We have an app that uses FCM (ex GCM) for push messaging and notification on Android devices.
We have an use case where the app won't have open access to Google Play Services as it will be deployed on a corporate network - well it is a "everything closed except fixed servers with fixed IP addresses and ports" firewall. Direct connection to these services will not be allowed, but we can provide our own http/s or socks proxy to access whatever we want.
To my latest knowledge and searches on SO, even if you specify a proxy on android, the proxy will only be used if your app is set up to use it (no problem), but Google Play Services and Firebase will just ignore the proxy setting.
Has this changed? Can Firebase/FCM/Google play services run through the proxy specified in Android? And if so, from which android version?
Thank you,
Nicolas
Here is the latest info from the firebase support (short answer: no)
"
Unfortunately, Firebase Cloud Messaging is currently not designed to support a Proxy and does not attempt to address all network conditions. An alternative is to whitelist FCM to not go through a proxy at all. You should whitelist all of the IP addresses in the IPv4 and IPv6 blocks listed in Google's ASN of 15169. For more information regarding FCM ports, please refer to this documentation.
https://firebase.google.com/docs/cloud-messaging/concept-options#ports_and_your_firewall
"
If any has ideas of workarounds, please feel free to share them :)
Thanks,
Nicolas
Related
My app has to receive push-notifications and right now am getting SERVICE_NOT_AVAILABLE after GoogleCloudMessaging.register() call.
My client has a strict firewall in his office and he doesn't have access to Google Play Services. I need to provide him a list of all URL's that Google Play services needs access to, so he can add it to white list.
So far there's only one url in my list: googleapis.com
I didn't find any information on this subject, so I will appreciate any help.
Looking at the documentation for GCM, it seems this is your answer:
Note: If your organization has a firewall that restricts the traffic to or from the Internet, you need to configure it to allow connectivity with GCM in order for your Android devices to receive messages. The ports to open are: 5228, 5229, and 5230. GCM typically only uses 5228, but it sometimes uses 5229 and 5230. GCM doesn't provide specific IPs, so you should allow your firewall to accept outgoing connections to all IP addresses contained in the IP blocks listed in Google's ASN of 15169.
Update with FCM
Official doc for firewall handling
Doing the interception of the requests of google services API, we can see the used hostname is : 1e100.net
And is described on google support : In October 2009, we started using a single domain name to identify our servers across all Google products, rather than use different product domains such as youtube.com, blogger.com, and google.com.
We have built an Android app which uses Firebase for user authentication. Our (large enterprise) client is planning to deploy it behind their firewall. During initial testing, the authentication stage fails whenever we are using their network. It does work on an open network.
I am trying to find out what firewall configuration is needed to use the firebase authentication API, but I cannot find anything in the docs. I know that the firewall allows port 80 and 443 for outgoing connections. I am assuming that no specific IPs are blacklisted. Ports 5228-5230 (which would be required for FCM) are not opened yet, as we are currently not using push notifications. I am wondering if this is the issue. However, all references I can find (usually inofficial ones on stackoverflow) insist that the firebase authentification happens via https and only 443 should be needed.
Is anyone able to verify this and perhaps provide the documentation which details this?
My app has to receive push-notifications and right now am getting SERVICE_NOT_AVAILABLE after GoogleCloudMessaging.register() call.
My client has a strict firewall in his office and he doesn't have access to Google Play Services. I need to provide him a list of all URL's that Google Play services needs access to, so he can add it to white list.
So far there's only one url in my list: googleapis.com
I didn't find any information on this subject, so I will appreciate any help.
Looking at the documentation for GCM, it seems this is your answer:
Note: If your organization has a firewall that restricts the traffic to or from the Internet, you need to configure it to allow connectivity with GCM in order for your Android devices to receive messages. The ports to open are: 5228, 5229, and 5230. GCM typically only uses 5228, but it sometimes uses 5229 and 5230. GCM doesn't provide specific IPs, so you should allow your firewall to accept outgoing connections to all IP addresses contained in the IP blocks listed in Google's ASN of 15169.
Update with FCM
Official doc for firewall handling
Doing the interception of the requests of google services API, we can see the used hostname is : 1e100.net
And is described on google support : In October 2009, we started using a single domain name to identify our servers across all Google products, rather than use different product domains such as youtube.com, blogger.com, and google.com.
Wonder if anyone here happen to know the ip range of google's gcm server (for android push notification)?
I need the information so that our network team can open the firewall port for our UAT environment for incoming UAT test.
I tried to lookup from developer.android.com/google/gcm/ but no luck.
Our network team refused to open all ip range from asn 15169 which is a rather huge list.
I think there is an existing question IP address for Google Cloud Messaging server and the person found out that those are not published by Google. I also tried to look for it once but couldn't find. I might be wrong but I am pretty sure they don't publish that. Maybe instead of using corporate wifi, you can use direct 3G or 4G data plan.
In a comment on why GCM is not giving push notification in android device? question someone has mentioned that He opened the ports 5258,29,30 and then he was able to receive the regId from GCM server behind firewall.
Also I think the answer by #Eran on Which port and protocol does Google Cloud Messaging (GCM) use? will be of help. It says:
The device accesses the GCM servers on ports 5228-5230. If your organization has a firewall that restricts the traffic to or from the Internet, you'll need to configure it to allow connectivity with GCM. The ports to open are: 5228, 5229, and 5230. GCM typically only uses 5228, but it sometimes uses 5229 and 5230. GCM doesn't provide specific IPs. It changes IPs frequently. We recommend against using ACLs but if you must use them, take a broad approach such as the method suggested in this support link.
This is relevant if your device is connected to the internet via WiFi.
Hope this helps a bit.
Update:
As per Mark Whitaker answer to a similar question here, he mentions that:
Newer versions of Android also fall back to port 443 if ports 5228-5230 are blocked by a firewall.
Although there doesn't seem to be an official list still.
To add to what Shobhit Puri already said, I've also tried to find the answer to this question to be able to poke the appropriate holes in my firewall and am extremely disappointed with Google after concluding that the IP address used for Google Cloud Messaging is not obtained using a DNS request, or are obtained using DNS requests that subvert the Always On VPN functionality in Android.
By using the Always On VPN function in later versions of Android, I made sure that all traffic went through one of my servers. This also allowed me to use that server as a DNS Resolver and by activating query logging and rebooting the phone I was able to get a list of all of the DNS requests that it makes. Then, with some scripting magic I checked all of them, but none of them resolved to the IP address(es) that show up in my firewall logs with outbound port 5228 drops.
This leads me to conclude that the IP addresses used for GCM are obtained using a method other than DNS, such as Google Play Store web traffic.
Edit (Solution?): After running a script through all of my firewall logs going back as far as I have them and pulling out all of the dstport 5228 entries, I've been able to compile a list of IP addresses that GCM has tried to connect to. I can't say that this is a complete list, it will likely change based on geographic location, but notice the pattern...
74.125.28.188
74.125.129.188
74.125.20.188
173.194.79.188
74.125.142.188
74.125.192.188
74.125.140.188
74.125.139.188
74.125.137.188
74.125.134.188
74.125.130.188
173.194.68.188
173.194.76.188
I've created a group for all of those IP addresses and have configured my firewall to use that for my GCM whitelist. I have also setup a report to check for any dstport 5228 drops to let me know if I ever need to revisit this.
There is a Google+ mobile application for Android. To receive all the information it must be using some API.
How I can retrieve this information from my phone and see from where this app is getting data? I'd love to access it myself and see how it works.
You are talking about "reverse engineering" a network protocol.
Full sniffing
Get a market enabled emulator: How to install Android Market App on the emulator?
Get a network sniffer: tcpdump, wireshark, ...
Start to sniff what's going over the wire
http://www.thoughtcrime.org/software/sslstrip/ - an ssl stripping proxy
Inject your ca: http://www.mcbsys.com/techblog/2010/12/android-certificates/
This should, in theory, enable you to sniff any https or plain text connection.
Already available APIs
I would not try to hijack the connection. There is already a contacts API, it's called xmpp. You should be able to use the talk integration to pull your friend list.
Future APIs
You may also want to sign up for the upcoming API.
UPDATE
It appears that the Android client uses (at least partially) XMPP. The regular client requires an open XMPP connection and you can see a "RealTimeChat" in your logcat. It looks like the connection is encrypted because you get a "TLS required" message (the client seems to go through the XMPP connection states). I'm not sure if that's used for client based posts or just for server push. You can see the open connections with the help of "netstat". The connection goes away when google plus terminates.
I'd thus expect the API to be really open once released (or rev.eng).
UPDATE 2 (06. Jul. 2011)
Hangout is build on XMPP/MUC+JINGLE (muc == multiuser chat, jingle is roughly a SIP alternative on top of XMPP). And yes, they'll release the the details of it :-)
UPDATE 3 (06. Jul. 2011)
Multiple XMPP components for gtalk/gplus have been revealed by reading the JS code. It also emphasizes that they have build a great deal of features on XMPP.
They haven't launched the API yet. If there is something you want to build on Google+, they encourage you to signup here: https://services.google.com/fb/forms/plusdevelopers/
The API hasn't been released yet. Heck, the product hasn't even been released yet. Thats like developing a video game for playstation 5.
Yes it is. Its coming "soon" read :: http://www.webpronews.com/api-coming-soon-for-google-plus-2011-07