Mattermost Platform

Greater protection for Mattermost message data on mobile devices

Push notifications are an important aspect of the Mattermost user experience on mobile. When important messages come in, many users like to be notified on their mobile devices so they can respond quickly. Mobile push notifications make it easier for users to stay informed or take faster action while on the go. 

When it comes to mobile data privacy, many organizations prioritize secure handling of messaging data, particularly when it may contain mission-critical or proprietary information. Some allow push notification services, as long as message contents are not revealed on the home screen of mobile devices where they could be read by people other than the intended recipient. 

However, other companies may have concerns about using mobile notifications at all because third-party entities may also have access to message content. 

On most messaging platforms, push notification content must pass through Apple Push Notification Service (APNS) or Google Firebase Cloud Messaging (FCM) before it reaches a device. This poses a potential security risk for organizations that operate under strict security and compliance requirements. As a result, some organizations choose to disable push notifications altogether. 

To solve this, we recently released a new feature in Mattermost 5.18 (E20 Edition) that offers greater security for mobile push notifications. Instead of sending the full content of the message in a notification payload, Mattermost sends only a unique message ID. Once the device receives the ID, it then fetches the message content directly from the server and displays the notification per usual. External entities, such as APNS and FCM, handle only the ID and are unable to read any part of the message itself. Users may experience a slight delay in sending or receiving messages due to the extra retrieval step. But they can rest assured that their message content remains private.

The diagram below shows how message contents are sent without the new ID-only feature:

And the next diagram shows the push notification flow using Mattermost’s ID-only feature:

Implementing the new feature is as easy as setting a toggle in the Mattermost admin console. 

If your organization has strict privacy or compliance needs, the new ID-only push notification setting offers a high level of privacy while still allowing your team members to benefit from mobile push notifications. 

Try these features by signing up for a free trial of Mattermost Enterprise Edition or read the push notification documentation in the Mattermost Administrator’s Guide to learn more. 

Mattermost is committed to giving users the best possible user experience while enabling their organizations to meet advanced privacy and compliance requirements. This new ID-only push notification feature will go a long way in helping both meet the challenges of messaging in a mobile environment.

Want help deploying Mattermost to help your team work remotely? Our team is offering free remote onboarding sessions via Zoom.


mm

John Thompson is a former solutions architect at Mattermost, Inc. Prior to joining Mattermost, John worked as a solutions architect and senior consultant at Microsoft, held several different consulting positions in IT, and served as an infrastructure and operations manager for Innocent. John graduated from the University of Leeds.