Let me get this straight...
-
@Beachbum @wdormann if you do not want to be tracked/traced/placed, don’t bring a mobile phone in any way tied to you or your previous locations.
I worked in telco for years, trust me on this one.
The problem here was different: people who thought they were communicating privately, had their messages (or those that ended up in Apple’s notifications database on the iPhone) accessible to law enforcement. Even after (taking precautions like) deleting the app.
@avuko @wdormann That’s partly why I’m asking because I disable notifications as soon as I purchase a phone. Locating my phone is important because I misplace it a lot. My location services it’s also always off.
I have a degree in IT, but it goes back to 2006 and so much has changed since then and honestly, I only keep up through what I read here on Mastodon. I thought doing these things would secure my privacy. -
@Beachbum @wdormann if you do not want to be tracked/traced/placed, don’t bring a mobile phone in any way tied to you or your previous locations.
I worked in telco for years, trust me on this one.
The problem here was different: people who thought they were communicating privately, had their messages (or those that ended up in Apple’s notifications database on the iPhone) accessible to law enforcement. Even after (taking precautions like) deleting the app.
-
Let me get this straight...
The default setting for Signal on an iPhone allows law enforcement to see the content of all incoming messages, even after the app has been deleted?
@wdormann The default setting is that you get notified when you receive a message, because most people want those.
-
Let me get this straight...
The default setting for Signal on an iPhone allows law enforcement to see the content of all incoming messages, even after the app has been deleted?
@wdormann @mastodonmigration eh what?
On Android it just shows "you have a new message". Was this an Apple or a Signal decision?
-
Let me get this straight...
The default setting for Signal on an iPhone allows law enforcement to see the content of all incoming messages, even after the app has been deleted?
@wdormann Looks different here. But it’s Most probably the „Preview“ -Thing that causes Information to leak (to the OS which persists it unsecure)
-
@wdormann Looks different here. But it’s Most probably the „Preview“ -Thing that causes Information to leak (to the OS which persists it unsecure)
@lennybacon
The screenshot I shared is from the Signal app itself, in Settings.Not iPhone-wide settings.
-
@wdormann The default setting is that you get notified when you receive a message, because most people want those.
@prism
The default setting is that you get notified with the message contents -
@wdormann @Mer__edith I was unaware notifications on iOS were stored in an on-device database even after they had been dismissed. That seems like an inefficient waste of storage - does anybody have a link to some Apple docs providing context about this database?
@tdpsk @Mer__edith
The problem is that such content is not included in unencrypted backups. So we mortals can't even confirm this, as we don't have access to full-device exploit tools such as Cellebrite. -
@omnicore @wdormann @signalapp What I got from the article is what you said here: the weakness is in iPhone’s default behavior.
@grammasaurus @omnicore @signalapp
The screenshot I shared is from the Signal app itself, which chooses to include the message content in notifications.
So I'd say that both are at fault.
-
Let me get this straight...
The default setting for Signal on an iPhone allows law enforcement to see the content of all incoming messages, even after the app has been deleted?
-
Oh, but it's even worse than that. From TFA:
Authorities have turned to push notifications more broadly as an investigative strategy too; in June 404 Media reported Apple gave governments data on thousands of push notifications. Those were legal demands made to Apple, while the Prairieland case was about data from a device authorities had physical access to.
This suggests that your #notifications are sent home to #Apple. Why is that necessary?
I have further questions:
- Why, and for whose benefit, were notifications stored on the phone after the #Signal app had been removed? They were useless to the other of the phone.
- How much of this vulnerability is shared with Android phones?
Apple gave governments data on thousands of push notifications
Is open to wide interpretation. Did they give information about thousands of push notifications? (i.e. metadata) (e.g. the App that sent the notification and the timestamp, and potentially account info tied to the request)
If they gave the actual notification content, then that's a whole other scandalous animal. Extraordinary claims require extraordinary evidence, and whatnot.
-
Let me get this straight...
The default setting for Signal on an iPhone allows law enforcement to see the content of all incoming messages, even after the app has been deleted?
@wdormann switching my friends and family to signal was made easier because of settings like this. It behaves like a normal messaging app. None of them have a threat model that has them thinking of device seizure by law enforcement.
-
@thomasareed @Viss
I don't believe you, asthat setting(my screenshot) is within the Signal app itself.As such, if they wanted a different default value, they would have just released the software with the preferred setting.
-
@thomasareed @Viss
I don't believe you, asthat setting(my screenshot) is within the Signal app itself.As such, if they wanted a different default value, they would have just released the software with the preferred setting.
@wdormann @Viss Okay, whatever. “I don’t believe you” is a pretty rude response, as it implies I’m lying and that nothing changed in the years since I installed it. I do distinctly remember some kind of warning about Signal notifications from somewhere, though, so this is most definitely NOT new news.
-
@lennybacon
The screenshot I shared is from the Signal app itself, in Settings.Not iPhone-wide settings.
@wdormann Thanks. Looks the same in the app to me.
Probably the same but configured from the opposite side of things.
-
@prism
The default setting is that you get notified with the message contents -
@Mer__edith
Can we get a comment on this?1) The default Signal setting to show message contents in push notifications seems... bad, assuming this article is accurate.
2) Does changing the in-Signal-app setting for Notification Content indeed prevent notifications from being stored anywhere, which by default contains incoming message bodies.@Mer__edith
On the macOS side of things, we have confirmation that Signal notification contents get stored, even for disappearing messagesiOS sadly offers less visibility into what's going on. But the FBI probably appreciates that it's happening there too.
The default notification setting for Signal (on both iOS and macOS) ensures that potentially sensitive information leaks out of the Signal app. This is unfortunate.
-
@Mer__edith
Can we get a comment on this?1) The default Signal setting to show message contents in push notifications seems... bad, assuming this article is accurate.
2) Does changing the in-Signal-app setting for Notification Content indeed prevent notifications from being stored anywhere, which by default contains incoming message bodies.@wdormann @Mer__edith it should probably be changed but you also have to weigh this against how many people would try Signal, see that it lacks message previews, and go back to SMS.
-
@wdormann @mastodonmigration eh what?
On Android it just shows "you have a new message". Was this an Apple or a Signal decision?
@craignicol @wdormann @mastodonmigration On my Android it did show Name and message completely. Not sure if I have changed that setting myself in the past 8 years that I have been using Signal, or whether that is/was the default.
-
@craignicol @wdormann @mastodonmigration On my Android it did show Name and message completely. Not sure if I have changed that setting myself in the past 8 years that I have been using Signal, or whether that is/was the default.
@erwinrossen @wdormann @mastodonmigration hmm. Entirely possible the default has changed
