Best IT Recipes

Google cloud messaging security

The company creates the project and receives the sender ID. The company creates the application, bakes the sender in its identifier, and places the application in the store.

The attacker calls the application engineers and retrieves both the sender ID and the server interface used to obtain the GCM registration identifiers.

The attacker creates his application, bakes the sender ID and the registration server interface, places the application in the store. The attack application basically personifies the actual company application with respect to GCM: it registers to receive messages from the sender ID of the company, and then sends its GCM registration ID to the company's servers, as the "real" application does.

Now the company wants to translate some information into all instances of its application. Perhaps this is a reminder than an update is available. Is there a way to distinguish an “attack application” (which is registered as real) from “real” versions of the Company application?

+11
android security google-cloud-messaging android-c2dm
Jul 05 2018-12-12T00:
source share
7 answers

The same problem could exist with C2DM, which you can sniff at the sender's email address rather than the project identifier for GCM.

C2DM or GCM should never be used to send confidential user information (for example, account name, confidential information, etc.), it is mainly useful for notifications that a real application can use to perform further actions.

I don’t see how useful the notification for the "fake / hack" application can be, what will they do with the notification "Do you have a new message"?

+1
Jul 06 '12 at 3:24
source share

I think that in your scenario, an attacker cannot send a message to the user, even if he has a registration ID. The company’s server that sends the messages they need for authentication (OAuth2) is first registered with Google. Thus, only if the attacker knows the password of the sending party and the registration ID, than he can send the user. But the sending party password, of course, is never sent to the client side.

+3
Jul 06 2018-12-12T00:
source share

well, it may even work in the debug version of an intruder application, but it cannot put his application in the store. Part of the GCM ID is the application ID, which must be unique in the repository.

+2
Jul 05 2018-12-21T00:
source share

The GCM registration ID is requested by Google, requested by the application and sent to your server. When someone with another application (but the same sender ID) creates Regid, he still needs to be bound to the server, and you first need to explicitly send a message to this specific reid.

Installing the application, regardless of whether it is legal or not, can never receive messages for which it is not allowed. (If you declare and use permission C2D_MESSAGE )

+1
Dec 02
source share

In fact, google allows you to register a server key for GCM, which allows you to use the IP addresses of the White-List Server ... Therefore, you must add your server IP address and you will be safe, since only your server can send messages with this the key.

0
Mar 31 '13 at 3:11
source share

In this case, GCM is safe.
You can’t even use your sender ID in your original application before registering the application with GoogleApiConsole. This means that you specify the fingerprint of the private key in the GoogleApiConsole. This is enough.

0
Dec 04 '13 at 10:09
source share

I would suggest having your own "intermediate server" that uses the API key (sender ID, as you called it). Instead of embedding it in the application itself.

0
Aug 12 '15 at 18:12
source share


More articles:


All Articles