I am a firm believer that there are many privacy techniques you should focus on before encrypted messaging because they will offer you much more “bang for your buck,” things like good passwords, two-factor authentication, and even encrypted email. That said, I still believe that encrypted messaging is a critical part of a well-rounded privacy and security strategy. While the vast majority of our day-to-day conversations may be benign, they can still offer a lot of insight into who we are as people – our routines, likes, and personal thoughts. This information – mundane or not – is worth protecting.

  • kitnaht@lemmy.world · ↑ 53 · 3 months ago

    Another basic thing – If your messenger is throwing your messages in a notification, it’s being logged. Google was found to be logging almost all notification content. Make sure your message app isn’t putting the content of messages into notifications.

    • GustavoFring@lemmy.world · ↑ 21 · 3 months ago

      If the app implements their own notification system and doesn’t rely on GCM then Google isn’t able to log them as far as I know.

      • xh3ynd@fedia.io · ↑ 10 · 3 months ago

        UnifiedPush instead of their own implementation would be better for power consumption ig.

        Overall a choice between which notifier you want to choose would be nice.

        Between the app’s own notifier and UnifiedPush (also has a fallback to GCM if wanted)

        • JustMarkov@lemmy.ml · ↑ 18 · 3 months ago

          I can throw a few examples:

          • SimpleX
          • Threema Libre
          • Briar (afaik)
          • Conversations (XMPP client)
          • FluffyChat (matrix client), probably some others too
          • Telegram FOSS (Telegram fork), Mercurygram (Telegram FOSS fork)
          • Molly (Signal fork)
          • Session F-Droid (Session fork)

          So, the answer is — almost every one of them.

          • BrikoX@lemmy.zip (OP) · ↑ 9 · 3 months ago

            Element X (Matrix client). Basically anything that offers F-Droid or open source release will have builds without built-in notifications. Play Store/App Store builds require using native notification systems.

            • Possibly linux@lemmy.zip · ↑ 14 · 3 months ago

              Signal has a ton of dependence on proprietary software. You won’t find Signal on F-Droid.

              Best option is Molly foss

              • Possibly linux@lemmy.zip · ↑ 3 · 3 months ago

                I just run it in the background. It pulls almost no battery so it is a non issue.

                Also getting it to work with UnifiedPush requires extra effort.

                • chevy9294@monero.town · ↑ 1 · 3 months ago

                  I would do the same but it uses too much battery for me so I had to figure out how to self-host ntfy and mollysocket.

                • JustMarkov@lemmy.ml · ↑ 1 · 3 months ago

                  Yeah, configuring a mollysocket requires at least a little self-hosting knowledge.

    • Possibly linux@lemmy.zip · ↑ 8 · 3 months ago

      Unless you don’t have Google or Apple services.

      Also I don’t think they log the normal Android notification mechanism. (Not push)

      • kitnaht@lemmy.world · ↑ 1 · 3 months ago

        Yeah, if it’s a local notification, they’re not logging that – so far as I’m aware at this point in time.

    • 🏝Skoob🏝@sh.itjust.works · ↑ 8 · 3 months ago

      Now this is why I read comments. You’re absolutely right and I knew this info and just hadn’t put the two together. Thank you. Settings changed.

    • MigratingtoLemmy@lemmy.world · ↑ 3 · 3 months ago

      That’s if they use Google’s push notification backend on Firebase. FOSS apps from F-Droid usually don’t.

      TL;DR install F-Droid damnit

    • /home/pineapplelover@lemm.ee · ↑ 2 · 3 months ago

      Molly uses UnifiedPush, so definitely try that. Also, Google may log notifications but they can’t read the messages iirc. Maybe they get some metadata idk.

    • communism@lemmy.ml · ↑ 1 · 3 months ago

      You can also just use a degoogled OS which won’t be logging your notification content. But in any case you shouldn’t have notifications as notifications are exclusive with at-rest encryption (or I guess you could have at-rest encryption but just have the db constantly decrypted whenever your phone is on? Seems to defeat the point then)

        • JustMarkov@lemmy.ml · ↑ 8 · 3 months ago

          Which DeGoogled OS do you know of that uses their own notification backend?

          You don’t need one. Just use any degoogled ROM with UnifiedPush, as almost every secure messenger supports it. If not, notifications can still show up via websocket.

        • communism@lemmy.ml · ↑ 4 · 3 months ago

          Presumably any degoogled OS would remove that kind of telemetry—it seems like quite an obvious oversight if they continue to send notification contents to Google’s servers? If the suggestion is that it’s through a backdoor, then that’s the responsibility of the open source community to spot the backdoor in the AOSP.

    • pathief@lemmy.world · ↑ 1 · 3 months ago

      If I remember correctly, it depends on the notification strategy. If your service is throwing the entire message into the Google Play Services, that’s gonna get logged.

      But you can just send a “wake up” message to your app, which then contacts the server privately to see what’s up. I believe this is what Signal does.

      There’s no perfect solution, if every app installed their own notification service your battery would die. There are custom, more private, play services out there but let’s face it… the vast vast majority of users never even heard of them.
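
The two notification strategies described in the comment above, simulated side by side to show what a third-party push service is in a position to log. This is an added example, not part of the thread and not any messenger's real code; `PushRelay`, `ChatServer`, `Device`, the payload shapes and all sample values are hypothetical and constructed for illustration.

```python
import json

SECRET = "meet at 6, usual place"   # constructed sample message

class PushRelay:
    """Stand-in for a third-party push service; it can log all it transports."""
    def __init__(self):
        self.log, self.devices = [], {}

    def register(self, token, device):
        self.devices[token] = device

    def send(self, token, payload):
        self.log.append(json.dumps(payload, sort_keys=True))
        self.devices[token].on_push(payload)

class ChatServer:
    def __init__(self, relay):
        self.relay, self.mailbox = relay, {}

    def deliver_with_content(self, token, sender, text):
        # Strategy 1: the message itself rides inside the push payload.
        self.relay.send(token, {"notification": {"title": sender, "body": text}})

    def deliver_with_wakeup(self, token, sender, text):
        # Strategy 2: keep the message server-side, push only a content-free ping.
        self.mailbox.setdefault(token, []).append((sender, text))
        self.relay.send(token, {"data": {"wake": "1"}})

    def fetch(self, token):
        # Models the app's own (encrypted) connection, which bypasses the relay.
        return self.mailbox.pop(token, [])

class Device:
    def __init__(self, token, server):
        self.token, self.server, self.shown = token, server, []

    def on_push(self, payload):
        if "notification" in payload:
            n = payload["notification"]
            self.shown.append((n["title"], n["body"]))
        else:  # wake-up: pull the message directly, then notify locally
            self.shown.extend(self.server.fetch(self.token))

def run(strategy):
    """Return (what the user sees, whether the relay's log contains the text)."""
    relay = PushRelay()
    server = ChatServer(relay)
    device = Device("tok-constructed", server)
    relay.register(device.token, device)
    getattr(server, strategy)(device.token, "alice", SECRET)
    return device.shown, any(SECRET in entry for entry in relay.log)

if __name__ == "__main__":
    for name in ("deliver_with_content", "deliver_with_wakeup"):
        print(name, run(name))
```

In both runs the user sees the same notification; only in the first does the relay's log hold the sender and text. The wake-up still reveals to the relay that, and when, a message arrived.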

    • chevy9294@monero.town · ↑ 1 · 3 months ago

      Or you can uninstall/disable Google services and install something like ntfy. Molly-UP (Signal fork) supports that.

    • themadcodger@kbin.earth · ↑ 0 · 3 months ago

      Do they also log everything that comes through a private ntfy server? Or just what goes through their notifications?

      • kitnaht@lemmy.world · ↑ 2 · 3 months ago

        NTFY uses the same mechanic that they do for push notifications; it keeps an open socket and then just communicates across the socket. So they shouldn’t be keeping track of that, so far as I understand the AOSP codebase.