Push Notification Message end to end encryption


Shameer

Apr 15, 2020, 6:23:05 AM
to Aerogear
Recently, I was asked by my colleague whether a push message is secured and encrypted with a public key when delivered to Google or Apple. I didn't think about that before. I thought SSL takes care of security, but SSL only ensures secure transport. I have browsed several resources, but I could not find any clear details.

Could you enlighten me on whether the push message sent out from my Unified Push Server to the push service provider (APN or FCM) is secured and encrypted?

If it is not encrypted, is there a way to encrypt the message before sending it to the push service provider? (I understand that there should be some decryption logic at the client end.)

Summers Pittman ℝ

Apr 15, 2020, 9:26:26 AM
to Shameer, Aerogear
See inline.
Summers Pittman
>>Phone:404 941 4698
>>Java is my crack.



On Wed, Apr 15, 2020 at 6:23 AM Shameer <mailh...@gmail.com> wrote:
Recently, I was asked by my colleague whether a push message is secured and encrypted with a public key when delivered to Google or Apple. I didn't think about that before. I thought SSL takes care of security, but SSL only ensures secure transport. I have browsed several resources, but I could not find any clear details.

Could you enlighten me on whether the push message sent out from my Unified Push Server to the push service provider (APN or FCM) is secured and encrypted?

Messages are delivered over HTTPS. We don't modify your payload, however. This means that third parties can't spy on your message between UPS and the push service (i.e. FCM), but the push service (FCM) can read your payload data.
 

If it is not encrypted, is there a way to encrypt the message before sending it to the push service provider? (I understand that there should be some decryption logic at the client end.)

I would suggest that if you have data that needs to be encrypted, your push message should be used to signal your application to download the data securely from your services and not be delivered over push networks.

So let's say you are a doctor and you want to send a patient a reminder for their upcoming appointment. Instead of encrypting the appointment object, sending it through push networks, and performing decryption on the client, the push message should be an "appointment reminder" event to the user. The notification handler on the client device would receive this message and enqueue a job on the device to download the appointment information from the doctor's servers.

The reason you want to schedule a job instead of performing the download is that push notifications should be handled very quickly, and any follow-up work should be scheduled by your operating system. Android is a little more generous about this than iOS, but both will aggressively kill apps that take too long to process a push message.
 

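The signal-then-fetch pattern described in the reply above, sketched for an Android client as an added example (not code from the thread or from AeroGear). It assumes the app receives FCM data messages directly and uses WorkManager; the class names, the `event`/`ref` payload keys, the API host and the `auth`/`access_token` preference names are hypothetical.

```kotlin
import android.content.Context
import androidx.work.*
import com.google.firebase.messaging.FirebaseMessagingService
import com.google.firebase.messaging.RemoteMessage
import java.io.IOException
import java.net.URL
import javax.net.ssl.HttpsURLConnection

// Assumed for this example: payload keys "event" and "ref", the API host below,
// and an access token saved at login under prefs "auth" / "access_token".
private const val API_BASE = "https://api.example.invalid/appointments/"
private val REF_PATTERN = Regex("[A-Za-z0-9_-]{1,64}")

class AppointmentPushService : FirebaseMessagingService() {
    // Push path: return quickly, so only validate the signal and schedule the fetch.
    override fun onMessageReceived(message: RemoteMessage) {
        if (message.data["event"] != "appointment_reminder") return
        val ref = message.data["ref"] ?: return   // opaque id, no appointment details
        if (!REF_PATTERN.matches(ref)) return     // push input is untrusted
        val job = OneTimeWorkRequestBuilder<AppointmentSyncWorker>()
            .setInputData(workDataOf("ref" to ref))
            .setConstraints(Constraints.Builder().setRequiredNetworkType(NetworkType.CONNECTED).build())
            .build()
        WorkManager.getInstance(applicationContext).enqueue(job)
    }
}

class AppointmentSyncWorker(ctx: Context, params: WorkerParameters) : Worker(ctx, params) {
    override fun doWork(): Result {
        val ref = inputData.getString("ref") ?: return Result.failure()
        val token = applicationContext.getSharedPreferences("auth", Context.MODE_PRIVATE)
            .getString("access_token", null) ?: return Result.failure()
        val conn = URL(API_BASE + ref).openConnection() as HttpsURLConnection
        return try {
            // Sensitive data travels only over the app's own authenticated TLS session.
            conn.setRequestProperty("Authorization", "Bearer $token")
            when (conn.responseCode) {
                200 -> {
                    val body = conn.inputStream.use { it.readBytes() }
                    applicationContext.openFileOutput("appointment_$ref.json", Context.MODE_PRIVATE)
                        .use { it.write(body) }
                    Result.success()
                }
                401, 403, 404 -> Result.failure()  // not fetchable by this user; do not retry
                else -> Result.retry()
            }
        } catch (e: IOException) {
            Result.retry()
        } finally {
            conn.disconnect()
        }
    }
}
```

With this split, the push provider only ever sees the event name and an opaque reference; the server decides at fetch time whether the authenticated user may read the record.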