What are the consequences of discovering a GCM SENDER ID?

Scenario: Assume that when reverse engineering a .apk file, an attacker obtains a SENDER ID for the Push registration service used in the application. The attacker develops a similar fake application with the same / different package name and uploads it to an application store other than Google Play.

My question is: Can they use the same SENDER ID with the application? What are the implications of this for the user who installs this fake application?

Related questions: "Google Cloud Messaging protection" seems to be a bit similar. Also, the answer to "Android GCM: the same sender ID for the add-on application" provides valuable information. The conclusion from both accepted answers is that this is absolutely possible, and therefore it is recommended that you do not have sensitive data in push messages.

But this does not seem to solve the problem. I cannot understand the effect of the above security breach.

+13
java android push-notification google-cloud-messaging
Aug 12 '13 at 20:39
2 answers

The sender ID (aka the Google API project ID) is not tied to the unique name of the application package. In fact, multiple applications can register with GCM using the same sender identifier, which allows you to use the same API key to send GCM messages to all these applications. Of course, each application will have a different registration identifier (even on the same device).

If someone knows your sender ID, they can register with GCM with this sender ID, but without knowing the API key, they will not be able to send GCM messages to either a fake application or to a real application. When they register with GCM, GCM receives the package identifier of their fake application. Therefore, if you send a message to the registration identifier of your real application, it will not reach the fake application. For a fake application to receive messages from your server, it will need to send its own registration identifier to your server and trick your server into considering it to be a real application. In our server application, you must specify our API key if you want to send all the necessary notifications.

+14
Aug 13 '13 at 18:01
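
The point in the answer above, that a fake application has to get its own registration identifier accepted by your server, shown from the server side as an added example (not code from the answer or from GCM). The HMAC session token, the `RegistrationStore` class and the sample registration IDs are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret used to sign session tokens at login.
SESSION_KEY = secrets.token_bytes(32)


def issue_session(user_id: str) -> str:
    """Called only after the user has authenticated; returns 'user_id.mac'."""
    mac = hmac.new(SESSION_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def verify_session(token: str):
    """Return the user id if the token's MAC is valid, else None."""
    user_id, _, mac = token.rpartition(".")
    expected = hmac.new(SESSION_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    valid = hmac.compare_digest(mac.encode(), expected.encode())
    return user_id if user_id and valid else None


class RegistrationStore:
    """Maps authenticated users to the registration IDs their devices sent."""

    def __init__(self):
        self._by_user = {}

    def register(self, session_token: str, registration_id: str) -> bool:
        user_id = verify_session(session_token)
        if user_id is None:
            return False  # unauthenticated client: the ID is never stored
        self._by_user.setdefault(user_id, set()).add(registration_id)
        return True

    def targets_for(self, user_id: str):
        """Registration IDs the server may push this user's notifications to."""
        return sorted(self._by_user.get(user_id, ()))


# Constructed sample data: one real login, and one client that knows the
# sender ID (enough to obtain a registration ID) but holds no valid session.
store = RegistrationStore()
alice = issue_session("alice")
real_ok = store.register(alice, "regid-real-app-constructed")
fake_ok = store.register("alice.forged", "regid-fake-app-constructed")
```

Only the registration ID submitted with a valid session ends up in `targets_for("alice")`, so the server never addresses a push to the ID obtained with the sender ID alone.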

They will not be able to use your GCM sender ID to publish notifications.

Remember that when you receive the sender ID, you also need to send the name of your application package and the SHA-1 signature. This signature is tied to the GCM sender ID, so only applications signed with your release key can register and receive GCM notifications.

Google Play will also not allow publishing applications with a duplicate package name, so no one can create a fake application with a package name that is already in the Play store.

However, nothing is 100% protected. I suggest that a hacker can also determine your SHA-1 signature key and crack the APK in such a way as to trick the system into thinking that the application is signed by your release key. I have seen that applications are "hacked" in such a way as to bypass the Android licensing library. This may prevent the GCM server from thinking that the fake application has the right to receive GCM messages. However, hacked applications still cannot be published on Google Play, so the risk of getting legitimate users is pretty small.

+1
Aug 13 '13 at 17:32