Now something related to the previous Signal post.

It is usually assumed that someone needs physical access to your phone to see your data. That is often not needed.


FCM Tokens for Surveillance

Nowadays many governments request push notification records from Apple and Google for their investigations. You don’t need to be a criminal to be targeted, just ask people in the UK.

The US government especially has been building a gigantic surveillance machine that gathers many data points and metadata, not only from US citizens but from the whole world, and this includes push notification data from all phones.

All applications (even Signal) use push notifications, so we are all fucked.

When you install Signal and grant notification permissions on your phone, Google Mobile Services (GMS) registers your device with Firebase Cloud Messaging (FCM), which produces a unique FCM registration token (like a delivery address for your device-app-account combination). This token is sent to Signal’s servers so they know where to send your wake-up pings. All of this is normal.

The shady part is that Google also stores its own copy of this mapping: this FCM token belongs to this Google account, on this device, identified by its Android ID and hardware identifiers. In other words, from that moment on, every single Signal notification delivery event creates a log entry in Google’s infrastructure: the target FCM token, Signal’s app identifier (org.thoughtcrime.securesms), and a delivery timestamp.

Usually, for “normal” applications, the text content of the notification is also stored on Google’s servers, but Signal sends only data-only FCM messages with empty payloads. Google doesn’t need the message content to track you: they know you got a message, at what time, etc. It’s all about metadata.

The deanonymization chain works like this. Law enforcement identifies a person of interest who uses Signal under an anonymous account. They have a device identifier, or an app usage pattern, or a tip pointing to a specific FCM token. With a court order to Google, law enforcement now has the full token mapping. The FCM token resolves to a Google account. The Google account resolves to a real identity through payment records, a recovery phone number, a recovery email, or simply the name the account was registered under. The “anonymous” Signal user is now a named individual with a timestamped history of when they received Signal messages (not the messages themselves, but you are no longer anonymous).


None of this requires accessing the target’s device. None of it requires breaking Signal’s encryption. It is purely a metadata problem, the metadata lives at Google, and people have been killed by metadata.


Do Not Enable Notifications?

The token exists the moment you grant notification permission…

In Signal’s case, the FCM token is generated and registered with Google’s infrastructure the first time GMS processes a notification registration from Signal, which happens as soon as Signal is installed and you grant notification permissions. You do not need to receive any messages. You do not need to send any. The token exists at Google from the moment Signal’s FCM registration call completes. Every notification delivery after that adds a timestamped record to Google’s logs.

This is not a Signal-specific problem. Every app on your Android device that uses FCM (which is most of them if not all) generates a token that Google holds and maps to your Google account.


Silent Push: When Your Phone Gets Pinged to Reveal Your Location

Beyond the FCM surveillance trail, governments send silent push notifications. A silent push is a high-priority FCM data message with no notification payload and no visible content, and it can be sent to any device with a valid FCM token. The device receives it, GMS wakes the target app via onMessageReceived(), and the app does whatever it is coded to do in response. Nothing appears on your screen. No banner, no sound, no badge. Your phone just quietly woke up in the background.
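What Google can read depends on the payload shape. The following added example (not from the original post and not Signal's code) audits an FCM HTTP v1 request body for readable content passing through the provider and flags the high-priority, no-notification shape described above; the sample messages and token placeholders are constructed.

```python
# Added example: audit what an FCM HTTP v1 request body exposes to the push provider.
# All sample messages and token strings below are constructed placeholders.

ALWAYS_EXPOSED = ("registration token", "sending app/project", "delivery timestamp")


def _non_empty_strings(obj, path):
    """Yield dotted paths of every non-empty string value under obj."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _non_empty_strings(value, f"{path}.{key}")
    elif isinstance(obj, str) and obj.strip():
        yield path


def audit_fcm_message(body):
    """Classify one FCM v1 request body ({"message": {...}})."""
    msg = body.get("message", {})
    android = msg.get("android", {})
    # A "notification" block (top level or Android override) is displayed by the OS,
    # so its text travels through the provider in readable form.
    display = list(_non_empty_strings(msg.get("notification", {}), "notification"))
    display += list(_non_empty_strings(android.get("notification", {}), "android.notification"))
    # "data" pairs are app-defined; non-empty values are readable in transit
    # unless the app encrypted them itself before sending.
    data = list(_non_empty_strings(msg.get("data", {}), "data"))
    data += list(_non_empty_strings(android.get("data", {}), "android.data"))
    data_only = not display
    return {
        "content_fields": sorted(display + data),
        "data_only": data_only,
        # The "silent push" shape: high priority, no notification payload.
        "silent_wakeup": data_only and android.get("priority", "").upper() == "HIGH",
        "always_exposed": ALWAYS_EXPOSED,
    }


# Constructed samples, not captured traffic.
CHATTY = {"message": {"token": "TOKEN_PLACEHOLDER_A",
                      "notification": {"title": "Alice", "body": "see you at 8"}}}
EMPTY_WAKEUP = {"message": {"token": "TOKEN_PLACEHOLDER_B", "data": {},
                            "android": {"priority": "HIGH"}}}
DATA_LEAK = {"message": {"token": "TOKEN_PLACEHOLDER_C",
                         "data": {"sender": "alice", "preview": ""},
                         "android": {"priority": "NORMAL"}}}

if __name__ == "__main__":
    for name, sample in (("chatty", CHATTY), ("empty", EMPTY_WAKEUP), ("leak", DATA_LEAK)):
        print(name, audit_fcm_message(sample))
```

Even when `content_fields` comes back empty, the `always_exposed` items remain, which is the metadata this post is about.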

The surveillance value comes from what happens when the woken app makes a network connection. If the app connects to any server in response to the wake-up (to check for updates, sync state, etc.) and that server logs the connection, the log contains your device’s current IP address, which resolves to your location.

The silent push is used by:

  • Marketing and analytics platforms. For example, if an app is uninstalled, sending to its FCM token returns a NOT_REGISTERED error, which means the device no longer has the app.
  • Law enforcement. Here the path runs through an app developer. An investigator with a target’s FCM token and a court order compelling the app developer to cooperate can have the developer send a silent push to that specific token. The app wakes and connects to its servers, and the server logs the IP. Alternatively, Google’s FCM infrastructure itself records connection events from the target device in response to the delivery, revealing the IP to Google regardless of what the app does.

So, every Android app using FCM has the same structure: a token at Google, mapped to your account, generating a delivery log with every notification.


So Now What?

If you use Signal, change the notification content setting to “No Name or Content” to close off the device forensics threat. The string "Signal message" ends up in the database instead of sender names and message text. Anyone extracting that database finds nothing useful.

Google will still have the metadata, though. Your FCM registration token exists at Google regardless of what your notification content setting says. Delivery timestamps are logged at Google regardless.

The only thing that removes the FCM token from Google’s records is never having registered with FCM in the first place.