IEEE Access (Jan 2024)
“You Received $100,000 From Johnny”: A Mixed-Methods Study on Push Notification Security and Privacy in Android Apps
Abstract
Push notifications are widely used in Android apps to show users timely and potentially sensitive information outside the apps’ regular user interface. Google’s default service for sending push notifications, Firebase Cloud Messaging (FCM), provides only transport layer security and does not offer app developers message protection schemes to prevent access or detect modifications by the push notification service provider or other intermediate systems. We present and discuss an in-depth mixed-methods study of push notification message security and privacy in Android apps. We statically analyze a representative set of 100,000 up-to-date and popular Android apps from Google Play to get an overview of push notification usage in the wild. In an in-depth follow-up analysis of 60 apps, we gain detailed insights into the leaked content and what some developers do to protect the messages. We find that (a) about half of the analyzed apps use push notifications, (b) about half of the in-depth analyzed messaging apps do not protect their push notifications, allowing access to sensitive data that jeopardizes users’ security and privacy and (c) the means of protection lack a standardized approach, manifesting in various developer-defined encryption schemes, custom protocols, or out-of-band communication methods. Our research highlights gaps in developer-centric security regarding appropriate technologies and supporting measures that researchers and platform providers should address.
Keywords
