Discussion: Privacy of app notifications sent through Apple/Google servers?

I recently came across a Reddit post that claimed all HA notifications to the mobile apps are delivered unencrypted via Google Firebase servers. I’m not sure if Firebase is used for iOS, or just Android, but either way, they are traversing through third-party infrastructure.

In 2023, US Sen. Ron Wyden exposed a tip he received regarding the government tapping into app push-notification data, and compelling the tech companies to keep it secret:

https://www.reuters.com/technology/cybersecurity/governments-spying-apple-google-users-through-push-notifications-us-senator-2023-12-06/

Apps of all kinds rely on push notifications to alert smartphone users to incoming messages, breaking news, and other updates. These are the audible “dings” or visual indicators users get when they receive an email or their sports team wins a game. What users often do not realize is that almost all such notifications travel over Google and Apple’s servers.

That gives the two companies unique insight into the traffic flowing from those apps to their users, and in turn puts them “in a unique position to facilitate government surveillance of how users are using particular apps,” Wyden said. He asked the Department of Justice to “repeal or modify any policies” that hindered public discussions of push notification spying. In a statement, Apple said that Wyden’s letter gave them the opening they needed to share more details with the public about how governments monitored push notifications.

“In this case, the federal government prohibited us from sharing any information,” the company said in a statement. “Now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”

Google said that it shared Wyden’s “commitment to keeping users informed about these requests.” The Department of Justice declined to comment on the push notification surveillance or whether it had prevented Apple or Google from talking about it.

So the question is: are the notifications sent between HA and the mobile app built in a way that the message payload is encrypted, or is it sent in a way that can be monitored, either for corporate data-mining, or for government surveillance?

I’ve read that privacy-focused apps like Signal only send a generic notification ping through the cloud infrastructure that a new notification is pending, and then the client app wakes up to retrieve the encrypted data and assemble the real notification.

I’ve read of other techniques to encrypt the data portion of the notification which is then deciphered on the client device.

So how is this process currently handled by Home Assistant? Should we be concerned about the content of our notifications and who might be intercepting them? Thanks


That is. Disturbing.

So reading the page you posted, I’m a bit confused about what is actually happening.

No notification content is stored on remote servers. Only the required push registration data and a simple counter of the total number of push notifications sent per day per device (for rate-limiting purposes) is kept.

All traffic between your Home Assistant instance, the push infrastructure and your device’s operating system is encrypted with SSL. The contents of the notifications are not encrypted on the Firebase cloud messaging service, thus could be processed by Google.

So nothing is stored…everything is encrypted…but the contents of the notifications are not encrypted and can be processed by Google?

Can anyone eli5 what this all means? What unencrypted content is available for Google to see? If I make a notification that says “Someone is at the front door,” is that content visible to Google, and by extension, the US federal government?
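
The two delivery designs discussed in this thread, as an added example that is not part of the original posts and is not Home Assistant's code: a constructed in-memory model in which a third-party relay records everything it can read, first when the notification text is the push payload, then when only the content-free wake-up ping described in the first post is sent. All class and function names are hypothetical, and the direct device-to-server fetch is an assumption.

```python
import secrets

class Relay:  # stand-in for a third-party push service (hypothetical, in-memory)
    def __init__(self):
        self.seen = []      # everything the relay operator could log or hand over
        self.devices = {}   # push token -> device
    def register(self, device):
        token = secrets.token_hex(8)
        self.devices[token] = device
        return token
    def push(self, token, payload):
        self.seen.append({"token": token, "payload": dict(payload)})
        self.devices[token].on_push(payload)

class HomeServer:  # hypothetical self-hosted server that originates notifications
    def __init__(self, relay):
        self.relay = relay
        self.pending = {}   # device name -> texts waiting to be fetched
    def notify_inline(self, device, text):
        # Design A: the text itself is the payload handed to the relay.
        self.relay.push(device.token, {"message": text})
    def notify_ping(self, device, text):
        # Design B: the text stays here; the relay carries a content-free wake-up.
        self.pending.setdefault(device.name, []).append(text)
        self.relay.push(device.token, {"wake": True})
    def fetch(self, name):
        # Assumption: the device connects directly (authenticated TLS), not via the relay.
        return self.pending.pop(name, [])

class Device:  # hypothetical phone app
    def __init__(self, name, relay, server):
        self.name, self.server, self.shown = name, server, []
        self.token = relay.register(self)
    def on_push(self, payload):
        if payload.get("wake"):
            self.shown.extend(self.server.fetch(self.name))
        else:
            self.shown.append(payload["message"])

def relay_view(design, text="Someone is at the front door"):
    # Send one constructed notification; return (relay log, what the phone displayed).
    relay = Relay()
    server = HomeServer(relay)
    phone = Device("phone", relay, server)
    getattr(server, design)(phone, text)
    return relay.seen, phone.shown
```

In both designs the relay still records the device token and the fact that a push happened; the ping design withholds only the text.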