I just started my de-googling journey recently, and so the mechanics of notifications were still unclear to me, and I found this video super helpful.

It explains how most mobile messaging apps (including privacy-focused ones like Signal) rely on Google and Apple’s centralized servers to deliver push notifications, which exposes vast amounts of user metadata.

Here’s the YT link, for people who prefer it: https://youtu.be/c3ennD3wKn0

  • csolisr@hub.azkware.net
    link
    fedilink
    arrow-up
    17
    ·
    29 days ago

    This is the reason why I went out of my way to use Molly (a fork of Signal), since it supports delivering the push notifications through a self-hosted server instead. Unfortunately the process is complex: it requires both a method to deliver the notifications to your phone via UnifiedPush (an alternative to Google’s push system that generally suffices on its own) and a compatibility service called MollySocket (that bridges Signal’s notifications with the UnifiedPush provider). Both typically need a self-hosted server and specific configuration to talk to each other though. And I don’t even have any contacts that use Signal anymore, so, well…!

  • Aporia@lemmy.ml
    link
    fedilink
    arrow-up
    6
    ·
    29 days ago

    From what I recall, Google would be able to see our device received a notification and when but not the actual message nor sender/recipient identity.

    I think that’s fine for my threat model.

    Molly seems like a potential alternative though since its a signal fork and supports UnifiedPush so you can choose a different notification supplier like ntfy or sunup