iOS push notifications (APNS): some security considerations (opens in new tab)

(online24.nl)

32 pointsmichiel314y ago10 comments

10 comments

8 comments · 5 top-level

scootklein14y ago· 3 in thread

I believe the author just has a technical misunderstanding of the way APNS works. In no ways is APNS aware of accounts logged in or logged out of a service - all of this happens on the app developer's server backend. The author's case is properly laid out, but the fault is of the app developer rather than APNS. Developers should take note - this is indeed a valid race condition.

APNS is simply an exchange between a remote service (ex. Twitter) and an application that has registered for remote notifications (ex. Twitter app). APNS knows nothing more than the key that it provided to Twitter to identify this device in a remote push context.

there14y ago

And when an account is logged out, the app should be calling

   [[UIApplication sharedApplication] unregisterForRemoteNotifications];

which should unregister it from iOS, even if the network connection isn't available, right? If the call makes it back to Apple's servers, future push notifications shouldn't even get to the device, but even if they do, shouldn't iOS see that it's no longer valid for the application and not display it, bouncing it back to Apple's servers so the token will show up on their Feedback server? Unless I'm mistaken, unregistering for notifications will remove the application from the device's Notification Center settings.

idunno24614y ago

But the original owner still wants to receive push, so you shouldn't unregister. This isn't apple's problem, this is that the twitter app's server doesn't know they logged out and continues to send messages to the phone.

2 more replies

jobert14y ago

You're right -- this is not only a problem on Apple's side, both Apple and app developers can take measurements to prevent this from happening. On Apple's side this requires fundamental changes in their (un)subscribe mechanism, but that's not likely to happen soon. Therefor, an app developer can implement best practices to ensure this doesn't happen. For example, blocking the UI with an activity indicator until the app receives OK from the APNS when firing the unregister request.

rdg14y ago

That article is completely wrong from a technical perspective...

rohitnair14y ago

Also, not all apps have an explicit "delete account" option. I've experienced scenarios where I've received push notifications when I'm actually signed out of the app (I've seen this behavior on the Google+ and Airbnb apps, for instance) I guess it really is up to the application developer to send push notifications only for active sessions.

nextstep14y ago

Pretty easy fix for this: don't login on someone else's phone. In the hypothetical, the guy could just login to Twitter via Safari (using the web client). This is a full-featured solution, and you can logout like any web service when you're done.

webjunkie14y ago

Ugh, this guy got APNS wrong. An app never needs to register a device with Apple. It's not Apple who sends something, it's still the developer via APNS.

j / k navigate · click thread line to collapse