Wyden: Foreign Government Surveillance Takes Place Via Push Notifications

Senator Ron Wyden, one of the leading figures in the US government pushing for data privacy and security laws in the past several years, has written a letter to the Justice Department warning that foreign government surveillance of US citizens may routinely take place via push notifications on both Apple and Google devices.

Wyden says that he is acting on a tip received by his office last year indicating that both Apple and Google are complying with foreign government requests for data from push notifications. These are the notifications that appear on the lock screen when a device is idle, such as those for app updates or incoming email. With both of the “big two” mobile operating systems, these involve a “push token” being sent to the device that can collect potentially useful intelligence on the device owner.

Google, Apple potentially facilitating government surveillance via push data requests

Wyden says that foreign governments are able to demand records of push notifications from both Apple and Google, given somewhat vague language from the OS giants about how they protect and handle this particular type of information. In terms of utility for government surveillance, push notifications can gather up a number of useful bits of intelligence from metadata: apps that the user has installed, the Google or Apple account they use with the phone, and potentially even the text displayed in the notification (if it is not encrypted).

This data is logged by Google and Apple’s servers, and Wyden asserts the government surveillance aspect comes in when foreign governments demand this metadata from the tech giants. This can apparently happen in secret, unlike other types of information requests by governments that are disclosed to the public as part of either regulatory requirements or voluntary transparency efforts.

Wyden is asking the Justice Department to allow the OS manufacturers to disclose when they are compelled to cooperate in this way, to have them publish aggregate statistics to help determine when government surveillance may be taking place, and to notify specific customers when data from their push notifications is accessed (unless legally bound by a court order).

The senator did not specify which foreign nations might be engaging in this sort of government surveillance, or who they might be targeting. There are indications that the primary interest is in unmasking “pseudonymous” users of Apple and Google accounts, however, something that would be in line with documented surveillance of journalists and human rights workers by certain governments.

Push notifications an overlooked source of spy data

In addition to identifying account holders, governments may be vacuuming up this available data as part of ongoing “collect now hack later” efforts. The governments could receive encrypted text from push notifications with the intention of cracking it with developments in quantum computing expected in the next decade or so. In some cases these notifications could contain small portions of emails or text messages that contain personally identifiable information.

Apple has already responded to the letter by promising to add requests for push notifications to its regular transparency reports, starting with the next one issued, but also said that federal government regulations limit what it can share with the public. Google has not made any specific commitments, but issued a response saying that it shares the Senator’s commitment to keeping users informed about these requests and that its existing transparency reports have included requests for push notification records as part of aggregate published numbers.

Though Wyden’s focus appears to be primarily on foreign government surveillance, much of this information about push notifications comes from a recent search warrant filed in California. An FBI special agent requested metadata of this type from several Google accounts in connection with an NFT wire fraud and money laundering case involving a Baltimore outfit called “Baller Ape Club” that allegedly perpetrated a rug pull scam in 2021.

The letter notes that Google and Apple are in the unique position of running “digital post offices” that process all of these push notifications, specifically the Apple Push Notification Service and Google’s Firebase Cloud Messaging for Android devices. With these being the only two realistic options for mobile phone operating systems, app developers essentially cannot avoid having push notifications pass through these outlets that are subject to government surveillance.

Concerns about push notifications are not limited to government surveillance, however. They have been a popular component of “malvertising” campaigns for years now, generally bundled with lookalike copies of popular apps that slip through app store defenses. Once installed, these bogus apps flood users with push notification ads to the point that they can overwhelm basic phone functions.

James McQuiggan, security awareness advocate at KnowBe4, notes that push notifications can also be used for more direct hacking attempts: “Cybercriminals continue to use phishing attacks with the added feature of utilizing push notifications. The cybercriminals have increased the attack vector and scale. It’s been uncovered they are using push notifications to millions of Apple and Google phone users, making it one of the most significant phishing attacks we’ve seen in recent years.

“Some considerations to protect against these types of attacks are to be cautious of push notifications, only download apps from trusted sources, and keep mobile devices and computers up to date to reduce the risk of a more significant breach. Avoid push notifications that ask you to click on links or download attachments. If a notification appears to come from a bank or retailer that is not recognizable, there is a likelihood it’s a phishing attempt. Only download apps from trusted sources, such as the App Store or Google Play, as this will reduce the risk that the apps could be malicious. Keep your operating system and apps up to date and patch any known vulnerabilities that cybercriminals could exploit. It’s always better to be safe than sorry, so have a healthy skepticism when receiving push notifications on smartphones or internet browsers,” advised McQuiggan.