"FBI Extracts Suspect's Deleted Signal Messages..."

Does this concern any of you, or does it sound overblown? It sure caught my attention, and if true, I would guess it’s got Apple scrambling to fix it! Definitely a bit of egg on the face for a company so focused on privacy and security.

1 Like

Depends on how they got into the phone. If they cracked the iPhone, then yes, it’s a concern. If they had the password (or used facial ID) then the push notification database issue seems much less concerning. Once the FBI is in the house (so to speak) there’s only so much that Apple can do. They should still change it, of course.

1 Like

I can’t read the whole article (no subscription) but the excerpt says the device was in possession of the FBI. So this is a level of access and expertise that doesn’t throw much shade on Apple. Signal, on the other hand, might need to rethink how they handle notifications.

1 Like

The article is available via Apple News+ (maybe even without the subscription).

The issue may also involve the level of preview allowed when the phone was locked. In the Notification settings, you can set whether the full notification is shown, only basic information is shown, or nothing is shown.

Note: Many providers allow access to many of their articles through Apple News. When I’m locked out of the referenced URL via a paywall, I’ve had great success opening the Apple News version via the News item in the Safari Share Sheet. I do subscribe to Apple News+.

1 Like

The “fix” that makes the most sense is to just set the preference on Signal to not display notifications, or not display content and metadata in notifications.

If you think about it, it kind of defeats the purpose of a secure messenger if you turn around and tell it “yeah, keep everything secure and encrypted but also share all my messages with a notification provider that possibly even shows that information on a locked device.” (From what I’ve observed in the wild, many people apparently have their devices set to show notifications even when locked.)

What should probably change is that Signal should default to not putting any metadata or content into the notifications. Changing from that default should then prompt a warning.

I’m not sure what kind of fix Apple could provide. Even if they put end-to-end encryption on the notification service, and extended it to the database of stored notifications, the device would still have to have the decryption key. There is some evidence that Apple might be storing more information than they have to for longer than they have to, but I think you’ve already given away the game when you’ve decided to route all your messages through Apple in plaintext.

Bottom line is that secure messaging and plaintext notifications just don’t mix.

4 Likes

In this particular case, deleting any unread notifications from the notification database, plus maybe any references to the app in logs, when the app is deleted from the device would have been a smart policy. That’s probably the one thing Apple could do.

Users who worry about forensic examination of their phones should just turn off notifications altogether and just periodically check for new messages. But that’s not anything Apple could fix.

1 Like

In this particular case, deleting any unread notifications from the notification database, plus maybe any references to the app in logs, when the app is deleted from the device would have been a smart policy. That’s probably the one thing Apple could do.

That was the big red flag to me. Why on earth wouldn’t it already be standard procedure to delete any data related to an app when it’s deleted??

Because someone didn’t think it through all the various spots data might be cached and left this particular spot vulnerable? Or vulnerable after someone has gotten physical possession of the phone and broken through the passcode. So, yes, fix it, but no, I’m not calling this an “embarrassment” for Apple.

1 Like

Because such a thing is far from trivial. That would mean scouring all the logs, and modifying old log entries is kind of antithetical to the concept of logging. It would mean searching and scrubbing all filesystem snapshots and, again, snapshots are made for a reason and deleting/modifying them could easily have far-reaching consequences. Getting rid of filesystem cruft is also a lot harder than just zeroing free space, and we don’t even do that because it has implications for the life of the storage media and performance impacts. There can be traces of application data left in swap files and system data structures. There are manifests to keep track of what software was installed and removed, and when. Scrubbing those would likely break other things.

Of course, just because it can’t be done perfectly isn’t an excuse to not even try but, seriously…

If you want to stay private, don’t use notifications. And never send something to someone under the assumption that a “disappearing message” feature will have your back.

4 Likes

Okay, point taken, especially about realizing that notifications are (or can be) a privacy-defeating feature. That said, I still think it’s surprising that any app-specific notifications would remain in a database somewhere even after that app is deleted.

And I’m not calling this an ‘embarrassment’ for Apple either, but for a company that endlessly touts itself as the most privacy-focused tech giant, it’s definitely surprising.

There’s a difference between protecting users against malicious/spying web sites and protecting a device against forensic analysis by a government agency.

Also note that Apple routinely complies with requests from law enforcement agencies. They can’t (by design) bypass a device’s passcode or end-to-end encryption, but they have not refused legitimate law enforcement requests that are within the company’s power to comply with (e.g., providing data stored in iCloud).

As for “most” privacy-focused, do you think Google would be any better?

1 Like

The reason they’re the most privacy-focused tech giant is not that, unsurprisingly, they sometimes have security issues, but that they aim to fix them. Unlike, eg, Google, Meta, etc., I trust that Apple will work very hard to close this.

3 Likes

As for “most” privacy-focused, do you think Google would be any better?

That was my point; of course not. Google is the least privacy-focused, by far. Apple is virtually alone in this regard, which is why I was so surprised to hear this.

Maybe, though I can imagine scenarios where you might want to keep logs and other information even after deleting the app that triggered the entries, especially for businesses and other organizations, but also for personal use, too.

Probably the “correct” thing would be to improve the alert that occurs when deleting an app to clarify what is kept and what isn’t, perhaps with an option to delete data within logs and various databases. That can be problematic in some organizations, though, and it might not be as simple to do technically as it seems at first glance.

By the way, lurking in the background is the question of backups and data retention. Even if you don’t have a legal/regulatory requirement to keep logs and other data, you may have all sorts of sensitive information stored in backups long after you deleted the original data. Of course, that’s one reason to use strong encryption on your backups.

1 Like