iOS push notifications (APNS): some security considerations

I believe the author just has a technical misunderstanding of the way APNS works. In no ways is APNS aware of accounts logged in or logged out of a service - all of this happens on the app developer's server backend. The author's case is properly laid out, but the fault is of the app developer rather than APNS. Developers should take note - this is indeed a valid race condition.<p>APNS is simply an exchange between a remote service (ex. Twitter) and an application that has registered for remote notifications (ex. Twitter app). APNS knows nothing more than the key that it provided to Twitter to identify this device in a remote push context.

That article is completely wrong from a technical perspective...

Also, not all apps have an explicit "delete account" option. I've experienced scenarios where I've received push notifications when I'm actually signed out of the app (I've seen this behavior on the Google+ and Airbnb apps, for instance) I guess it really is up to the application developer to send push notifications only for active sessions.

Pretty easy fix for this: don't login on someone else's phone. In the hypothetical, the guy could just login to Twitter via Safari (using the web client). This is a full-featured solution, and you can logout like any web service when you're done.

Ugh, this guy got APNS wrong. An app never needs to register a device with Apple. It's not Apple who sends something, it's still the developer via APNS.