
When user uses custom electrum server, make him aware that his addresses/txids are still leaked to a Push Notifications server #4806

Open
Overtorment opened this issue Jun 20, 2022 · 9 comments
Labels
idea 🤔 privacy push related to push notifications

Comments

@Overtorment
Member

Overtorment commented Jun 20, 2022

@ncoelho i think we need your brilliance in making this work

or, quote:

> I highly suggest that if someone sets a custom Electrum server, the push functionality is turned off and has to explicitly be opt-in

@iamthen0nce

iamthen0nce commented Jun 20, 2022

For short time intervals, notifications can also be sent from the app locally (basically to itself), the first few minutes it sits in the background, if I recall correctly. It may also be possible to use scheduled UserNotifications to get the application to fetch a transaction's status from the chosen Electrum server after a certain time interval like 10 and 20 minutes; and if it was confirmed, then show a local notification.

Less reliable than APNS, but if you care for privacy and set up an Electrum server, you don't want your transaction IDs to be sent to an untrusted server.

At the very least, disable the sending of TXIDs to your server when 'push notifications' are turned off in the iOS settings. Because as far as I know, that only disables the 'receiving' of such notifications, but doesn't necessarily stop the app from sending TXIDs and addresses to your server.

@Overtorment Overtorment added the push related to push notifications label Jun 20, 2022
@Overtorment
Member Author

> At the very least, disable the sending of TXIDs to your server when 'push notifications' are turned off in the iOS settings. Because as far as I know, that only disables the 'receiving' of such notifications, but doesn't necessarily stop the app from sending TXIDs and addresses to your server.

i thought that's how it works now, need to re-read that code to make sure. yes, if PNs are off new addresses & txs should not be posted to GroundControl

@iamthen0nce

> > At the very least, disable the sending of TXIDs to your server when 'push notifications' are turned off in the iOS settings. Because as far as I know, that only disables the 'receiving' of such notifications, but doesn't necessarily stop the app from sending TXIDs and addresses to your server.
>
> i thought that's how it works now, need to re-read that code to make sure. yes, if PNs are off new addresses & txs should not be posted to GroundControl

That's good to know; but as I said, that would be the 'at the very least' behaviour; much better would be for that to happen when you set a custom Electrum server. Also needs some UI feedback so the user knows that stuff is not being sent to a server anymore.

@satrinity402

Any updates here @Overtorment? Were you able to find out if disabling push notifications still leaked TXIDs?

@ncoelho
Member

ncoelho commented Jul 17, 2022 via email

@satrinity402

Cheers @ncoelho

@Sjors

Sjors commented Jul 18, 2022

If I understand the architecture correctly, this sounds like two issues:

  1. There is some transaction monitoring going on in the backend that is separate from using an electrum server (your own or otherwise)
  2. This transaction monitoring can cause push notifications to be sent

Turning off notifications in an iOS app will generally stop (2), though only if the backend correctly monitors for that (otherwise they just don't get delivered, but are still sent).

(1) may be tricky to communicate to the user. Perhaps a checkbox "Do you also wish to disable transaction notifications?". That should then wipe existing addresses from the server too.

Also, afaik Apple can't see what's in your messages. They're end to end encrypted to the device. They can however infer things from the timing. (Update: not encrypted by default it seems)

More broadly, the problem with iOS (and Android?) push notifications is that they are very centralized by design. Everything goes through the Apple server and only the company that released the app can submit things to the Apple push notification server. Web sockets are much nicer from a privacy point of view, but unfortunately afaik they don't work for apps in the background.

@ncoelho
Member

ncoelho commented Jul 18, 2022

Just to bring more clarity on how this works.

This is a feature disabled by default (it is not possible to send notifications without the user's consent, it is an OS level permission) that clearly states what it does in case you choose to enable it. The data used in this feature is all public addresses. No xpubs are monitored.

image

A mitigation could be to remind the user when he changes the electrum server in case he has already opted in for this feature. But we don't know (nor do we want to) if it is his personal server or not.

@Overtorment
Member Author

also, nothing is ever sent to PN server until the user presses OK on this dialog box:
(it's displayed when user goes to Receive screen)

image

perhaps this message should be reworded to explicitly include a statement that PushNotifications mean that there is a PN server that needs to see your addresses to track them to actually send notifications
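
The gating behaviour discussed in this thread (nothing posted while notifications are off or before the dialog is accepted, push switched off until an explicit opt-in once a custom Electrum server is set, and already-registered addresses wiped when sending stops), sketched as an added example. It is not BlueWallet or GroundControl code; `PushPrivacyGate`, the `transport` interface and all setting names are hypothetical, and the sample addresses/txids are constructed.

```javascript
// Added illustration. All names are hypothetical; this is not BlueWallet or GroundControl code.
const SETTINGS = ['osPermission', 'userConsent', 'customElectrum', 'optInWithCustom'];
class PushPrivacyGate {
  constructor(transport) {
    this.transport = transport;   // assumed interface: subscribe(item), unsubscribe(items)
    this.osPermission = false;    // OS-level notification permission
    this.userConsent = false;     // user pressed OK on the in-app dialog
    this.customElectrum = false;  // a non-default Electrum server is configured
    this.optInWithCustom = false; // explicit opt-in given after choosing a custom server
    this.registered = new Set();  // addresses/txids the push server already holds
  }
  // Sending is allowed only when every condition raised in the thread holds.
  maySend() {
    if (!this.osPermission || !this.userConsent) return false;
    return !this.customElectrum || this.optInWithCustom;
  }
  // Call before an address or txid would be posted to the push server.
  track(item) {
    if (!this.maySend()) return false;
    this.transport.subscribe(item);
    this.registered.add(item);
    return true;
  }
  // Apply a settings change (switching to a custom server revokes an earlier opt-in), then wipe.
  update(changes) {
    if (changes.customElectrum && !this.customElectrum) this.optInWithCustom = false;
    for (const key of SETTINGS) if (key in changes) this[key] = Boolean(changes[key]);
    if (!this.maySend() && this.registered.size > 0) {
      this.transport.unsubscribe([...this.registered]);
      this.registered.clear();
    }
    return this.maySend();
  }
}

// Constructed walk-through with a recording stand-in for the push server client.
function demo() {
  const calls = [];
  const log = (op) => (x) => calls.push(`${op} ${x}`);
  const gate = new PushPrivacyGate({ subscribe: log('subscribe'), unsubscribe: log('unsubscribe') });
  const sent = [gate.track('constructed-addr-1')];          // refused: no consent yet
  gate.update({ osPermission: true, userConsent: true });
  sent.push(gate.track('constructed-addr-1'));              // posted
  gate.update({ customElectrum: true });                    // push off, addr-1 wiped server-side
  sent.push(gate.track('constructed-txid-2'));              // refused until explicit opt-in
  gate.update({ optInWithCustom: true });
  sent.push(gate.track('constructed-txid-2'));              // posted
  return { sent, calls };
}
```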
