A couple of weeks ago, news broke thatgovernments might be spying on push messagesdelivered through Apple���s push notification system or Google���s Firebase Cloud Messaging.

(hat tip to Prof. Matthew Green for raising awareness)

IMHO, governments are only part of the problem. Apple and Google can read your push messages.While both firms claim that messages are encrypted, that is only for ���data in motion���, as theyare sent over the Internet. Messages in their servers are unencrypted. Not only can they accessthe data, but they can hand it to whoever they want to, not just governments.

While the current focus is on ���Big Tech��� push message systems, the problem is more generalthan that. Any third-party data transport system has the same sort of problem. Serviceslike PubNub, Amazon SNS, Stream, and others that offer ���publish/subscribe���and similar sorts of message-based APIs are very useful, but generally their data is encryptedin motion and not at rest. Those firms can see your messages, as can anyone that thosefirms allow.

Roughly speaking, I see two main ways of addressing this.

The best is to not send anything of significance in the message itself. Use it asa trigger mechanism only. So, the message might contain some sort of verb identifyingwhat it wants the app to do, but nothing else. The app would then use other communicationsoptions (e.g., Web service calls) to do whatever it is the trigger is requesting. Thisallows you to focus on securing those other communications options, and you care lessabout spying on your messages.

The other is to encrypt your message payloads so that only the recipient can read them.This can work, but key management is a pain as always. IMHO, use this approach only ifthe messages do not require any other communications to be useful ��� if you are goingto have to make a Web service call anyway, there is little value in packing data intothe message itself.

Neither of these approaches help much with metadata. The message system providers (e.g., Google)and their favored partners (e.g., governments) can still examine which apps are getting messages,at what times and for what accounts (e.g., Google accounts). Theonly way to avoid that is to avoid using a message system provider, such as hosting yourown messaging server. That has its own problems (e.g., background process limits in Android).

Using a push message system provider often is unavoidable. Letting them have your data is avoidable,by encrypting that data or not having any meaningful data in the messages themselves.