Google Cloud Messaging security

Company creates a project and receives a sender ID. Company creates an app, bakes in its sender ID and places the app in the store.

Attacker reverse engineers the app and extracts both the sender ID and the server interface used to receive GCM registration IDs.

Attacker creates his own app, bakes in Company's sender ID and server registration interface, puts app in the store. The attack app basically impersonates Company's real app as far as GCM goes: it registers to receive messages from Company's sender ID and then sends its GCM registration ID to Company's servers just like the "real" app does.

Now Company wants to broadcast some information to all instances of its app. Maybe it's a reminder that an update is available. Is there any way to differentiate the "attack app" (which registered just like the real one) from "real" versions of the Company's app?

jph asked Jul 05 '12 21:07


1 Answer

I think from your scenario it's not possible for the attacker to send a message to the user even if he has the registration ID. The company server which sends the messages needs to authenticate (OAuth2) their account first through Google. So only if the attacker knows the password of the sending party and the registration ID can it send to the user. But the password of the sending party is of course never sent to the client side.

Raz answered Sep 30 '22 06:09