Recently, a new type of surveillance of smartphone users has become known: through push notifications in iOS and Android. The Washington Post newspaper wrote, in particular, that the FBI has begun to use this tactic (article cache).
It is quite interesting how this tracking method works.
According to the investigation, in order to identify users, the FBI requests push notification data, so-called “push tokens”, from Apple and Google. This data can be requested without a warrant. With the help of push tokens, it is possible to identify a specific smartphone, and then request data about its owner from the company.
The intelligence agencies have reportedly been using this method since at least 2019. At that time, Apple and Google received court orders to hand over information about accounts identified by push tokens and associated with alleged supporters of an Islamic terrorist group.
But the general public only learned about this practice in December 2023. Then, during the investigation, it turned out that the Justice Department had banned Apple and Google from discussing this technique, apparently because it is used in operational work. Therefore, technical comments should not be expected from these companies.
Push tokens
Unlike regular notifications, push notifications can wake up the phone and turn on the screen, making them useful for urgent calls in everyday use. Many apps offer this feature because it is a convenient way to stay “in the know” even when the screen is off. But it turns out that this feature threatens privacy and can be used to de-anonymize the user.
To send a push notification, the operating system requires the application to first create a token by which Apple and Google can find the device. These “push tokens” are then stored on Apple and Google servers.
But since the push token uniquely identifies the device, intelligence services can also use it to find out the user's account and gain access to their confidential information.
On iOS, a push notification can be sent (and a push token created) without the user noticing it by using the com.apple.developer.usernotifications.filtering entitlement.
According to the official documentation, to hide a notification, an empty UNNotificationContent object is created inside the didReceive(_:withContentHandler:) method of our extension and passed to the content handler. The content should not have a title, subtitle, body, attachments, or sound. Example:

Code:
import UserNotifications

// Notification service extension: iOS calls didReceive before it displays a remote notification.
class NotificationService: UNNotificationServiceExtension {
    override func didReceive(_ request: UNNotificationRequest,
                             withContentHandler contentHandler: @escaping (UNNotificationContent) -> Void) {
        // Determine whether you should suppress the notification.
        // myShouldSuppressNotification(request:) is an app-defined helper, not a system API.
        let suppress = myShouldSuppressNotification(request: request)
        if suppress {
            // Don't deliver the notification to the user.
            contentHandler(UNNotificationContent())
        } else {
            // Deliver the notification.
            guard let updatedContent = request.content.mutableCopy() as? UNMutableNotificationContent else {
                // This error should never occur.
                fatalError("Unable to create a mutable copy of the content")
            }
            // Update the notification's content, such as decrypting the body, here.
            contentHandler(updatedContent)
        }
    }
}
To hide a remotely sent notification, the header field apns-push-type must be set to alert when the notification is sent to the APNs server. This way, the victim will not see the push notification and will not suspect that an investigation has been launched against them.
Apple's official documentation provides an example of how to send push notifications to all users who have crossed a physical border (see UNLocationNotificationTrigger), for example, inside a disaster zone. Logically, one can assume that Apple has information about all devices in a certain area. Accordingly, this information can also be obtained by law enforcement agencies, say, to compile a list of all participants in a mass event.
However, to compile such a list, you can also use a simpler method such as a regular fake base station (StingRay), which will register all mobile phones within its range.

Console for StingRay manufactured by Harris Corporation, source
Risks of using new technology
The article describes the use of push tokens by the FBI against various terrorists and people who have committed serious crimes. At the moment, more than 130 cases of push tokens being used with subsequent requests for personal information from Apple, Google, Facebook and other tech companies have been detected. It would seem that this is not so many. “But we all know how this ends,” writes the famous security expert Bruce Schneier.
“This is how every new surveillance method begins. The government says that it will only be used in the most extreme cases, and everyone supports it,” says Cooper Quintin, a technology expert from the Electronic Frontier Foundation.
But sooner or later, the scope of the technology will expand. This can happen in different ways. Maybe one day the state attorney general decides to use it for a wider range of criminals.
Even if you completely trust the government and intelligence agencies in the use of a certain technology at the moment, you never know what a new administration will do with it in a year or several years.
Therefore, whenever any new surveillance technology emerges, it is always reasonable to assume that it can and will be used in less than ethical ways, including against law-abiding citizens.
Source
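An added example (not part of the original post and not Apple's code): a defender-side audit that reads app entitlement plists and reports which apps can register for remote push and which also hold the com.apple.developer.usernotifications.filtering entitlement described above. The bundle names and sample plists are constructed, and `aps-environment` is the standard push entitlement key, which the post does not name.

```python
import plistlib

# Key named in the post: lets a notification service extension suppress alerts.
FILTERING = "com.apple.developer.usernotifications.filtering"
# Standard entitlement required to register for remote push (not named in the post).
APS_ENV = "aps-environment"


def classify(plist_bytes):
    """Return the notification-related capabilities declared in one entitlements plist."""
    try:
        ent = plistlib.loads(plist_bytes)
    except Exception:  # truncated, malformed or non-plist input
        return ["unreadable"]
    if not isinstance(ent, dict):
        return ["unreadable"]
    flags = []
    # The filtering entitlement is a Boolean; only an explicit true grants it.
    if ent.get(FILTERING) is True:
        flags.append("filtering")
    # A development or production value means the app can obtain a push token.
    if ent.get(APS_ENV) in ("development", "production"):
        flags.append("push")
    return flags


def audit(apps):
    """Map each bundle name to its declared notification capabilities."""
    return {name: classify(data) for name, data in apps.items()}


def silent_capable(apps):
    """Bundles that can both receive remote pushes and hide them from the user."""
    return sorted(n for n, f in audit(apps).items() if {"push", "filtering"} <= set(f))


# Constructed sample entitlements, as they would be extracted from app signatures.
SAMPLES = {
    "chat.example": plistlib.dumps({APS_ENV: "production", FILTERING: True}),
    "notes.example": plistlib.dumps({APS_ENV: "production"}),
    "calc.example": plistlib.dumps({}),
    "broken.example": b"not a plist",
}

if __name__ == "__main__":
    for name, flags in audit(SAMPLES).items():
        print(f"{name:16} {', '.join(flags) or 'no notification entitlements'}")
    print("can suppress remote notifications:", silent_capable(SAMPLES))
```
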