Push notifications are now among the top customer communication channels, but businesses are concerned that such messages are not secure when they carry private customer data. These concerns apply primarily to companies in the financial, banking, healthcare, wellness, and fitness industries. They manage large volumes of sensitive data about their customers, and any loss of such data can have dire consequences.

Bank customers use websites and mobile apps to transfer money, see payment history, check their balance, and subscribe to web and mobile push notifications to get notified of all transactions and any changes to their account. Banks have to provide top-level security for such customer data, and big risks arise if they send it via push notifications unencrypted.

Here's how regular push notifications work:

The message goes from the client to Google or Apple via Pushwoosh cloud infrastructure, and then the data is delivered to the user's device.

With regular push notifications, the content goes all the way through Apple Push Notification Service and Google's FCM, and is then delivered to users' devices. Push content is sent and stored as plain text, unencrypted, and therefore can potentially be read at any point in between. This doesn't seem to be a problem and works well for marketing push notifications like special offers, news, discounts, etc.

But when you add private customer data, like a bank account statement, a customer's address, or a doctor's appointment time, the message has to be encrypted. Pushwoosh provides Secure Push Messaging, allowing for end-to-end encryption of messages containing sensitive private information.

Here's how it works: the customer's device generates a pair of encryption keys - a private key and a public key. The private key is stored securely on the user's device only, and the public key is sent to Pushwoosh. A company creates a push via API or in Pushwoosh Control Panel. Pushwoosh does all the business logic and encrypts the message content using the public key it acquired. From that point, it can be decrypted only with the private key on the user's device, so we send it to APNs and FCM for delivery. The device then receives the encrypted message delivered by Apple or Google and decrypts it with its private key before showing it to the user.

Push notifications are end-to-end encrypted

The Private Key exists in a single copy, never leaves the phone, and can't be intercepted by man-in-the-middle attacks. The Public Key makes its way from the device to Pushwoosh and is used to encrypt the content, but it can't be used to decrypt that content; only the Private Key can.

Pushwoosh Secure Push Messaging offers:

  • compliance with HIPAA/HITECH, PCI-DSS, NIST, GDPR
  • RSA encryption
  • end-to-end data encryption (all third parties including Apple and Google can't read any data)
  • easy integration, reporting and statistics dashboard

Practical use cases for Secure Push Notifications from our customers include:

  • banks send encrypted transactional notifications with balance statements to customers after money withdrawals from ATMs,
  • medical care services & hospitals use secure push notifications to send medical test results to patients and help them make appointments.

Request a demo of Secure Push Notifications to learn more about secure customer messaging solutions for banks, insurance & medical care services.