The Medium is the Message: How Secure Messaging Apps Leak Sensitive Data to Push Notification Services

Nikita Samarin, Alex Sanchez, Trinity Chung, Akshay Dan Bhavish Juleemun, Conor Gilsenan, Nick Merrill, Joel Reardon, Serge Egelman
2024-07-15
Abstract: Like most modern software, secure messaging apps rely on third-party components to implement important app functionality. Although this practice reduces engineering costs, it also introduces the risk of inadvertent privacy breaches due to misconfiguration errors or incomplete documentation. Our research investigated secure messaging apps' usage of Google's Firebase Cloud Messaging (FCM) service to send push notifications to Android devices. We analyzed 21 popular secure messaging apps from the Google Play Store to determine what personal information these apps leak in the payload of push notifications sent via FCM. Of these apps, 11 leaked metadata, including user identifiers (10 apps), sender or recipient names (7 apps), and phone numbers (2 apps), while 4 apps leaked the actual message content. Furthermore, none of the data we observed being leaked to FCM was specifically disclosed in those apps' privacy disclosures. We also found several apps employing strategies to mitigate this privacy leakage to FCM, with varying levels of success. Of the strategies we identified, none appeared to be common, shared, or well-supported. We argue that this is fundamentally an economics problem: incentives need to be correctly aligned to motivate platforms and SDK providers to make their systems secure and private by default.
Cryptography and Security
### What problem does this paper attempt to solve?

This paper aims to explore and reveal how secure messaging applications inadvertently leak sensitive user data when using push notification services. Specifically, the research focuses on the following points:

1. **Privacy leakage issues in secure messaging applications**:
   - The paper points out that although modern software development relies on third-party components (such as SDKs) to implement important functions, thereby reducing development costs, this also introduces the risk of privacy leakage due to misconfiguration or incomplete documentation.
   - Researchers specifically focus on how secure messaging applications leak personal data when Google's Firebase Cloud Messaging (FCM) service sends push notifications on Android devices.
2. **Specific research questions**:
   - **RQ1**: What personal data do secure messaging applications send through Google's Firebase Cloud Messaging (FCM)?
   - **RQ2**: What strategies do application developers use to protect personal information from being disclosed to Google's FCM?
   - **RQ3**: Is the observed data-sharing behavior consistent with the privacy assurances made by the application in its public statements?
3. **Research background and motivation**:
   - With increasing public concern about the monitoring of online communication, more and more users are turning to secure messaging applications to protect their communication privacy.
   - However, when implementing the push notification function, these applications may leak sensitive information due to the improper use of third-party SDKs.
   - Such leakage not only violates the privacy protection promised by the application but may also expose users to legal risks, especially when authoritarian regimes or other hostile forces use court orders to force companies to provide push notification records.
4. **Threat model**:
   - The research assumes that many Android application developers transmit sensitive information through established third-party push notification channels without realizing that this information is not properly protected.
   - For example, law enforcement agencies can request FCM push tokens related to the target device through legal procedures and ask Google to provide all information associated with this token, including the content and metadata of push notifications.
5. **Research methods**:
   - Researchers conduct static and dynamic analyses of 21 popular secure messaging applications to understand the data transmitted by these applications on the network.
   - When an application is found to display data in push notifications without obviously sending it through the network, researchers use static analysis to understand the mitigation strategies it uses.
   - Researchers compare the actual behavior of each application with its public statements to identify undisclosed data-sharing and potentially misleading data practices.

### Summary

The core question of this paper is: **Are there privacy leakage risks when secure messaging applications use push notification services?** The research shows that more than half of the applications leak some personal information through FCM, and these leaks are not clearly stated in the application's privacy policy. In addition, although some applications adopt strategies to mitigate privacy leakage, the success rates of these strategies vary, and they lack universality and support.
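
As an added example (not code from the paper or from any of the apps it studied), the following Python audits an FCM HTTP v1 send request for the leak categories the abstract reports: user identifiers, names, phone numbers, and message content. The `data` key names, the ciphertext heuristic, and the three sample requests (a plaintext push, an encrypted body, and an empty wake-up push) are assumptions constructed for illustration.

```python
import json
import re

# Leak categories follow the paper's findings; the key names are assumptions,
# since each app chooses its own keys for the FCM "data" map.
KEY_HINTS = {
    "user_identifier": ("user_id", "uid", "sender_id", "recipient_id"),
    "name": ("title", "sender_name", "recipient_name", "display_name"),
    "message_content": ("body", "message", "text"),
}
PHONE_RE = re.compile(r"^\+?\d[\d\s().-]{6,}\d$")
# Heuristic for ciphertext-like values: long, base64 alphabet, no spaces.
OPAQUE_RE = re.compile(r"^[A-Za-z0-9+/_-]{24,}={0,2}$")


def classify(key, value):
    """Return the leak category for one field, or None if nothing is flagged."""
    if PHONE_RE.match(value):
        return "phone_number"
    for category, hints in KEY_HINTS.items():
        if key.lower() in hints:
            # A stable identifier leaks even when opaque; names and message
            # text leak only when the value is readable.
            if category != "user_identifier" and OPAQUE_RE.match(value):
                return None
            return category
    return None


def audit_fcm_message(raw):
    """Map 'section.key' to a leak category for one FCM send request."""
    msg = json.loads(raw)["message"]
    findings = {}
    for section in ("notification", "data"):
        for key, value in msg.get(section, {}).items():
            category = classify(key, str(value))
            if category:
                findings[f"{section}.{key}"] = category
    return findings


# Constructed sample requests (not captured traffic).
LEAKY = json.dumps({"message": {"token": "constructed-token",
    "notification": {"title": "Alice", "body": "Meet at 6pm?"},
    "data": {"sender_id": "u_8f3a91c2", "phone": "+1 555 0100"}}})
ENCRYPTED = json.dumps({"message": {"token": "constructed-token",
    "data": {"body": "q83vEjRWeJCrze8SNFZ4kKvN7xI0VniQq83vEg=="}}})
WAKE_UP = json.dumps({"message": {"token": "constructed-token", "data": {}}})
```

Calling `audit_fcm_message(LEAKY)` flags all four plaintext fields, while the encrypted and wake-up requests return no findings. The opacity check is a heuristic only: a base64-looking value is not proof of encryption.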