We currently have a customer that wants us to implement push notifications to our app. The problem is that for this customer, security is really, really important…
I am not able to find any official documents, that state that the only way to send push a notification to an Android or iOS device via internet is the use of FCM / APNS.
Sadly, I don’t think that I can convince the decision makers to open ports to a Google / Apple service, if I can’t show them that this is a real necessity.
I know how push notifications work etc. and I myself know that it is necessary, but as I said, I need to convince some decision makers, so it would be really helpful if I could show them something official…
1
Well, there are third party services which offer push notification functionality and work over standard ports (443 / HTTPS). (Apple Push Notification Services requires non-standard port numbers 2195 and optionally 2196 to work). Case in point: Firebase offers iOS push notifications as well; for this, you need to upload your private key you’d normally use to communicate directly with Apple’s APNS server. But you’ll still be using a cloud service, of course, just a different one.
The fundamental reason for this limitation is that there’s only so much an app can do in the background; this is done to enforce low battery consumption. Push notifications are one way to wake up an app in the background and Apple and Google are intentionally limiting the options here. There are ways to have the app periodically poll a server for new content, but they won’t be as near real time as push notifications can be and they might be removed from or not admitted to the App Store / Play Store for this kind of behaviour.
In the end, the customer needs to decide if this feature is worth the hassle. A properly configured firewall should not pose a security risk in this scenario.
2