Scenario: Suppose by reverse engineering a .apk file, an attacker obtains the SENDER ID for Push Registration Service used in an App. The attacker develops a similar fake application which has same/different package name and has been uploaded on a different app store than Google Play.
My question: Can he/she use the same SENDER ID with the app? What are the implications of that for the user who installs that fake application?
Related Questions: google cloud messaging security question seems to be a bit similar. Also answer of Android GCM: same sender id for more application question provides valuable information. Reading both the accepted answers the conclusion seems to be that it is absolutely possible and that's why it is recommended not to have sensitive data in Push Messages.
But that doesn't seem to be the solution to the problem. I am unable to understand the effect of the above security lapse.
A sender ID (aka Google API project ID) is not tied to a unique application package name. In fact, multiple apps can register to GCM using the same sender ID, which will allow the same API key to be used for sending GCM messages to all of these apps. Of course each app will have a different registration ID (even when on the same device).
If someone knows your sender ID, they can register to GCM with that sender ID, but without knowing the API key they won't be able to send GCM messages to either the fake app or the real app. When they register to GCM, GCM receives the package ID of their fake app. Therefore if you send a message to a registration ID of your real app, it won't reach the fake app. In order for the fake app to get messages from your server, it will need to send its own registration ID to your server and fool your server into believing it's the real app. In our server application you have to mention our API key. If you want to send any notifications its needed.
They will not be able to use your GCM Sender ID to publish notifications.
Remember that when you obtained the Sender ID, you have to also submit your application's package name and your release signing key's SHA-1 signature. That signature is bound to the GCM Sender ID so that only applications signed by your release key are able to register and receive GCM notifications.
Google Play will also not allow apps with duplicate package name to be published, so nobody can create a fake app with your package name that is already in the Play store.
However, nothing is 100% secured. I presume a hacker could also figure out your SHA-1 signing key and hack the APK in such a way to fool the system to think the app is signed by your release key. I have seen apps are 'cracked' this way to circumvent Android licensing library. This could potentially fool GCM server to think the fake app is authorized to receive GCM messages. However, the 'cracked' apps are still not allowed to be published to Google Play, so the risk of legitimate users getting it is quite small.
Related
I have apps on Android & iOS, & I need to send push-notifications to them from Java-server.
Please tell me, where can I find guides how to do this? I'm looking GCM & APN for Android.
https://firebase.google.com/
That is what I use for project and I am satisfied with it.
You have all needed tutorials and docs to start working with it.
Overview:
firebase provides You with Admin SDK wich helps You build Data and Notification messages and send it to firebase, firebase then sends it to either iOS or Android if You send it to specific client or to both if You send it to some created topic.
It also have easy to use Android, iOS, JavaScript libs to handle it on client-side.
ofc to get this work with Your server Client must generate notification token from provided google api and send it to Your server to store in DB.
there are some restriction though with push notifications 2kb if I remember correctly and 4kb for data messages keep it in mind when you create your communication architecture :)
I have an application that contains order data . I want to send this to all users of this app as notification.My target is to send Push Notifications to all of the users of my applications. How would I accomplish that?
To begin with your app mush already be using GCM and listening to the correct topic. Otherwise you have to roll out an update with the new GCM feature and hope that all users update it.
If you want to see some code for this take a look at this sample i crated some time ago. What you need to implement from the sample is the "SubscribeTopic" part. And to test if its working you can use this java program.
The good thing about topics is that you don’t need to save the users registration tokens and the message is sent to everyone listening for that exact topic.
Use Apache kafka
The original use case for Kafka was to be able to rebuild a user
activity tracking pipeline as a set of real-time publish-subscribe
feeds. This means site activity (page views, searches, or other
actions users may take) is published to central topics with one topic
per activity type. These feeds are available for subscription for a
range of use cases including real-time processing, real-time
monitoring, and loading into Hadoop or offline data warehousing
systems for offline processing and reporting.
To start with, note that a full GCM implementation requires both a client implementation and a server implementation. Before you can write client apps that use GCM, you must have an application server that meets the following criteria:
Able to communicate with your client.
Able to send properly formatted requests to the GCM connection
server.
Able to handle requests and resend them using exponential back-off.
Able to securely store the API key and client registration tokens.
Note: never include the API key in any client code.
For XMPP, the server must be able to generate message IDs to uniquely
identify each message it sends (GCM HTTP connection server generates
message IDs and returns them in the response). XMPP message IDs
should be unique per sender ID.
Complete documentation, how-to-guides for sending messages and links to examples can be found from Cloud Messaging - Messaging Concepts and Options.
You may also check ANDROID AND GCM – BROADCAST YOURSELF for the tutorial and demonstration on the use of GCM for the broadcast of messages to an Android client from a Tomcat server and use of sending broadcastintents from a service and receiving those broadcastintents from an app's activity.
I am building push notification server for android and web with third party java server. As we know to be a part of this scenario, corresponding android device should get a Registration id for GCM server and share it with third party java server.
Can we move this functionality to third party java server? Specifically, can we obtain a unique registration using third party java server and then assign it to corresponding android app?
can we obtain a unique registration using third party java server and then assign it to corresponding android app?
no, you can't. and actually it does not make any scene, because there are two options:
corresponding app == your app. if that's the case - then nothing stops you from maintaining regId for itself.
corresponding app != your app. it does no make any sense that google will allow any app to register any other app to receive GCM messages without the receiving app permission.
also I believe that what you have in mind is a common mistake:
GCM push != status bar Notification
when understanding that - you relize that it does not make any scense to register apps that not implemented integration with your server, because event if you could (and you can't) send other apps GCM messages - if they did not implemented a broadcast receiver or Service which handles your specific push parameters and trigger it to show notification or something, nothing will happened form itself.
No, that is not possible. Registration IDs are assigned to devices by GCM and there is no functionality to modify this process.
You could create a file on your server that generates a registration id whenever a device registers (But the device should not use GCM) and return it back afterwards. But to do this you also need to create your own "GCM like" library that would work for your server. Well, it may take a while but i think this is possible.
I wonder what are the ways/patterns to detect app uninstallation for any kind of analytics on android? I know the limitations of ACTION_PACKAGE_REMOVED intent - not received by application being removed. I am using flurry at the moment and have also discovered that they do not provide any kind of support for deinstallation events. This type of event is definitely something you want in your analytics but so far have not found any clear solution. Any ideas?
Here's a possible approach. In your Android app, implement support for receiving push messages from Google Cloud Messaging (GGM). Then, implement a server that sends GCM "are you there?" messages to all users at regular intervals (e.g. daily). Google's GCM service will notify your service of all targeted recipients which no longer have your app installed. To correlate uninstall data with other metrics such as app version, user demographics, date of installation, etc, collect that data in your app and supply it to your server when registering for GCM messages. Then when you get notified of an uninstall, match it with the installation data. From there, you could report it to a service like Google Analytics for additional slicing and dicing, graphical visualization, date range comparison, etc.
I currently have an small application that I have been using to learn java/android programming. Right now I have a setup were the app on one phone sends a request (via sms) to another phone running the same app. The remote phone receives the request and sends back some info. Next I would like to try this from the web. Is there an established "best" way to to this?
I was thinking I would have a web server send requests to the device via google cloud messaging and then have the device return the data directly to the web server. (Not that I really know how to do any of that just yet).
I see that there is a google cloud messaging return path (send messages from the device to the google cloud server, but it seems very new, do I need something like that? The main thing I want is to be able to ask the phone to do something when I want, not have it poll to see if there is a request, or just periodically update some status.
UPDATE:
Thanks to the answers below for confirming to me that I was on the right track.
I now have some basic functionality.
I started out using this gcm android demo code
https://code.google.com/p/gcm/source/browse/#git%2Fgcm-client%2Fsrc%2Fcom%2Fgoogle%2Fandroid%2Fgcm%2Fdemo%2Fapp%253Fstate%253Dclosed
and this ruby gem
https://github.com/spacialdb/gcm/blob/master/README.md
between the above two I was able to send a message to my phone pretty easily.
To get the round trip working, I setup a very simple rails app on heroku.
I included a modified version of the sample code in the gcm gem in a controller and then used
HttpPatch (needed for rails 4) to send a post/patch from my phone to my web app, the controller then echoes the message back to my phone.
I guess it would be nice to get the two way gcm stuff to work, but I am not sure there are any gems that handle that, and I am not qualified to handle a task like that :)
I would say it's the right call: Google Cloud Messaging for Android
From the site Android Developer:
This could be a lightweight message telling your app there is new data
to be fetched from the server (for instance, a movie uploaded by a
friend), or it could be a message containing up to 4kb of payload data
(so apps like instant messaging can consume the message directly).
In this case you don't want to fetch data from the server but you want to send them.
You can send them in different ways. I would suggest, since you are learning, to try a RESTful solution using one of the implementation of JAX-RS.
As a short and direct answer for beginner : GCM (Google Cloud Messaging) would solve your issue. However, if your app turned out to be something bigger, other more technical and complicated solutions are present too.
see this link.