{"id":"https://openalex.org/W4400685978","doi":"https://doi.org/10.56553/popets-2024-0151","title":"The Medium is the Message: How Secure Messaging Apps Leak Sensitive Data to Push Notification Services","display_name":"The Medium is the Message: How Secure Messaging Apps Leak Sensitive Data to Push Notification Services","publication_year":2024,"publication_date":"2024-07-16","ids":{"openalex":"https://openalex.org/W4400685978","doi":"https://doi.org/10.56553/popets-2024-0151"},"language":"en","primary_location":{"id":"doi:10.56553/popets-2024-0151","is_oa":true,"landing_page_url":"https://doi.org/10.56553/popets-2024-0151","pdf_url":"https://petsymposium.org/popets/2024/popets-2024-0151.pdf","source":{"id":"https://openalex.org/S4210183172","display_name":"Proceedings on Privacy Enhancing Technologies","issn_l":"2299-0984","issn":["2299-0984"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320322","host_organization_name":"De Gruyter Open","host_organization_lineage":["https://openalex.org/P4310320322","https://openalex.org/P4310313990"],"host_organization_lineage_names":["De Gruyter Open","De Gruyter"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings on Privacy Enhancing Technologies","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://petsymposium.org/popets/2024/popets-2024-0151.pdf","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5031972170","display_name":"Nikita Samarin","orcid":"https://orcid.org/0000-0001-7595-1079"},"institutions":[{"id":"https://openalex.org/I1297971548","display_name":"International Computer Science Institute","ror":"https://ror.org/01ewh7m12","country_code":"US","type":"nonprofit","lineage":["https://openalex.org/I1297971548"]},{"id":"https://openalex.org/I95457486","display_name":"University of California, Berkeley","ror":"https://ror.org/01an7q238","country_code":"US","type":"education","lineage":["https://openalex.org/I95457486"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Nikita Samarin","raw_affiliation_strings":["University of California, Berkeley and International Computer Science Institute (ICSI)"],"affiliations":[{"raw_affiliation_string":"University of California, Berkeley and International Computer Science Institute (ICSI)","institution_ids":["https://openalex.org/I1297971548","https://openalex.org/I95457486"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5112659403","display_name":"Alex Sanchez","orcid":null},"institutions":[{"id":"https://openalex.org/I95457486","display_name":"University of California, Berkeley","ror":"https://ror.org/01an7q238","country_code":"US","type":"education","lineage":["https://openalex.org/I95457486"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Alex Sanchez","raw_affiliation_strings":["University of California, Berkeley"],"affiliations":[{"raw_affiliation_string":"University of California, Berkeley","institution_ids":["https://openalex.org/I95457486"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5006601593","display_name":"Trinity Chung","orcid":null},"institutions":[{"id":"https://openalex.org/I95457486","display_name":"University of California, Berkeley","ror":"https://ror.org/01an7q238","country_code":"US","type":"education","lineage":["https://openalex.org/I95457486"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Trinity Chung","raw_affiliation_strings":["University of California, Berkeley"],"affiliations":[{"raw_affiliation_string":"University of California, Berkeley","institution_ids":["https://openalex.org/I95457486"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5104602908","display_name":"Akshay Dan Bhavish Juleemun","orcid":null},"institutions":[{"id":"https://openalex.org/I95457486","display_name":"University of California, Berkeley","ror":"https://ror.org/01an7q238","country_code":"US","type":"education","lineage":["https://openalex.org/I95457486"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Akshay Dan Bhavish Juleemun","raw_affiliation_strings":["University of California, Berkeley"],"affiliations":[{"raw_affiliation_string":"University of California, Berkeley","institution_ids":["https://openalex.org/I95457486"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5048115405","display_name":"Conor Gilsenan","orcid":null},"institutions":[{"id":"https://openalex.org/I95457486","display_name":"University of California, Berkeley","ror":"https://ror.org/01an7q238","country_code":"US","type":"education","lineage":["https://openalex.org/I95457486"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Conor Gilsenan","raw_affiliation_strings":["University of California, Berkeley"],"affiliations":[{"raw_affiliation_string":"University of California, Berkeley","institution_ids":["https://openalex.org/I95457486"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5026428321","display_name":"Nick Merrill","orcid":"https://orcid.org/0000-0003-3669-1387"},"institutions":[{"id":"https://openalex.org/I95457486","display_name":"University of California, Berkeley","ror":"https://ror.org/01an7q238","country_code":"US","type":"education","lineage":["https://openalex.org/I95457486"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Nick Merrill","raw_affiliation_strings":["University of California, Berkeley"],"affiliations":[{"raw_affiliation_string":"University of California, Berkeley","institution_ids":["https://openalex.org/I95457486"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5059746228","display_name":"Joel Reardon","orcid":"https://orcid.org/0000-0001-9702-775X"},"institutions":[{"id":"https://openalex.org/I168635309","display_name":"University of Calgary","ror":"https://ror.org/03yjb2x39","country_code":"CA","type":"education","lineage":["https://openalex.org/I168635309"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Joel Reardon","raw_affiliation_strings":["University of Calgary"],"affiliations":[{"raw_affiliation_string":"University of Calgary","institution_ids":["https://openalex.org/I168635309"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5000020874","display_name":"Serge Egelman","orcid":"https://orcid.org/0000-0003-2288-0785"},"institutions":[{"id":"https://openalex.org/I1297971548","display_name":"International Computer Science Institute","ror":"https://ror.org/01ewh7m12","country_code":"US","type":"nonprofit","lineage":["https://openalex.org/I1297971548"]},{"id":"https://openalex.org/I95457486","display_name":"University of California, Berkeley","ror":"https://ror.org/01an7q238","country_code":"US","type":"education","lineage":["https://openalex.org/I95457486"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Serge Egelman","raw_affiliation_strings":["University of California, Berkeley and International Computer Science Institute (ICSI)"],"affiliations":[{"raw_affiliation_string":"University of California, Berkeley and International Computer Science Institute (ICSI)","institution_ids":["https://openalex.org/I1297971548","https://openalex.org/I95457486"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":8,"corresponding_author_ids":["https://openalex.org/A5031972170"],"corresponding_institution_ids":["https://openalex.org/I1297971548","https://openalex.org/I95457486"],"apc_list":null,"apc_paid":null,"fwci":3.3066,"has_fulltext":true,"cited_by_count":3,"citation_normalized_percentile":{"value":0.92305262,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":95,"max":98},"biblio":{"volume":"2024","issue":"4","first_page":"967","last_page":"982"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11045","display_name":"Privacy, Security, and Data Protection","score":0.9805999994277954,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},"topics":[{"id":"https://openalex.org/T11045","display_name":"Privacy, Security, and Data Protection","score":0.9805999994277954,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/text-messaging","display_name":"Text messaging","score":0.6071107387542725},{"id":"https://openalex.org/keywords/short-message-service","display_name":"Short Message Service","score":0.5486416220664978},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.5382776856422424},{"id":"https://openalex.org/keywords/notification-system","display_name":"Notification system","score":0.47586625814437866},{"id":"https://openalex.org/keywords/message-broker","display_name":"Message broker","score":0.455637127161026},{"id":"https://openalex.org/keywords/push-technology","display_name":"Push technology","score":0.4489818513393402},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.3963807225227356},{"id":"https://openalex.org/keywords/internet-privacy","display_name":"Internet privacy","score":0.395815908908844},{"id":"https://openalex.org/keywords/computer-network","display_name":"Computer network","score":0.3300265371799469}],"concepts":[{"id":"https://openalex.org/C3018949938","wikidata":"https://www.wikidata.org/wiki/Q17166101","display_name":"Text messaging","level":2,"score":0.6071107387542725},{"id":"https://openalex.org/C74558129","wikidata":"https://www.wikidata.org/wiki/Q43024","display_name":"Short Message Service","level":2,"score":0.5486416220664978},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5382776856422424},{"id":"https://openalex.org/C2779011373","wikidata":"https://www.wikidata.org/wiki/Q3962191","display_name":"Notification system","level":2,"score":0.47586625814437866},{"id":"https://openalex.org/C179733262","wikidata":"https://www.wikidata.org/wiki/Q6821765","display_name":"Message broker","level":2,"score":0.455637127161026},{"id":"https://openalex.org/C180652500","wikidata":"https://www.wikidata.org/wiki/Q1351910","display_name":"Push technology","level":2,"score":0.4489818513393402},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3963807225227356},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.395815908908844},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.3300265371799469}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.56553/popets-2024-0151","is_oa":true,"landing_page_url":"https://doi.org/10.56553/popets-2024-0151","pdf_url":"https://petsymposium.org/popets/2024/popets-2024-0151.pdf","source":{"id":"https://openalex.org/S4210183172","display_name":"Proceedings on Privacy Enhancing Technologies","issn_l":"2299-0984","issn":["2299-0984"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320322","host_organization_name":"De Gruyter Open","host_organization_lineage":["https://openalex.org/P4310320322","https://openalex.org/P4310313990"],"host_organization_lineage_names":["De Gruyter Open","De Gruyter"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings on Privacy Enhancing Technologies","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.56553/popets-2024-0151","is_oa":true,"landing_page_url":"https://doi.org/10.56553/popets-2024-0151","pdf_url":"https://petsymposium.org/popets/2024/popets-2024-0151.pdf","source":{"id":"https://openalex.org/S4210183172","display_name":"Proceedings on Privacy Enhancing Technologies","issn_l":"2299-0984","issn":["2299-0984"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320322","host_organization_name":"De Gruyter Open","host_organization_lineage":["https://openalex.org/P4310320322","https://openalex.org/P4310313990"],"host_organization_lineage_names":["De Gruyter Open","De Gruyter"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings on Privacy Enhancing Technologies","raw_type":"journal-article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions","score":0.4000000059604645}],"awards":[{"id":"https://openalex.org/G173227207","display_name":null,"funder_award_id":"KACST","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G4133522132","display_name":"Collaborative Research: DASS: Developer Implementation of Privacy in Software Systems","funder_award_id":"2217771","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G848032724","display_name":null,"funder_award_id":"Science","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"},{"id":"https://openalex.org/F4320306192","display_name":"Silicon Valley Community Foundation","ror":"https://ror.org/001ader08"},{"id":"https://openalex.org/F4320322997","display_name":"King Abdulaziz City for Science and Technology","ror":"https://ror.org/05tdz6m39"},{"id":"https://openalex.org/F4320333609","display_name":"Center for Long-Term Cybersecurity, University of California Berkeley","ror":null},{"id":"https://openalex.org/F4320334593","display_name":"Natural Sciences and Engineering Research Council of Canada","ror":"https://ror.org/01h531d29"}],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4400685978.pdf","grobid_xml":"https://content.openalex.org/works/W4400685978.grobid-xml"},"referenced_works_count":0,"referenced_works":[],"related_works":["https://openalex.org/W4205192137","https://openalex.org/W1593714462","https://openalex.org/W1975167231","https://openalex.org/W2415891379","https://openalex.org/W1995415200","https://openalex.org/W2198062004","https://openalex.org/W4242104921","https://openalex.org/W2125189285","https://openalex.org/W2220880629","https://openalex.org/W2900214296"],"abstract_inverted_index":{"Like":[0],"most":[1],"modern":[2],"software,":[3],"secure":[4,41,63,194],"messaging":[5,42,64],"apps":[6,65,77,112,141],"rely":[7],"on":[8],"thirdparty":[9],"components":[10],"to":[11,32,52,56,71,127,144,149,163,180,184,190],"implement":[12],"important":[13],"app":[14],"functionality.":[15],"Although":[16],"this":[17,146,172],"practice":[18],"reduces":[19],"engineering":[20],"costs,":[21],"it":[22],"also":[23,138],"introduces":[24],"the":[25,67,80,114,121,157],"risk":[26],"of":[27,45,82,120,154],"inadvertent":[28],"privacy":[29,135,147],"breaches":[30],"due":[31],"misconfiguration":[33],"errors":[34],"or":[35,100,167],"incomplete":[36],"documentation.":[37],"Our":[38],"research":[39],"investigated":[40],"apps'":[43,134],"usage":[44],"Google's":[46],"Firebase":[47],"Cloud":[48],"Messaging":[49],"(FCM)":[50],"service":[51],"send":[53],"push":[54,83],"notifications":[55,84],"Android":[57],"devices.":[58],"We":[59,137,169],"analyzed":[60],"21":[61],"popular":[62],"from":[66],"Google":[68],"Play":[69],"Store":[70],"determine":[72],"what":[73],"personal":[74],"information":[75],"these":[76,89],"leak":[78],"in":[79,132],"payload":[81],"sent":[85],"via":[86],"FCM.":[87],"Of":[88,156],"apps,":[90],"11":[91],"leaked":[92,113,126],"metadata,":[93],"including":[94],"user":[95],"identifiers":[96],"(10":[97],"apps),":[98,104,109],"sender":[99],"recipient":[101],"names":[102],"(7":[103],"and":[105,187,195],"phone":[106],"numbers":[107],"(2":[108],"while":[110],"4":[111],"actual":[115],"message":[116],"content.":[117],"Furthermore,":[118],"none":[119,161],"data":[122],"we":[123,159],"observed":[124],"being":[125],"FCM":[128],"was":[129],"specifically":[130],"disclosed":[131],"those":[133],"disclosures.":[136],"found":[139],"several":[140],"employing":[142],"strategies":[143,158],"mitigate":[145],"leakage":[148],"FCM,":[150],"with":[151],"varying":[152],"levels":[153],"success.":[155],"identified,":[160],"appeared":[162],"be":[164,181],"common,":[165],"shared,":[166],"well-supported.":[168],"argue":[170],"that":[171],"is":[173],"fundamentally":[174],"an":[175],"economics":[176],"problem:":[177],"incentives":[178],"need":[179],"correctly":[182],"aligned":[183],"motivate":[185],"platforms":[186],"SDK":[188],"providers":[189],"make":[191],"their":[192],"systems":[193],"private":[196],"by":[197],"default.":[198]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":2}],"updated_date":"2026-04-13T07:58:08.660418","created_date":"2025-10-10T00:00:00"}