US law enforcement can obtain push notification metadata from Apple and Google without a warrant, exposing user activity patterns to surveillance.
A WIRED investigation revealed that the FBI and other US law enforcement agencies have been requesting push notification metadata from Apple and Google as part of criminal investigations. This metadata — including which apps send notifications, timing, and associated account identifiers — can reveal detailed behavioral patterns without accessing message content. The practice has reportedly been used without requiring a warrant in some jurisdictions, raising Fourth Amendment concerns. The story surfaced alongside broader cybersecurity coverage including Iran-linked infrastructure attacks and Syria's cybersecurity vulnerabilities.
Every push notification your app sends creates a metadata record at Apple APNs or Google FCM tied to a device token and account identifier. Law enforcement can subpoena this without triggering your legal team — and you won't necessarily be notified. If your app handles sensitive user data (health, finance, legal, comms), your notification architecture is a silent data leak you've probably never audited.
Audit your app's push notification payload and frequency this week: strip any user-identifying content from notification bodies, switch to silent/background pushes where possible, and document what metadata your APNs/FCM implementation exposes per request.
Open your APNs or FCM implementation code and locate where device tokens are stored and transmitted
Tags
Also today
Signals by role
Also today
Tools mentioned