Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Metadata leak in push notifications #6772

Closed
chadyj opened this issue Nov 19, 2018 · 4 comments · Fixed by #7268
Closed

Metadata leak in push notifications #6772

chadyj opened this issue Nov 19, 2018 · 4 comments · Fixed by #7268
Assignees
@pedropombeiro
Labels
push-notifications

Comments

@chadyj
Copy link
Contributor

chadyj commented Nov 19, 2018
edited
Loading

Problem

Reported by @hesterbruikman:

If a message sender has their mobile OS language settings set to a supported language (e.g. Korean or Spanish) the notification of the recipient is shown in this language, regardless of the anguage the recipient has set in their OS. E.g. Jinho sends a message to Philio while Jinho's phone is set to Korean, Philip receives a notification in Korean while his phone is set to English.

Acceptance Criteria

Push notifications should not reveal metadata

cc @mandrigin @corpetty @rasom @pombeirp @corpetty
@pedropombeiro
Copy link
Contributor

This is yet another instance where we see it's better to rely on the data field for the payload instead of notification field (another being e.g. #3451). We should be sending a silent notification (only data filled in) and getting that to trigger an intent on our mobile app, which would be responsible for decoding the payload and actually displaying a localized message.

@chadyj
Copy link
Contributor Author

chadyj commented Nov 20, 2018

@pombeirp Thanks for taking a look. Will you be able to take this?
Looks like there is at least a quick fix here and perhaps a broader PN improvement?

@pedropombeiro pedropombeiro self-assigned this Nov 20, 2018
@pedropombeiro
Copy link
Contributor

I'll take a look and try to make it backward-compatible with older clients.

pedropombeiro pushed a commit to status-im/status-go that referenced this issue Nov 20, 2018
Change NotifyUsers to allow only data JSON element. Part of status-…
3a26758 
…im/status-mobile#6772
pedropombeiro pushed a commit to status-im/status-go that referenced this issue Nov 21, 2018
Change NotifyUsers to allow only data JSON element. Part of status-…
dff0961 
…im/status-mobile#6772
pedropombeiro pushed a commit to status-im/status-go that referenced this issue Nov 21, 2018
Change NotifyUsers to allow only data JSON element. Part of status-…
384a607 
…im/status-mobile#6772
pedropombeiro pushed a commit that referenced this issue Nov 26, 2018
Update PNs to use data-only messaging, and only encode/decode data va…
93e6795 
…lues. Fixes #6772
pedropombeiro pushed a commit that referenced this issue Nov 26, 2018
fixup! Update PNs to use data-only messaging, and only encode/decode …
24e2c91 
…data values. Fixes #6772
pedropombeiro pushed a commit to status-im/status-go that referenced this issue Nov 26, 2018
Change NotifyUsers to allow only data JSON element. Part of status-…
9457d8c 
…im/status-mobile#6772
pedropombeiro pushed a commit that referenced this issue Jan 7, 2019
Update PNs to use data-only messaging, and only encode/decode data va…
d64670a 
…lues. Fixes #6772
pedropombeiro pushed a commit that referenced this issue Jan 7, 2019
Anonymize PN pubkeys. Part of #6772
9e0f28a
pedropombeiro pushed a commit that referenced this issue Jan 8, 2019
Update PNs to use data-only messaging, and only encode/decode data va…
5520dfd 
…lues. Fixes #6772
pedropombeiro pushed a commit that referenced this issue Jan 8, 2019
Anonymize PN pubkeys. Part of #6772
f437980
pedropombeiro pushed a commit that referenced this issue Jan 9, 2019
Update PNs to use data-only messaging, and only encode/decode data va…
d64d65e 
…lues. Fixes #6772
pedropombeiro pushed a commit that referenced this issue Jan 9, 2019
Anonymize PN pubkeys. Part of #6772
42c72e7
cammellos added a commit to status-im/status-go that referenced this issue Jan 10, 2019
@cammellos
Revert "Change NotifyUsers to allow only data JSON element. Part of s…
61176d7 
…tatus-im/status-mobile#6772"

This reverts commit cddf2e1.
cammellos added a commit to status-im/status-go that referenced this issue Jan 10, 2019
@cammellos
Revert "Change NotifyUsers to allow only data JSON element. Part of s…
558689f 
…tatus-im/status-mobile#6772"

This reverts commit cddf2e1.
cammellos added a commit to status-im/status-go that referenced this issue Jan 10, 2019
@cammellos
Revert "Change NotifyUsers to allow only data JSON element. Part of s…
0c512ee 
…tatus-im/status-mobile#6772"

This reverts commit cddf2e1.
cammellos added a commit to status-im/status-go that referenced this issue Jan 10, 2019
@cammellos
Revert "Change NotifyUsers to allow only data JSON element. Part of s…
0c9bf35 
…tatus-im/status-mobile#6772"

This reverts commit cddf2e1.
rasom pushed a commit that referenced this issue Jan 11, 2019
@rasom
Update PNs to use data-only messaging, and only encode/decode data va…
664e9e7 
…lues. Fixes #6772
rasom pushed a commit that referenced this issue Jan 11, 2019
@rasom
Anonymize PN pubkeys. Part of #6772
d336b02
cammellos added a commit to status-im/status-go that referenced this issue Jan 14, 2019
@cammellos
Revert "Change NotifyUsers to allow only data JSON element. Part of s…
dcb0074 
…tatus-im/status-mobile#6772"

This reverts commit cddf2e1.
cammellos added a commit to status-im/status-go that referenced this issue Jan 14, 2019
@cammellos
Revert "Change NotifyUsers to allow only data JSON element. Part of s…
eab9e60 
…tatus-im/status-mobile#6772"

This reverts commit cddf2e1.
cammellos added a commit to status-im/status-go that referenced this issue Jan 14, 2019
@cammellos
Revert "Change NotifyUsers to allow only data JSON element. Part of s…
61bbbdd 
…tatus-im/status-mobile#6772" (#1347)

This reverts commit cddf2e1.
rasom pushed a commit that referenced this issue Jan 14, 2019
@rasom
Update PNs to use data-only messaging, and only encode/decode data va…
f854cf2 
…lues. Fixes #6772
rasom pushed a commit that referenced this issue Jan 14, 2019
@rasom
Anonymize PN pubkeys. Part of #6772
917afba
@rasom rasom mentioned this issue Jan 14, 2019
Merged
11 tasks
rasom pushed a commit that referenced this issue Jan 15, 2019
@rasom
Update PNs to use data-only messaging, and only encode/decode data va…
1df2523 
…lues. Fixes #6772

Fix navigation to chat when PN is tapped while signed off. Fixes #3488

Anonymize PN pubkeys. Part of #6772
rasom pushed a commit that referenced this issue Jan 15, 2019
@rasom
Update PNs to use data-only messaging, and only encode/decode data va…
ae1acf3 
…lues. Fixes #6772

Fix navigation to chat when PN is tapped while signed off. Fixes #3488

Anonymize PN pubkeys. Part of #6772
@pedropombeiro pedropombeiro mentioned this issue Jan 15, 2019
Merged
rasom pushed a commit that referenced this issue Jan 17, 2019
@rasom
Update PNs to use data-only messaging, and only encode/decode data va…
fe3d71c 
…lues. Fixes #6772

Fix navigation to chat when PN is tapped while signed off. Fixes #3488

Anonymize PN pubkeys. Part of #6772
rasom pushed a commit that referenced this issue Jan 17, 2019
@rasom
Update PNs to use data-only messaging, and only encode/decode data va…
5a69b41 
…lues. Fixes #6772

Fix navigation to chat when PN is tapped while signed off. Fixes #3488

Anonymize PN pubkeys. Part of #6772
pedropombeiro pushed a commit to status-im/status-go that referenced this issue Jan 17, 2019
Revert "Revert "Change NotifyUsers to allow only data JSON element.…
06fd760 
… Part of status-im/status-mobile#6772""

This reverts commit 0c9bf35.
cammellos added a commit to status-im/status-go that referenced this issue Jan 18, 2019
@cammellos
Revert "Change NotifyUsers to allow only data JSON element. Part of s…
e5088cd 
…tatus-im/status-mobile#6772" (#1347)

This reverts commit cddf2e1.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pedropombeiro pedropombeiro

Labels
push-notifications
Projects
None yet
Milestone
No milestone
2 participants
@chadyj @pedropombeiro