Marvin WFeb 5
Daniel Gultsch

The firebase-messaging library is supposed to provide developers with push notification capabilities. However, it includes many dependencies that add unwanted features like analytics and other "calling home" behaviors.

The recent vulnerability in Signal¹ reminded me to finally do something I've been planning for a while: removing that library and interfacing with Play Services directly.

https://codeberg.org/iNPUTmice/Conversations/commit/1abb22b542343642aacb4f7bd82f0bb2bc380ea4

1: https://github.com/signalapp/Signal-Android/issues/14556

remove firebase-messaging library and interface directly with play services · 1abb22b542

Conversations - Conversations is an open source XMPP/Jabber client for Android

Codeberg.org
Feb 5 at 8:56amWeb
Show threadDaniel GultschFeb 5

Funny thing is, interfacing directly with Google Play Services via Android IPC (Broadcast Intents) results in roughly the same amount of code as going through the library.

Why does Google want you to use their malware-infested library? Who knows...

Show threadHippo 🍉Feb 5
@daniel congratulations. Weeding out surveillanceware is indeed a neverending task by the look of it!
Show threadmethuselahFeb 5
@daniel how does it change the playstore app for layman?
Show threadAndrea PappacodaFeb 11
@daniel cool! I wouldn't call this a Signal vulnerability (I think no data is actually leaked), but nice heads up! There's really no reason to use a library for this, especially if the library is part of (dumpster) firebase
Show threadMatthias KirschnerFeb 14
@daniel
Thank you for taking care about this. I very much appreciate your work on this! #ilovefs