Menu
So, I was wondering, since users send their APNS tokens to the APNS provider in order to receive push notifications, should the tokens be encrypted? Is SSL necessary?
From what I figure is that there is no real sensitive data in the token. If someone actually managed to sniff the token from a user, he still would have to obtain my push certificate. And if he managed to do that (he won't ;-)) all he could do is send spam notifications to this particular user. Is that correct? Or did I miss something?
Also, I assume that it's not possible to identify a device (or more importantly, its user) based on an APNS token?
So, I want to assure that, if someone sniffs a push notification registration from one of my clients (the registration contains the APNS token and the information the user is interested in, and the connection is unencryped so everything is readable in plain text) ...
Can I rest assured? Thanks in advance!
645
iMessage makes extensive use of the Apple Push Notification service (APNs). Apple doesn't log the contents of messages or attachments, which are protected by end-to-end encryption so no one but the sender and receiver can access them. Apple can't decrypt the data.
Apple Push Notification service (APNs) must know the address of a user's device before it can send notifications to that device. This address takes the form of a device token unique to both the device and your app.
Apple tokens for Mobile Device Management like APNS certificates, DEP and VPP tokens need a renewal every 365 days. When an APNS certificate has expired you are forced to re-enroll all of your MDM managed apple devices.
0, HTTP/2 is the default protocol for connections to APNs. This means that all mobile device management (MDM) communication, such as remote commands, configuration profiles, applications, and push notifications, is handled by the HTTP/2 protocol.
SSL is almost never a BAD idea. Lack of SSL means your users will be susceptible to all sorts of nastiness like DNS poisoning, man in the middle, or sniffing.
Maybe you're worried about the cost of an SSL cert, or the overhead on your servers? I don't know - but I'm just sayin' - probably worth considering if you're getting paid to provide some service or are collecting personally identifiable information.
Otherwise your points in the post were pretty much right on. The fact is someone would need your push certificate to send out those messages to those users.
Also, I assume that it's not possible to identify a device (or more importantly, its user) based on an APNS token?
Prior to iOS 5, that ID was consistent across all apps - so aggregate stats companies were able to use the ID to identify a specific user somewhat... at least to know "this is the same person". But that changed recently, and it's now a random per-app ID.
178
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
