg. postgres or sqlite), deleting a row doesn't immediately cause the data to be wiped from disk, for performance reasons. Then as others mentioned you have filesystem/SSD logic that does something similar on top of that.

Signal creates the notification, does it not? That's like claiming `echo "my_private_data" | notify-send` is insecure.

If piping encrypted content resulted in a plaintext notification then you'd have a right to be concerned.

AIUI, Signal push notifications just saying a message was received. Signal then fetches the E2E encrypted message from the server and decrypts it locally. So Apple/Google cannot read the messages, nor can Signal servers.

If the notification has the data, then yes. It's trivial to create an app that listens to notifications; Samsung even has one themselves called NotiStar that replicates the notification history feature that Android normally has.

I've never seen this happen, maybe you're seeing the "Fetching messages" notification that sometimes pops up for a second?

iOS stores the previously displayed notifications in an internal database, which was used to access the data. It’s outside of Signal’s control, they recommend disabling showing notification content in their settings to prevent this attack vector

You can choose what to show in the notification and there is an option to include the message, so I'm guessing that allowed some unencrypted incoming messages to be read.

This kind of vulnerability is not tied to Signal but all apps which send notification.

They are;

“Messages were recovered from Sharp’s phone through Apple’s internal notification storage—Signal had been removed, but incoming notifications were preserved in internal memory. Only incoming messages were captured (no outgoing).”

ie the messages recovered were 1. incoming 2. stored by the OS after decryption

i also was spooked by the headline :p

What did you use?

The opposite, actually. Signal endlessly nags you to turn on notifications, and when you turn them on, previews and content are shown by default. You cannot opt out of the nags.

Younger people have largely abandonded even physical contact and talk, they ain't going back nowhere.

Probably, but these are people who are being charged for political "crimes" brought mostly because the government doesn't think people have a right to protest. While it's unsurprising that the citizen who discharged their weapon was tried for this, most of the other folks were just doing run-of-the-mill protest stuff.

I also get that in Texas they are fine "criminalizing" protesting, but that's just part of its hyper-authoritarian "charm", and a lot of us don't think that protesting in itself should be criminal.

I think you're on the wrong thread?

What a goofy comment.

The article you're commenting on is about people who obviously would have wanted this disabled, but didn't have it disabled, presumably because they didn't know about this issue.

Victim blaming?

It sounds like they were considering liberating the ICE concentration camp. If you go down that route, you need to be ready for the terrorism charges. They brought rifles and one of them allegedly shot at a cop.

Personally, it's a moral good to free people from a concentration camp, even if it requires violence to do so. However it's also obvious that when you oppose a State, you get hit with terrorism charges. ...unless you're a jan6er, of course.

This feels like it would run against the “I bought my device, I should control how it behaves” line of thinking.

Right. It's purely a protection against MitM snooping. The app has to have the messages in plaintext to display to you via whatever mechanism the OS uses. Seems obvious, but also not, at the same time.

I've found other ways Signal can leak information, even with disappearing messages. It's not the total install-and-be-done privacy screen that some people think it is, and requires a little effort at the user end to fill in a few gaps.

Signal does not send any sensitive information in push notifications sent via APNs [0]. This story concerns the local OS cache of push notifications, which are triggered after E2E decryption has occurred.

[0] https://mastodon.world/@Mer__edith/111563865413484025

The "e" in e2e encryption is a computing device, not the device's user's brain.

In the Signal app itself there's an option to hide the message body or both the sender and body, that way the OS wont have anything to store in the history.

Good. The moment they add it, all kinds of apps will start to abuse it, for "sekhurity" (read: engagement) reasons. See e.g. all the apps that now disallow taking screenshots, for no legitimate reason.

Personally I'd be in favor of a hard app store policy, that if an app notifies you about something, all the importantdetails (like full message text) must be included - specifically to allow the user to view the important information without having to open the app itself.

Prove it.