The case was the first time authorities charged people for alleged “Antifa” activities after President Trump designated the umbrella term a terrorist organization.
Clever. Not much you can do for this except not subscribe your app to the notifications API, or take extra steps to attempt to clear them, but I don’t remember that being an option on iOS. Going to be an interesting fix.
This is for the client display only, and not the iOS API interface as I’m discussing. It’s not very plainly laid out in the docs, but one would assume any queuing of content into the notification system would be stored or cached if not cleared. There doesn’t seem to be a way to have a client of that system to clear it’s own data once it’s in there, just cancel last notification.
Correct - the notification API from the server is literally just a ping to inform it there’s something to fetch. The app itself fills the notification content. If you tell it to leave it blank there’s nothing cached outside the application storage.
Apps *can* let the server fill the entire notification content without waking the app, but that’s not how Signal works
Play Store version uses Google’s push/FCM but yeah even then it’s just the generic ping data they get as I understand it. Some may not even want them to have timestamps, so there’s solutions to that:
Can take it a step further grabbing the non-google APK on their website instead or using the hardened Signal fork named Molly. Both use a persistent WebSocket connection to Signal’s servers instead.
I imagine a similar exploit will work on Android devices, as well. Wouldn’t have considered it, but it may be a good idea to figure out how to disable the content from appearing in the Android notifs, too.
It’s not an exploit. It’s a built-in setting in Signal, and the Android options are identical to the one displayed above. You can turn off notification history in Android as well, so it has no stored record of cleared notifications at all.
Clever. Not much you can do for this except not subscribe your app to the notifications API, or take extra steps to attempt to clear them, but I don’t remember that being an option on iOS. Going to be an interesting fix.
On iOS, under Settings > Notifications > Notification Content
This is for the client display only, and not the iOS API interface as I’m discussing. It’s not very plainly laid out in the docs, but one would assume any queuing of content into the notification system would be stored or cached if not cleared. There doesn’t seem to be a way to have a client of that system to clear it’s own data once it’s in there, just cancel last notification.
I’m assuming that changes what it actually displays, but is there confirmation that those data dont enter the notification system on the back end?
On Android the setting is within the Signal app, so I assume it won’t leave the app and therefore won’t enter the notification system.
Correct - the notification API from the server is literally just a ping to inform it there’s something to fetch. The app itself fills the notification content. If you tell it to leave it blank there’s nothing cached outside the application storage.
Apps *can* let the server fill the entire notification content without waking the app, but that’s not how Signal works
Play Store version uses Google’s push/FCM but yeah even then it’s just the generic ping data they get as I understand it. Some may not even want them to have timestamps, so there’s solutions to that:
Can take it a step further grabbing the non-google APK on their website instead or using the hardened Signal fork named Molly. Both use a persistent WebSocket connection to Signal’s servers instead.
Thanks for taking the time to post a helpful instruction.
glad to know this setting is available
I imagine a similar exploit will work on Android devices, as well. Wouldn’t have considered it, but it may be a good idea to figure out how to disable the content from appearing in the Android notifs, too.
It’s not an exploit. It’s a built-in setting in Signal, and the Android options are identical to the one displayed above. You can turn off notification history in Android as well, so it has no stored record of cleared notifications at all.
deleted by creator
yeah, my first reaction was, “hmmm, clever…”