Push Notifications
Push notifications are primarily seen as a marketing or advertising tool. Another popular use is within chat applications, ensuring that subscribers keep up with current conversations.
They can be set to run from a website, with deployment options including products that integrate with WordPress or Shopify. Another route is through mobile applications. Push notifications are natively supported for developers within Android and within Xcode for iOS. As with website-based notifications, various bodies offer services and plug-ins that allegedly take out much of the programming work. Web push notifications should require the browser to be open (malware might overcome that barrier), although not the specific website that serves the notification. Mobile-based notifications do not require the linked app to be open, although clicking on them will probably open the app, which might continue to run in the background without the user's knowledge.
The benefit to a business of notifications over marketing emails is that the end user is not required to provide a valid email address, so might be more likely to sign up. It also avoids harvesting email data that is of limited value, such as junk or throwaway email addresses. There will also be feedback on any interaction with notifications, including the conversion rate to sales or clicks and the geolocation of users. A user does need to accept push notifications from a source, although the authors will be doing their utmost to ensure that their service is accepted through promotions or enticements. Push notifications can be disabled in browsers, iOS and Android, but only on a site-by-site basis.
Naturally there will always be someone trying to work the system for purposes other than promoting a legal service. Through clever social engineering or by exploiting stolen personal data, a scammer will encourage users to allow their notifications. In February 2024 MalwareTips reported a push notification host website that led to users receiving a large volume of unsolicited content even if the original browser had been closed. A simple means of monetising such content is through links with the original advertisers, with the scammer receiving a small payment for each advert displayed. With compromised users and multiple advertisers these fees soon add up. A more worrying use case is to display links to other compromised or malware-infected websites, either controlled by the scammer or providing them with a referral fee.
There are also privacy and data loss issues with the information gathered by these notifications. Developers can encrypt the stored data harvested, but the associated metadata is not encrypted. This would include the name of the app receiving a notification, the timestamp, network details and the receiver's location. Within mobile communications the data will also pass through the Apple Push Notification Service or Firebase Cloud Messaging (Android). This information could be passed on to government agencies through requests that are legal within their jurisdiction, and could be used for surveillance of individuals.
Although the risks from push notifications might be seen as limited, so are their benefits. Kindus have described the issue of web browser privacy. This includes the option for incognito browsing, which blocks browser notifications. It is still good practice to regularly check browsers and mobile devices for any notifications that have somehow been allowed, even if all notifications have apparently been blocked.
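The regular check recommended above can be scripted for Chromium-based browsers. The following is an added example, not code from the original article: it lists every site that holds an "allow" notification permission and is not on a reviewer-supplied trusted list. It assumes the profile's Preferences JSON file keeps these decisions under profile.content_settings.exceptions.notifications with setting 1 meaning allow, a layout that may change between browser versions; the sample data, hostnames and the trusted parameter are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a Chromium profile "Preferences" file (assumed layout).
SAMPLE_PREFERENCES = json.loads("""
{
  "profile": {"content_settings": {"exceptions": {"notifications": {
    "https://news.example:443,*":   {"last_modified": "13352000000000000", "setting": 1},
    "https://prizes.example:443,*": {"last_modified": "13353000000000000", "setting": 1},
    "https://shop.example:443,*":   {"last_modified": "13351000000000000", "setting": 2},
    "https://chat.example:443,*":   {"setting": 1}
  }}}}
}
""")

ALLOW = 1  # Chromium ContentSetting values: 1 = allow, 2 = block
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def granted_at(entry):
    """Convert last_modified (microseconds since 1601-01-01 UTC) to a datetime."""
    try:
        return CHROME_EPOCH + timedelta(microseconds=int(entry.get("last_modified")))
    except (TypeError, ValueError, OverflowError):
        return None  # missing or malformed timestamp

def allowed_notification_origins(prefs, trusted=()):
    """Return (origin, granted_at) for each origin allowed to send notifications
    that is not in the reviewer's trusted set, newest grant first."""
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                       .get("exceptions", {}).get("notifications", {}))
    findings = []
    for pattern, entry in exceptions.items():
        if not isinstance(entry, dict) or entry.get("setting") != ALLOW:
            continue  # blocked or unrecognised entries are not a concern here
        origin = pattern.split(",", 1)[0]  # key is a "primary,secondary" pattern pair
        if origin not in trusted:
            findings.append((origin, granted_at(entry)))
    # Entries without a timestamp sort last.
    findings.sort(key=lambda f: f[1] or CHROME_EPOCH, reverse=True)
    return findings

if __name__ == "__main__":
    for origin, when in allowed_notification_origins(
            SAMPLE_PREFERENCES, trusted={"https://chat.example:443"}):
        print(origin, when.isoformat() if when else "unknown date")
```

To audit a real profile, load a copy of its Preferences file with json.load and pass the result in place of the sample; any origin in the output that is not recognised is a candidate for removal in the browser's site settings.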