I have an open source public application that uses GCM push notifications. To register for push, the sender ID is placed into the source code. Is it OK for this sender ID to be exposed publicly? Is sender ID suppose to be kept private? Is there anything bad anyone can do with my sender ID if exposed?
It is fine to expose sender id because it has no meaning without serverkey.
A sender ID is not tied to a unique application package name. In fact, multiple apps can register to GCM using the same sender ID, which will allow the same API key to be used for sending GCM messages to all of these apps. Of course each app will have a different registration ID (even when on the same device).
If someone knows your sender ID, they can register to GCM with that sender ID, but without knowing the API key they won't be able to send GCM messages to either the fake app or the real app. When they register to GCM, GCM receives the package ID of their fake app. Therefore if you send a message to a registration ID of your real app, it won't reach the fake app.
leave it Protected and also try to keep the API key and as well as your server details.
More reference
1
This question stems from not knowing what each of these keys do. This information is relevant for Firebase Cloud Messaging, which replaced GCM.
FCM sender ID
The FCM Sender ID is actually the Firebase project number 😂. To check it yourself, you can compare project_info.project_number in google-services.json/ Firebase project settings page with the sender ID.
It is used by Android clients to identify which application (Firebase project) to register for FCM with, so it makes sense.
It is available in the google-services.json which is not sensitive.
The worst thing a user can do if they know your sender ID is they can register for push notifications from you.
FCM Server key
The FCM server key is sensitive, because it allows users to send push notifications to the devices which have registered.
Related
I am curious to know if there might be any conflicts when using a 3rd party library for push notifications (such as Parse in this case) along side a separate GCM implementation for the same app?
At startup I can see (by routing all broadcasts through the same receiver) that Parse receives a GCM registrationToken ("A") that is different from the registrationToken ("B") I receive when calling GoogleCloudMessaging.register(SENDER_ID) for my separate "GCM client implementation". Which is all good as long as I know for sure that Parse doesn't use regToken B somehow (depending on which broadcast message is sent first?).
Can I be sure that GoogleCloudMessaging.register(SENDER_ID) only returns the registrationToken connected to my SENDER_ID, and not accidentally to the default sender_id that Parse use for its registration since both registrations are initiated at startup?
Parse's GCM registration process is totally behind the scene. If you use a different sender ID, you might get a different registration ID. You can still use the registration ID for your own server, even Parse uses the same registration ID. From the GCM official documentation, it states Multiple parties can send messages to the same app with one common registration ID.
You do not need to supply a sender ID to Parse for GCM registration. You just need to register the required service and broadcast receivers in your Android manifest file. Please see this link for more information: https://parse.com/tutorials/android-push-notifications
For GCM, it needs sender id, registration id and application id etc to complete the registration process. For more information about GCM registration, please see this link: https://developer.android.com/google/gcm/gcm.html#register and this one about the manifest file in GCM: https://developer.android.com/google/gcm/client.html#manifest
I m using GCM(Google Cloud Messaging) service to send Push notifications to my android apps device. How many devices can i registered with SINGLE SENDER ID?
You can use any number of devices, as well as you can use same Sender ID for different applications.
From the docs: The sender ID is used in the registration process to identify a 3rd-party application server that is permitted to send messages to the device.
So,
Sender ID idenitifies your server.
Application ID identifies each app.
Registration ID identifies each device.
For more information visit http://developer.android.com/google/gcm/gcm.html
I have many application on android. And some users are share the same register ID. How can I specify and send the push notification to a specific app?
Different applications have different registration ids on the same device, so you shouldn't have any problem. What do you mean by users are share the same register ID? Do you mean users of the same application on the same device? That's the only case where they can share a registration ID.
Even if you use the same Google API project ID when you register the different Apps for Google Cloud Messaging, you'll still get a different registration ID for each app. I tested it.
If you cannot change the registration ID process to uniquely identify you applications (the best solution), you can send a payload with your GCM message and have your application ignore GCM messages without a specific payload.
Company creates a project and receives a sender ID. Company creates an app, bakes in its sender ID and places the app in the store.
Attacker reverse engineers the app and extracts both the sender ID and the server interface used to receive GCM registration IDs.
Attacker creates his own app, bakes in Company's sender ID and server registration interface, puts app in the store. The attack app basically impersonates Company's real app as far as GCM goes: it registers to receive messages from Company's sender ID and then sends its GCM registration ID to Company's servers just like the "real" app does.
Now Company wants to broadcast some information to all instances of its app. Maybe it's a reminder than an update is available. Is there any way to differentiate the "attack app" (which registered just like the real one) from "real" versions of the Company's app?
I think from your scenario it's not possible for the attacker to send a message to the user even if he has the registration id. The company server which sends the messages they need to authenticate (OAuth2) there account first through Google. So only if the attacker knows the password of the sending party and the registration id than it can send the user. But the password of the sending party of course is never send to the client side.
well, this might even work in a debug version of the attackers app, but he can not put his app in the store. part of the GCM identification is the app id which needs to be unique in the store.
The same problem could also have existed with C2DM, which you can sniff the sender email address, instead of project ID for GCM.
C2DM or GCM, should never be used to send sensitive user information (i.e. account name, private information, etc), it's mainly useful for notification, which the real app can use it to perform further actions.
I can't see how useful a notification can be to a 'fake/hack' app, what are they going to do with 'You have new message' notification?
The GCM Registration ID is requested by Google, requested from the app and submitted to your server. When someone with a different app (but the same sender ID) creates a Regid, it still has to be committed to the server, and you first have to explicitly send a message to that specific regid.
An app installation, whether legitimate or not, can never receive messages it is not authorised for. (Provided you declare and use the C2D_MESSAGE permission)
Actually, google let's you register a Server Key for GCM, which lets you White-List Server IP's...
So you should add your server IP and you would be safe, since only your server is allowed to send messages with that key.
GCM is safe in this case.
You even can't use your Sender ID in your original app before you register the app in GoogleApiConsole. This means you point private key fingerprint in GoogleApiConsole. It's enough.
I would suggest having your own "interim server" which uses the API key (sender ID as you referred to it). Instead of embedding it in the app itself.
To use C2DM for my application i registered new Gmail account with Google as a Sender account.
Now i am confused that how to get RegistrationID for my device and how to associate it with the Sender account. i want to install this application on multiple Andorid phones so do i need unique RegistrationID for each Android phone .
There are two sides to C2DM:
Your server stores registration IDs for the users. It requests n auth code from Google's servers (using ClientLogin) and then uses that auth code to send push messages.
Your Android app requests a registration ID from Google's servers. It is sent one over C2DM. It sends it to the server, to be stored there (so messages can be sent to it).
This tutorial describes it all in detail, with code:
http://www.vogella.de/articles/AndroidCloudToDeviceMessaging/article.html
A registration ID is like the address on a postal envelope - it describes where a push message is to be sent, the destination. So yes, you need one for each device. Registration IDs are actually assigned to a specific app (name space) on a specific device.
If you have added the boiler plate C2DM code from http://code.google.com/android/c2dm/ ,when the app registers, it will recieve a registration id , which you have to save it in a database on your server. The registration id can change so you have to notify the server, every time it changes.
To get the registraton id use
C2DMessaging.register(this, "email id");