According to this docs when you create the client ids for the endpoints you need a web client id, an android id and the audience parameter set equal to the web client id. Now since in the app you need to use something like that:
String aud = MY_WEB_ID;
GoogleAccountCredential credential = GoogleAccountCredential.usingAudience(context, aud);
I don't understand how the android id is managed because it seems it's never used. I created the android id and in the cloud console I set the package name for the app so the android id is bounded to my app, but it's actually never used, or at least is used in the endpoint but the client never use it. I hope someone can clarify.
The Android ID will be used to identify your app to the backend and not the user itself who will call the endpoint.
The Android ID is related to the certificate which will be used to sign your app. So you will have to create a second Android ID when you want to put your app into the Google Play Store because you will sign your app with the release certificate.
There will be not need to use the Android ID itself in your code.
Related
I was inspecting a Cordova app which makes API Call to a free open REST API. In one of the POST Requests, it sends the Device Id in a JSON Object. The Device ID in the Cordova App is obtained using:
this.device.uuid;
I am planning to build the same app using Java and hence need to access that Device Id in order to make the API Call. I tried to do the same using the following code.
TelephonyManager tManager = (TelephonyManager)getSystemService(Context.TELEPHONY_SERVICE);
String uuid = tManager.getDeviceId();
But I realized I will need to access READ_PRIVILEGED_PHONE_STATE in Manifest file but that could only be accessed with System App and not a third party one. So how's this Cordova App accessing it?
P.S. - There are chances that this.device.uuid; of the Cordova App might not be returning what I am thinking. So, I will just show you the device Id of my phone by which you might be able to figure out what this is and how to access it in Android using Java.
Device Id the Cordova app is getting - 29904bc142b60dce (doesn't change)
The code I mentioned above has now been deprecated. Use the following code:
String device_id = Settings.Secure.getString(this.getContentResolver(), Settings.Secure.ANDROID_ID);
Also, After Android M; there is different Device ID for every other app. This is what I couldn't figure out and was beating my head over. The app that I developed had some other Device Id in comparison with the app I was comparing it with. So do not expect two different apps in the same device to have the same Device ID.
I am trying to implement app links into my app to make sure that other malicious apps cannot register for my URL.
I read the guide on app links here https://developer.android.com/training/app-links/verify-site-associations.html and I have mostly understood it. But one thing which is not clear to me is how can I prevent malicious apps from receiving my domain links if my app is not installed.
Consider this scenario.
1. My app is not installed on the user's device
2. Some malicious app is and it knows the URL that my app handles
Wouldn't this launch the malicious app and it can intercept my URL if the user selects that app from the disambiguation dialog? Is there any way to prevent it?
I understand that android:autoVerify="true" will trigger the domain verification when the app is installed, but what if the app is not installed?
Whether the user has the app installed or not, the "illegal" app won't be able to handle your links since it has not access to your domain in order to save there the needed JSON file. Am I clear?
There is a JSON file that is required during App Link configuration, that has to be uploaded to your server (that includes your app ID), through which your web-app basically says to the Android OS 'this is my counterpart on Android devices, I authorise it to handle these URLs'. Since app IDs are unique, there is no way another app can meet those conditions.
To quote the docs:
An Android App Link is a deep link based on your website URL that has
been verified to belong to your website.
So, although an app may register an <intent-filter> it ALSO has to be verified by the website whose URL it's trying to handle. And this happens on the server, so, out of the reach of a mobile client.
See also HERE for a more detailed explanation.
Scenario: Suppose by reverse engineering a .apk file, an attacker obtains the SENDER ID for Push Registration Service used in an App. The attacker develops a similar fake application which has same/different package name and has been uploaded on a different app store than Google Play.
My question: Can he/she use the same SENDER ID with the app? What are the implications of that for the user who installs that fake application?
Related Questions: google cloud messaging security question seems to be a bit similar. Also answer of Android GCM: same sender id for more application question provides valuable information. Reading both the accepted answers the conclusion seems to be that it is absolutely possible and that's why it is recommended not to have sensitive data in Push Messages.
But that doesn't seem to be the solution to the problem. I am unable to understand the effect of the above security lapse.
A sender ID (aka Google API project ID) is not tied to a unique application package name. In fact, multiple apps can register to GCM using the same sender ID, which will allow the same API key to be used for sending GCM messages to all of these apps. Of course each app will have a different registration ID (even when on the same device).
If someone knows your sender ID, they can register to GCM with that sender ID, but without knowing the API key they won't be able to send GCM messages to either the fake app or the real app. When they register to GCM, GCM receives the package ID of their fake app. Therefore if you send a message to a registration ID of your real app, it won't reach the fake app. In order for the fake app to get messages from your server, it will need to send its own registration ID to your server and fool your server into believing it's the real app. In our server application you have to mention our API key. If you want to send any notifications its needed.
They will not be able to use your GCM Sender ID to publish notifications.
Remember that when you obtained the Sender ID, you have to also submit your application's package name and your release signing key's SHA-1 signature. That signature is bound to the GCM Sender ID so that only applications signed by your release key are able to register and receive GCM notifications.
Google Play will also not allow apps with duplicate package name to be published, so nobody can create a fake app with your package name that is already in the Play store.
However, nothing is 100% secured. I presume a hacker could also figure out your SHA-1 signing key and hack the APK in such a way to fool the system to think the app is signed by your release key. I have seen apps are 'cracked' this way to circumvent Android licensing library. This could potentially fool GCM server to think the fake app is authorized to receive GCM messages. However, the 'cracked' apps are still not allowed to be published to Google Play, so the risk of legitimate users getting it is quite small.
I want to send emails from my app engine application using one of my Google Apps accounts. According to the GAE python docs:
The From: address can be the email address of a registered administrator (developer) of the application, the current user if signed in with Google Accounts, or any valid email receiving address for the app (that is, an address of the form string#appid.appspotmail.com).
So I created a user account on my Google Apps domain, no-reply#mydomain.com, to use for outbound email notifications. However, when I try to add the user as an administrator of the app, it fails with this error:
Unauthorized
You are not authorized to access this application
Is it possible to configure app engine to send emails using a Google Accounts email address?
You must restrict your App Engine app to a Google Apps domain upon initial registration of your App Engine application ID. Unfortunately, this setting can only be set during the initial registration of your app ID.
What you'll need to do is register another application ID, set your authentication option for Google Apps domain, and upload your existing app to the newly registered ID.
Simply going through the "Domain Setup" process in your Dashboard is not enough; you'll only be able to add the app as a service and "host" it using your domain name. To restrict the authorization to your domain only, you'll need to do the first step in the initial registration.
I had also problems adding administrators. In the end, I used a regular gmail account as the sender. Which only works if sending as *#googlemail.com. *.gmail.com fails.
I'm working on an app that communicates with Google App Engine to update and retrieve user information, but I can't think of a way to modify elements in the datastore.
For example, every user for my app is represented by a User object in the datastore. If this user inputs things like email, phone number, etc into fields inside the iPhone application, I want to be able to update those objects in the datastore. The datastore can be in Java or Python, I'm just looking for an idea that will work.
Thanks
Why not have the iPhone application communicate this information to app engine by making a simple HTTP request?
Specifically, I would do an HTTP POST to the server and include the relevant fields. Then your app engine request handler would simply store the information in the datastore.