
“You received $100,000 from Johnny”: A Mixed-Methods Study on Push Notification Security and Privacy in Android Apps

Abstract

Push notifications are widely used in Android apps to show users timely and potentially sensitive information outside the apps’ regular user interface. Google’s default service for sending push notifications, Firebase Cloud Messaging (FCM), provides only transport layer security and does not offer app developers message protection schemes to prevent access or detect modifications by the push notification service provider or other intermediate systems.

We present and discuss an in-depth mixed-methods study of push notification message security and privacy in Android apps. We statically analyze a representative set of 100,000 up-to-date and popular Android apps from Google Play to get an overview of push notification usage in the wild. In an in-depth follow-up analysis of 60 apps, we gain detailed insights into the leaked content and what some developers do to protect the messages. We find that (a) about half of the analyzed apps use push notifications, (b) about half of the in-depth analyzed messaging apps do not protect their push notifications, allowing access to sensitive data that jeopardizes users’ security and privacy, and (c) the means of protection lack a standardized approach, manifesting in various developer-defined encryption schemes, custom protocols, or out-of-band communication methods. Our research highlights gaps in developer-centric security regarding appropriate technologies and supporting measures that researchers and platform providers should address.

Metadata

Document Type: Article
Language: English
Authors: Thomas Neteler, Sascha Fahl, Luigi Lo Iacono
Parent Title (English): IEEE Access
Volume: 12
First Page: 112499
Last Page: 112516
ISSN: 2169-3536
URN: urn:nbn:de:hbz:1044-opus-85473
DOI: https://doi.org/10.1109/ACCESS.2024.3439095
Publisher: IEEE
Publishing Institution: Hochschule Bonn-Rhein-Sieg
Date of first publication: 2024/08/05
Copyright: 2024 The Authors. This work is licensed under a Creative Commons Attribution 4.0 License.
Keywords: FCM; Push notifications; android; end-to-end security; intermediate systems
Departments, institutes and facilities: Fachbereich Informatik; Institut für Cyber Security & Privacy (ICSP)
Dewey Decimal Classification (DDC): 0 Computer science, information science, general works / 00 Computer science, knowledge, systems / 005 Computer programming, programs, data
Open access funding: Hochschule Bonn-Rhein-Sieg / Publication fund / Funded by the H-BRS publication fund; Deutsche Forschungsgemeinschaft / DFG funding of open access publication costs 2023 - 2025
Entry in this database: 2024/08/20
Licence (German): Creative Commons - CC BY - Attribution 4.0 International