I just started my de-googling journey recently, and so the mechanics of notifications were still unclear to me, and I found this video super helpful.

It explains how most mobile messaging apps (including privacy-focused ones like Signal) rely on Google and Apple’s centralized servers to deliver push notifications, which exposes vast amounts of user metadata.

Here’s the YT link, for people who prefer it: https://youtu.be/c3ennD3wKn0

  • Aporia@lemmy.ml
    4 hours ago

    From what I recall, Google would be able to see our device received a notification and when but not the actual message nor sender/recipient identity.

    I think that’s fine for my threat model.

    Molly seems like a potential alternative though, since it's a Signal fork and supports UnifiedPush, so you can choose a different notification supplier like ntfy or sunup.

  • csolisr@hub.azkware.net
    14 hours ago

    This is the reason why I went out of my way to use Molly (a fork of Signal), since it supports delivering the push notifications through a self-hosted server instead. Unfortunately the process is complex: it requires both a method to deliver the notifications to your phone via UnifiedPush (an alternative to Google’s push system that generally suffices on its own) and a compatibility service called MollySocket (that bridges Signal’s notifications with the UnifiedPush provider). Both typically need a self-hosted server and specific configuration to talk to each other though. And I don’t even have any contacts that use Signal anymore, so, well…!

    • Redjard@reddthat.com
      13 hours ago

      You can use push providers if you trust them. For example, Mozilla hosts one.

      The MollySocket service also does not need and does not have decryption keys, only keys to request encrypted messages from Signal servers. Still not something I would want to run on someone else's server without serious privacy considerations.

  • non_burglar@lemmy.world
    13 hours ago

    That is correct.

    However, this is a quasi-monopoly by Google having quietly overwhelmed the space. Same thing for RCS messaging.

    Neither push notifications nor RCS are proprietary, so there is a possibility to tear oneself from Google here.

    For instance, there are several free and paid push notification services. Pushbullet is a popular paid one, not too expensive. I personally use https://ntfy.sh/, which can be self-hosted.

    RCS is different because trusting the encryption keys makes RCS work, so there would have to be a critical mass of buy-in to use an alternative to Google's RCS implementation.

    • Voxel@feddit.uk
      12 hours ago

      RCS is off-topic.

      Regarding Push, there is UnifiedPush, which has already seen wide adoption, e.g. Matrix. That's also the one used by ntfy. It's free and open source and can be used by anyone.

      • non_burglar@lemmy.world
        10 hours ago

        > RCS is off-topic.

        Disagree, it serves to illustrate the same kind of monopoly Google has on push notifications.

        UnifiedPush is not a push service, it is a distributor. It is a proxy for push services, it does not send out its own notifications.

        Also, ntfy does not need to use UnifiedPush, it simply makes PUT or POST notifications, like it does in the self-hosted version. The public instance of ntfy does use UnifiedPush, yes. For instance, I do not want my HTTP push notifications flying around in plain text with notifications about my private services being up or down, so I don't use one. I arrange the connectivity to my applications myself.

        Here again, Google has done us all a disservice by obscuring the difference.
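Added example, not part of any comment in this thread: one way to publish an up/down alert to a self-hosted ntfy instance by HTTP POST without the service name travelling in plain text. The host, topic, token and key are placeholders, and the keyed alias is an illustrative technique chosen here, not something the commenter describes.

```python
import hashlib
import hmac
import urllib.request
from urllib.parse import urlsplit

# Assumptions, not from the thread: every value below is a placeholder.
NTFY_BASE = "https://ntfy.example.internal"  # hypothetical self-hosted instance
TOPIC = "svc-alerts-7f3c"                     # constructed topic name
TOKEN = "tk_PLACEHOLDER"                      # placeholder ntfy access token
ALIAS_KEY = b"constructed-demo-key"           # known only to your own devices


def opaque_alias(service_name: str) -> str:
    """Keyed alias so neither the wire nor the relay carries the real name."""
    mac = hmac.new(ALIAS_KEY, service_name.encode(), hashlib.sha256)
    return mac.hexdigest()[:12]


def build_publish_request(base, topic, token, service_name, is_up):
    """Build (but do not send) an ntfy publish request with a minimal body."""
    if urlsplit(base).scheme != "https":
        raise ValueError("refusing to publish over plaintext HTTP")
    state = "up" if is_up else "down"
    body = f"{opaque_alias(service_name)} {state}"
    return urllib.request.Request(
        url=f"{base.rstrip('/')}/{topic}",
        data=body.encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Priority": "default" if is_up else "high",
        },
    )


def publish(req, timeout=10):
    """Send the prepared request; returns the HTTP status code."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status
```

The receiving device maps the alias back to a name locally with the same key, so an observer of the topic learns only that some service changed state and when.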

        • Voxel@feddit.uk
          10 hours ago

          I’m tired of having to correct people, but I will do it anyway.

          > Disagree, it serves to illustrate the same kind of monopoly google has on push notifications.

          This is wrong. If you look up the definition for monopoly, you will realize it is false. At worst, it's a duopoly. If we exclude Huawei Push, etc.

          > UnifiedPush is not a push service, it is a distributor. It is a proxy for push services, it does not send out its own notifications.

          That is also wrong. Idk how you got the idea of it being a “proxy”.

          “UnifiedPush is a decentralized push notification system that lets you choose the service you want to use. It’s designed to be privacy-friendly, flexible, and open — making it perfect if you want control over your push notifications.”

          https://unifiedpush.org/