In a progressive move, Google has released a new open-source privacy library to allow developers to encrypt Android push notifications.
For some apps, especially financial apps and privacy-focused messengers like Signal and Telegram, push notifications can be a risk. Notifications can be visible on the lock screen or potentially even intercepted on public Wi-Fi.
Project Capillary makes it simple both to keep notification data secure through encryption and to keep notifications hidden until the device is securely unlocked. In the announcement, Google makes it clear that the technology to do this has long been available, but not packaged together in an official, easy-to-use way.
One advantage of using an open-source security library is that it’s easy for experts to audit it for potential flaws. Also, because the library is backed by a bigger company like Google, it’s likely that more of the “edge cases” have been thought of, like “users adding/resetting device lock after installing the app.”
Some members of the development community have raised concerns about the type of encryption chosen for Capillary, but it seems that the decision was made based on maximum compatibility with older versions of Android. To that end, the library is compatible with all versions of Android dating back to KitKat, which make up 95% of Android devices in use today.
Overall, it’s a good step in the right direction for privacy and security, and hopefully more developers will begin to encrypt their app notifications as a result.