Looking entirely from the user account perspective, are the following pointers to be followed for the C2DM push system to work?
Manually sign up on https://developers.google.com/android/c2dm/signup and provide the package name of my Android app. Consider the email ID given is: foo@gmail.com
Programmatically register from my Android app using an email ID, foo@gmail.com
From the third-party application server, send push notifications. Generate the authentication token using foo@gmail.com and password.
My question is, is it mandatory to provide the same email ID in all the above places?
Yes. Please go through the links:
https://developers.google.com/android/c2dm/
Sender ID: An email account associated with the application's developer. The sender ID is used in the registration process to identify an Android application that is permitted to send messages to the device. This ID is typically role-based rather than being a personal account; for example, my-app@gmail.com.
http://www.vogella.com/articles/AndroidCloudToDeviceMessaging/article.html
http://android-developers.blogspot.in/2010/05/android-cloud-to-device-messaging.html
http://www.abolkog.com/portal/java-programming/117-android-push-notifications
Company creates a project and receives a sender ID. Company creates an app, bakes in its sender ID and places the app in the store.
Attacker reverse engineers the app and extracts both the sender ID and the server interface used to receive GCM registration IDs.
Attacker creates his own app, bakes in Company's sender ID and server registration interface, puts app in the store. The attack app basically impersonates Company's real app as far as GCM goes: it registers to receive messages from Company's sender ID and then sends its GCM registration ID to Company's servers just like the "real" app does.
Now Company wants to broadcast some information to all instances of its app. Maybe it's a reminder that an update is available. Is there any way to differentiate the "attack app" (which registered just like the real one) from "real" versions of the Company's app?
I think from your scenario it's not possible for the attacker to send a message to the user even if he has the registration ID. The company server which sends the messages needs to authenticate (OAuth2) its account first through Google. So only if the attacker knows the password of the sending party and the registration ID can it send to the user. But the password of the sending party of course is never sent to the client side.
Well, this might even work in a debug version of the attacker's app, but he cannot put his app in the store. Part of the GCM identification is the app ID, which needs to be unique in the store.
The same problem could also have existed with C2DM, where you can sniff the sender email address instead of the project ID for GCM.
C2DM or GCM should never be used to send sensitive user information (i.e. account name, private information, etc.); it's mainly useful for notifications, which the real app can use to perform further actions.
I can't see how useful a notification can be to a 'fake/hack' app; what are they going to do with a 'You have new message' notification?
The GCM Registration ID is requested from Google by the app and submitted to your server. When someone with a different app (but the same sender ID) creates a regid, it still has to be committed to the server, and you first have to explicitly send a message to that specific regid.
An app installation, whether legitimate or not, can never receive messages it is not authorised for. (Provided you declare and use the C2D_MESSAGE permission.)
Actually, Google lets you register a Server Key for GCM, which lets you whitelist server IPs...
So you should add your server IP and you would be safe, since only your server is allowed to send messages with that key.
GCM is safe in this case.
You can't even use your Sender ID in your original app before you register the app in the Google API Console. This means you enter your private key fingerprint in the Google API Console. It's enough.
I would suggest having your own "interim server" which uses the API key (sender ID, as you referred to it), instead of embedding it in the app itself.
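The answers above boil down to two server-side design points: the third-party server decides which registration IDs it messages, and the push payload is only a trigger, never the sensitive data itself. The following is an added example that is not from this thread or from Google's GCM/C2DM code; it models the application server's side of the flow, and the session tokens, account names and registration IDs are constructed sample values.

```python
# Constructed sessions: token -> account authenticated over the app's own
# (non-GCM) channel. In a real server these come from your login flow.
SESSIONS = {"tok-alice": "alice", "tok-mallory": "mallory"}

# Fields that must never be placed in a push payload (hypothetical policy).
FORBIDDEN_KEYS = {"body", "password", "account_email"}


class PushServer:
    """Third-party application server side of the GCM/C2DM flow (hypothetical)."""

    def __init__(self):
        self.regids = {}  # registration ID -> account that submitted it

    def register(self, session_token, regid):
        """Store a registration ID only if it arrives over an authenticated session.

        A cloned app can still register a regid, but only under an account it
        can itself log in to; it cannot attach its regid to a victim's account.
        """
        account = SESSIONS.get(session_token)
        if account is None:
            return False
        self.regids[regid] = account
        return True

    def _payload(self, event, **fields):
        # Push messages are triggers only; the app fetches real data afterwards
        # over its own authenticated connection to the server.
        bad = FORBIDDEN_KEYS & set(fields)
        if bad:
            raise ValueError(f"refusing to push sensitive fields: {sorted(bad)}")
        return {"event": event, **fields}

    def notify(self, account, event, **fields):
        """Send only to registration IDs the server recorded for this account."""
        payload = self._payload(event, **fields)
        return [(r, payload) for r, a in self.regids.items() if a == account]

    def broadcast(self, event, **fields):
        """Goes to every registered instance, clones included, so it must be harmless."""
        payload = self._payload(event, **fields)
        return [(r, payload) for r in self.regids]
```

A clone registered under the attacker's own account receives the "update available" broadcast, which is harmless, but never an account-scoped notification for another user, and the payload filter stops sensitive content from being pushed at all.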
As far as I know, C2DM is a per-app, per-device thing, but my question is, what is the use of the device ID and where do we use the device ID in C2DM?
Device ID is the term used on iPhone, and Registration ID is the term we use on Android.
Registration ID
An ID issued by the C2DM servers to the Android application that allows it to receive messages. Once the application has the registration ID, it sends it to the third-party application server, which uses it to identify each device that has registered to receive messages for a given application. In other words, a registration ID is tied to a particular application running on a particular device.
Note: For a detailed description, follow the link.
The device ID is AFAIK your Google Account.
See "Sender ID":
An email account associated with the application's developer. The sender ID is used in the registration process to identify an Android application that is permitted to send messages to the device. This ID is typically role-based rather than being a personal account; for example, my-app@gmail.com.
The Android C2DM push app that I have developed has the reference of my sender ID (example: "sender@gmail.com") in the application-side code.
Case 1:
When I install this app on an Android device, the device has a Gmail ID "personalid@gmail.com" in Accounts and Sync settings.
The app is registered successfully with C2DM but it does not receive any of the pushed messages.
Case 2:
When I use the same sender ID ("sender@gmail.com") in the Android device's Accounts and Sync, I receive all the messages that I push.
Why is case 1 failing and case 2 (sender ID all through) successful?
Please make sure that you have signed out from the built-in GTalk application on your phone. If you are not signed out from the GTalk app, it will create ambiguity between GTalk and your personal app for messages pushed from the Google server, so it cannot send the message to any app and gives an exception.
For detailed information on push notifications, please check https://developers.google.com/android/c2dm/
The best C2DM tutorial is http://www.vogella.com/articles/AndroidCloudToDeviceMessaging/article.html
This is the way that C2DM works. It makes sense that it works in this way, since it requires the email address for both the registration ID and the authentication token.
When sending a push message, your third-party server uses the registration ID built on (probably) "sender@gmail.com" and an authentication token built on the same email. Google's server looks on your device and tries to find that specific email address account. You can have multiple accounts on the device, but at least one of them has to be the account used to register the device.
Why would Google ask for the email anyway if it wouldn't have mattered? It would have been much easier to use directly the device's unique id.
I want to use C2DM, which will allow my Java server to send data to an Android phone. Since for using C2DM each device needs its Gmail ID, my question is, how can I get the default email associated with the Android phone and use this email in C2DM?
Is it possible to use this email for using C2DM? If yes, then how should I get the default email of the Android phone?
First of all, you cannot get which email is associated with the device, and secondly you don't need the client email; you only need a registered email for sending C2DM notifications, but the condition is that you must have a Gmail account logged in on the Android device.
I think you misunderstand. You do not send C2DM messages to an email address, you send to a RegistrationID that the C2DM library issued to a copy of your application registered on a device. The only email address you need is your sender.
For reference: C2DM documentation
You do not need the user's email for C2DM. The email address you have to specify is an address of yours. Have a look at the chrome2phone source; it is a good example for C2DM: http://code.google.com/p/chrometophone/source/browse/
I am new to C2DM and would like to test it. I have a question about the mobile registration phase. Since we need to use a Google mail account in order to get the registration ID from the C2DM server, is it possible to use the device UUID instead of a Gmail account?
Please advise or correct me if I have any misunderstanding.
Thanks
Alex
No, you must use the Google mail account you used to register. So it kind of becomes your API key for C2DM. That email address is also used in contacting the Google server when sending the actual notifications, as a trust indicator between you and Google.
You had better use a separate Gmail address, not your personal Gmail and also not your mobile UUID (Universally Unique IDentifier). You have to use this email address in two different locations: one in your Android application and the other in your third-party server. This email ID is important in the registration process, which means registering the mobile phone that runs our C2DM-enabled Android app with the C2DM server. The Google documentation explains the mobile implementation side very well, but less so the server implementation side :-(