A system to segregate notification tokens for privacy protection

Privacy-focused notification system with end-to-end encrypted FCM token management.

Architecture

Android App → App Backend (8081) → Notification Backend (8080) → Firebase FCM

Privacy by Design: The app-backend acts as a zero-knowledge intermediary that cannot decrypt device tokens, ensuring organizational separation between user data and notification infrastructure.

Features

End-to-End Encrypted Notifications: RSA + AES hybrid encryption
Zero-Knowledge Intermediary: App-backend cannot decrypt tokens
Durable Storage: Exoscale SOS integration with automatic cleanup
Public Key Hash Namespacing: Prevents key collision in multi-tenant scenarios
Modern FCM API: Uses Firebase Cloud Messaging API v1

Quick Start

1. Generate RSA Keypair

# Generate private key
openssl genrsa -out private_key.pem 4096

# Generate public key from private key
openssl rsa -in private_key.pem -pubout -out public_key.pem

2. Deploy Keys

Android App: Replace demo-app/app/src/main/assets/public_key.pem
Notification Backend: Place private_key.pem in notification-backend/
Never commit private_key.pem to version control

3. Start Services

# Terminal 1: Start notification backend
cd notification-backend
go run main.go  # Runs on :8080

# Terminal 2: Start app backend  
cd app-backend
go run main.go  # Runs on :8081

4. Configure Firebase

See notification-backend/README.md for Firebase setup instructions.

Security Architecture

Hybrid Encryption Flow

Android App: Token → AES-256-GCM → RSA-4096(AES-key) → Base64 → Network
App Backend: Pass-through (zero-knowledge)
Notification Backend: Base64 → RSA-decrypt(AES-key) → AES-GCM-decrypt → Token → FCM

Privacy Guarantees

Zero-Knowledge Relay: App-backend cryptographically cannot access tokens
Just-in-Time Decryption: Tokens decrypted only when sending notifications
Memory Security: Keys wiped immediately after use
Private Key Isolation: Private key never leaves notification-backend
Per-Token Keys: Each token encrypted with unique AES key

Components

demo-app: Android FCM client with hybrid encryption
app-backend: Zero-knowledge intermediary service
notification-backend: FCM notification service with token decryption

See individual component READMEs for detailed setup and API documentation.

Name		Name	Last commit message	Last commit date
Latest commit History 65 Commits
.github/workflows		.github/workflows
app-backend		app-backend
demo-app		demo-app
notification-backend		notification-backend
systemd		systemd
.gitignore		.gitignore
CERTIFICATE_SECURITY.md		CERTIFICATE_SECURITY.md
DEPLOYMENT.md		DEPLOYMENT.md
EXOSCALE_SOS_SETUP.md		EXOSCALE_SOS_SETUP.md
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
RELEASES.md		RELEASES.md
USAGE.md		USAGE.md
demo_integration.go		demo_integration.go
integration_test.go		integration_test.go
public_key.pem		public_key.pem

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

A system to segregate notification tokens for privacy protection

Architecture

Features

Quick Start

1. Generate RSA Keypair

2. Deploy Keys

3. Start Services

4. Configure Firebase

Security Architecture

Hybrid Encryption Flow

Privacy Guarantees

Components

About

Uh oh!

Releases 7

Packages

Languages

License

jeffallen/remote-notification

Folders and files

Latest commit

History

Repository files navigation

A system to segregate notification tokens for privacy protection

Architecture

Features

Quick Start

1. Generate RSA Keypair

2. Deploy Keys

3. Start Services

4. Configure Firebase

Security Architecture

Hybrid Encryption Flow

Privacy Guarantees

Components

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases 7

Packages 0

Languages

Packages