iOS push notifications (APNS): some security considerations - michiel3
https://www.online24.nl/blog/ios-push-notification-apns-flaw/

======
scootklein
I believe the author just has a technical misunderstanding of the way APNS
works. In no way is APNS aware of accounts logged in or logged out of a
service - all of this happens on the app developer's server backend. The
author's case is properly laid out, but the fault is the app developer's
rather than APNS's. Developers should take note - this is indeed a valid race
condition.

APNS is simply an exchange between a remote service (ex. Twitter) and an
application that has registered for remote notifications (ex. Twitter app).
APNS knows nothing more than the key that it provided to Twitter to identify
this device in a remote push context.

~~~
there
And when an account is logged out, the app should be calling

    [[UIApplication sharedApplication] unregisterForRemoteNotifications];

which should unregister it from iOS, even if the network connection isn't
available, right? If the call makes it back to Apple's servers, future push
notifications shouldn't even get to the device, but even if they do, shouldn't
iOS see that it's no longer valid for the application and not display it,
bouncing it back to Apple's servers so the token will show up on their
Feedback server? Unless I'm mistaken, unregistering for notifications will
remove the application from the device's Notification Center settings.

~~~
idunno246
But the original owner still wants to receive push, so you shouldn't
unregister. This isn't Apple's problem; the problem is that the Twitter app's
server doesn't know they logged out and continues to send messages to the phone.

~~~
there
If you logged out of the application, it should unregister. It should only
re-register when you log back in (which would require communication with
Twitter's servers, which would update the APNS token to point to the correct
account). This is how I handle APNS tokens in my Pushover app.

~~~
seppo0010
I think you are missing the point. It is a multi-user app. The first user
didn't log out when the second one logged in; both were logged in at the same
time.

The _real_ solution is to wait for the server's acknowledgement before deleting
the account from the phone.

------
rdg
That article is completely wrong from a technical perspective...

------
rohitnair
Also, not all apps have an explicit "delete account" option. I've experienced
scenarios where I've received push notifications when I'm actually signed out
of the app (I've seen this behavior on the Google+ and Airbnb apps, for
instance). I guess it really is up to the application developer to send push
notifications only for active sessions.
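The server-side fix that seppo0010 and rohitnair describe (bind each APNS device token to the accounts with an active session, push only to those bindings, and have the client wait for the server's acknowledgement before forgetting a logged-out account), as an added illustration that is not code from the article or from any commenter. The class and function names, and the in-memory registry, are assumptions; the real token delivery to APNS is left out.

```python
# Added example: a minimal server-side session/token registry for a multi-user
# app. Names and data model are assumptions; APNS delivery itself is simulated.

class PushServer:
    def __init__(self):
        # device_token -> set of account ids with an active session on that device
        self.sessions = {}
        # (account, token, message) triples that would have gone to APNS
        self.sent = []

    def login(self, account, token):
        # A multi-user app may have several accounts logged in on one device.
        self.sessions.setdefault(token, set()).add(account)

    def logout(self, account, token):
        # Returns True as the acknowledgement the client must wait for.
        accounts = self.sessions.get(token)
        if not accounts or account not in accounts:
            return False
        accounts.discard(account)
        if not accounts:
            del self.sessions[token]
        return True

    def notify(self, account, message):
        # Push only to devices that currently hold an active session for this
        # account; a token whose binding was removed at logout gets nothing.
        targets = [t for t, accs in self.sessions.items() if account in accs]
        for t in targets:
            self.sent.append((account, t, message))
        return targets


def client_logout_racy(server, account, token, network_up):
    # Flawed client: clears the account locally whether or not the server ever
    # heard about the logout, so an offline logout leaves the binding alive.
    if network_up:
        server.logout(account, token)
    return True


def client_logout_safe(server, account, token, network_up):
    # Corrected client: local state is only cleared once the server has
    # acknowledged the logout; an offline logout is reported as not done.
    if not network_up:
        return False
    return server.logout(account, token)
```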

------
nextstep
Pretty easy fix for this: don't log in on someone else's phone. In the
hypothetical, the guy could just log in to Twitter via Safari (using the web
client). This is a full-featured solution, and you can log out like any web
service when you're done.

------
webjunkie
Ugh, this guy got APNS wrong. An app never needs to register a device with
Apple. It's not Apple who sends something, it's still the developer via APNS.

