Hacker News

GeekyBear, today at 7:54 PM (2 replies)

> Oh, you did turn on disappearing messages? We send the messages in notifications. So the OS can keep them.

Worse than that, they did not take advantage of the ability to send that message data as an encrypted payload inside the notification.

https://blog.davidlibeau.fr/push-notifications-are-a-privacy...

Either do not include sensitive user data inside a notification by default, or encrypt that data before you send it to the notification server.


Replies

greysonp, today at 8:43 PM

Signal developer here. Our FCM and APN notifications are empty and just tell the app to wake up, fetch encrypted messages, decrypt them, and then generate the notification ourselves locally.

janfoeh, today at 8:34 PM

According to Michael Tsai, they did use encrypted notification payloads. The OS just then stores the decrypted payloads in its notification database. [0]

[0] https://mjtsai.com/blog/2026/04/10/notifications-privacy/