US law enforcement can obtain push notification metadata from Apple and Google without a warrant, exposing user activity patterns to surveillance.
A WIRED investigation revealed that the FBI and other US law enforcement agencies have been requesting push notification metadata from Apple and Google as part of criminal investigations. This metadata — including which apps send notifications, timing, and associated account identifiers — can reveal detailed behavioral patterns without accessing message content. The practice has reportedly been used without requiring a warrant in some jurisdictions, raising Fourth Amendment concerns. The story surfaced alongside broader cybersecurity coverage including Iran-linked infrastructure attacks and Syria's cybersecurity vulnerabilities.
Every push notification your app sends creates a metadata record at Apple APNs or Google FCM tied to a device token and account identifier. Law enforcement can subpoena this without triggering your legal team — and you won't necessarily be notified. If your app handles sensitive user data (health, finance, legal, comms), your notification architecture is a silent data leak you've probably never audited.
Audit your app's push notification payload and frequency this week: strip any user-identifying content from notification bodies, switch to silent/background pushes where possible, and document what metadata your APNs/FCM implementation exposes per request.
Open your APNs or FCM implementation code and locate where device tokens are stored and transmitted
Tags
Signals by role
Tools mentioned