I have many applications on Android, and some users share the same register ID. How can I specify and send the push notification to a specific app?
Different applications have different registration ids on the same device, so you shouldn't have any problem. What do you mean by users sharing the same register ID? Do you mean users of the same application on the same device? That's the only case where they can share a registration ID.
Even if you use the same Google API project ID when you register the different Apps for Google Cloud Messaging, you'll still get a different registration ID for each app. I tested it.
If you cannot change the registration ID process to uniquely identify your applications (the best solution), you can send a payload with your GCM message and have your application ignore GCM messages without a specific payload.
I have an open source public application that uses GCM push notifications. To register for push, the sender ID is placed into the source code. Is it OK for this sender ID to be exposed publicly? Is sender ID supposed to be kept private? Is there anything bad anyone can do with my sender ID if exposed?
It is fine to expose sender id because it has no meaning without the server key.
A sender ID is not tied to a unique application package name. In fact, multiple apps can register to GCM using the same sender ID, which will allow the same API key to be used for sending GCM messages to all of these apps. Of course each app will have a different registration ID (even when on the same device).
If someone knows your sender ID, they can register to GCM with that sender ID, but without knowing the API key they won't be able to send GCM messages to either the fake app or the real app. When they register to GCM, GCM receives the package ID of their fake app. Therefore if you send a message to a registration ID of your real app, it won't reach the fake app.
Leave it protected and also try to keep the API key as well as your server details.
This question stems from not knowing what each of these keys does. This information is relevant for Firebase Cloud Messaging, which replaced GCM.
FCM sender ID
The FCM Sender ID is actually the Firebase project number 😂. To check it yourself, you can compare project_info.project_number in google-services.json/ Firebase project settings page with the sender ID.
It is used by Android clients to identify which application (Firebase project) to register for FCM with, so it makes sense.
It is available in the google-services.json which is not sensitive.
The worst thing a user can do if they know your sender ID is they can register for push notifications from you.
FCM Server key
The FCM server key is sensitive, because it allows users to send push notifications to the devices which have registered.
I'm new to GCM. I would like to send a message to all devices that have the app installed. I read about registration_id: after the first connection to GCM, Google sends this unique string to the device. I'm a beginner in the server world, but if I'm not mistaken, on the server side, to send a notification to devices I have to send an array of registration_ids and the message to Google.
Google knows who has the registration id?
Is there a way to send messages to all devices without passing the registration ids?
Thank you.
With GCM 3.0 it's now possible to send a notification to all devices thanks to topics support. The app must subscribe to one or more topics and the server can send notifications to that topic without specifying individual devices.
https://developers.google.com/cloud-messaging/topic-messaging
You can subscribe all devices to a topic called "global" and then send the message to "/topics/global" instead of sending them to all the registration_ids.
Is there a way to send messages to all devices without passing the registration ids?
No way.
After successfully registering on GCM, you (the Android application) should send the registration id to your application server and store them somewhere, in a database for example. This registration id will be used to send a notification to a particular device.
Sending a notification to all devices would then mean selecting all the registration ids from that database and, as you said, putting them in an array and passing them on to GCM.
Update: With Firebase Cloud Messaging, it is now possible to use https://firebase.google.com/docs/cloud-messaging/android/topic-messaging to send notifications without explicitly specifying registration IDs.
You need to send the list of reg ids of devices, and this list should not exceed 1000. This is a limitation of GCM. If you want to send a message to more than 1000 devices, then you need to break the list into chunks of 1000.
YES, there is a way to send a message to all!
Just send the '/topics/global' value in the 'to' field, rather than the ids in the 'registration_ids' field.
For example in php:
'to' => "/topics/global",
and not this:
'registration_ids' => $this->devices
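An added example, not taken from any of the answers above, of the two broadcast shapes they describe: the 'to' => '/topics/global' form, and the 'registration_ids' form split into chunks of at most 1000. The function name, the sample registration IDs and the data payload are constructed for illustration.

```python
import json

GCM_MAX_RECIPIENTS = 1000  # per-request limit on registration_ids quoted above


def build_broadcast_requests(data, registration_ids=None, topic=None):
    """Return the JSON bodies an app server would send for one broadcast.

    Pass either a topic name (one request using the 'to' field) or a list of
    registration IDs (split into batches using the 'registration_ids' field).
    The API/server key that authorises the send stays on the server and is
    deliberately not part of these bodies.
    """
    if (topic is None) == (registration_ids is None):
        raise ValueError("give exactly one of topic or registration_ids")

    if topic is not None:
        return [json.dumps({"to": "/topics/" + topic, "data": data})]

    # Drop blanks and duplicates (keeping order) so that a device which
    # re-sent its ID to the server is not messaged twice.
    seen, unique = set(), []
    for rid in registration_ids:
        if rid and rid not in seen:
            seen.add(rid)
            unique.append(rid)

    bodies = []
    for start in range(0, len(unique), GCM_MAX_RECIPIENTS):
        batch = unique[start:start + GCM_MAX_RECIPIENTS]
        bodies.append(json.dumps({"registration_ids": batch, "data": data}))
    return bodies


if __name__ == "__main__":
    # Constructed sample: 2500 fake IDs plus one duplicate and one blank.
    ids = ["regid-%04d" % i for i in range(2500)] + ["regid-0000", ""]
    payload = {"message": "update available"}
    for body in build_broadcast_requests(payload, registration_ids=ids):
        print(len(json.loads(body)["registration_ids"]), "recipients")
    print(build_broadcast_requests(payload, topic="global")[0])
```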
Create the notification_key, which identifies the device group by mapping a particular group to all of the group’s associated registration tokens (you can create notification keys on the app server).
With a notification_key, instead of sending one message to one registration token at a time, the app server can send one message to the notification_key, and GCM then sends the message to all of the group’s registration tokens.
Also note that maximum number of members allowed for a notification_key is 20.
Google Dev site has added a new guide for this topic in particular.
https://developers.google.com/cloud-messaging/notifications#sending_downstream_messages_to_device_group
I think there is a confusion here. I had used the github sample code (app server in Java deployed to Tomcat for example) and Android app. There, I didn't "pass" or "send" any registration Id to the app server. It called the relevant APIs to retrieve the registration IDs and use them to send notifications. Why is every thread about GCM registration ID saying that one needs to pass registration IDs to 3rd party app server? I am afraid I don't agree. I think 3rd Party app server can query GCM server itself to find out which devices have registered to receive notification from a particular sender (sender id). Having to manually pass the registration IDs to 3rd party app server defeats the whole purpose of automating the process. Maybe I am missing something here or I am using the deprecated content. Anyway, how can an automated process involve manual intervention once it starts?
Company creates a project and receives a sender ID. Company creates an app, bakes in its sender ID and places the app in the store.
Attacker reverse engineers the app and extracts both the sender ID and the server interface used to receive GCM registration IDs.
Attacker creates his own app, bakes in Company's sender ID and server registration interface, puts app in the store. The attack app basically impersonates Company's real app as far as GCM goes: it registers to receive messages from Company's sender ID and then sends its GCM registration ID to Company's servers just like the "real" app does.
Now Company wants to broadcast some information to all instances of its app. Maybe it's a reminder that an update is available. Is there any way to differentiate the "attack app" (which registered just like the real one) from "real" versions of the Company's app?
I think from your scenario it's not possible for the attacker to send a message to the user even if he has the registration id. The company server which sends the messages needs to authenticate (OAuth2) its account first through Google. So only if the attacker knows the password of the sending party and the registration id can he then send to the user. But the password of the sending party of course is never sent to the client side.
Well, this might even work in a debug version of the attacker's app, but he cannot put his app in the store. Part of the GCM identification is the app id, which needs to be unique in the store.
The same problem could also have existed with C2DM, which you can sniff the sender email address, instead of project ID for GCM.
C2DM or GCM, should never be used to send sensitive user information (i.e. account name, private information, etc), it's mainly useful for notification, which the real app can use it to perform further actions.
I can't see how useful a notification can be to a 'fake/hack' app, what are they going to do with 'You have new message' notification?
The GCM Registration ID is requested by Google, requested from the app and submitted to your server. When someone with a different app (but the same sender ID) creates a Regid, it still has to be committed to the server, and you first have to explicitly send a message to that specific regid.
An app installation, whether legitimate or not, can never receive messages it is not authorised for. (Provided you declare and use the C2D_MESSAGE permission)
Actually, Google lets you register a Server Key for GCM, which lets you whitelist server IPs...
So you should add your server IP and you would be safe, since only your server is allowed to send messages with that key.
GCM is safe in this case.
You can't even use your Sender ID in your original app before you register the app in GoogleApiConsole. This means you point private key fingerprint in GoogleApiConsole. It's enough.
I would suggest having your own "interim server" which uses the API key (sender ID as you referred to it), instead of embedding it in the app itself.
The Android C2DM push app that I have developed has the reference of my sender id (example: "sender#gmail.com") in the application side code.
Case 1:
When I install this app on a Android device, the device has a gmail id as "personalid#gmail.com" in Accounts and Sync settings.
App is registered successfully with C2DM but it does not receive any of the pushed messages.
Case 2:
When I use the same sender id ("sender#gmail.com") in the Android device's Accounts and Sync, I receive all the messages that I push.
Why is case 1 failing while case 2 (sender id all through) is successful?
Please make sure that you have signed out from the built-in gtalk application of your phone. If you are not signed out from the gtalk app, it will create ambiguity between gtalk and your personal app for messages pushed from the Google server, so it cannot send the message to any app and gives an exception.
For detailed information on push notifications, please check https://developers.google.com/android/c2dm/
The best C2DM tutorial is http://www.vogella.com/articles/AndroidCloudToDeviceMessaging/article.html
This is the way that C2DM works. It makes sense that it works in this way since it requires the email address for both the registration id and authentication token.
When sending a push message, your third party server uses the registration id built on (probably) "sender#gmail.com", and authentication token built on the same email. Google's server looks on your device and tries to find that specific email address account. You can have multiple accounts on the device, but at least one of them has to be the account used to register the device.
Why would Google ask for the email anyway if it wouldn't have mattered? It would have been much easier to use directly the device's unique id.
I am new to C2DM. I have a few questions about the C2DM registration ID.
I have installed the same C2DM mobile app on two devices. Will I need two registration IDs for the two devices, or do we need one registration ID for the mobile client?
My requirement is that I have to install the client app on two devices and I need to notify both devices at the same time when I change data on the server.
Please suggest a registration ID implementation.
Each device can register separately and will receive a separate registration id. When it's received, you'll send the registration id to your application server.
However the registration id is stored on your server, you'll want to send separate notifications for each device that you want to receive a notification (as identified by its registration id).