C2DM Mobile Registration Phase - android

I am new to C2DM and would like to test. I have a question about the mobile registration phase. Since we need to use a Google mail account in order to get the registration ID from the C2DM server, is it possible to use the device UUID instead of a Gmail account?
Please advise or correct me if I have any misunderstanding.
Thanks
Alex

No, you must use the Google mail account you used to register. So it kinda becomes your API key for C2DM. That email address is also used in contacting the Google server when sending the actual notifications as a trust indicator between you and Google.

You better use a separate Gmail address, not your personal Gmail and also not your mobile UUID (Universally Unique IDentifier). You have to use this email address in two different locations. One is in your Android application and the other one in your third party server. This email ID is important in the registration process. Which means the mobile phone which runs our C2DM-enabled Android app with the C2DM server. The Google documentation explains very well about the mobile implementation side but less with the server implementation side :-(

Related

Can I use Google Cloud Messaging for two step verification?

We are developing an app that requires the users to be connected to the internet either via WiFi or via 4G or 3G.
Can we use GCM, Google Cloud Messaging, to register and verify a user instead of SMS ?
That is, we are trying to find an alternative to text message or SMS, for sending a verification code to the user, similar to the way that apps like WhatsApp do.
If you want to provide 2 step authentication for users of your website, certainly GCM is a very good option. Create a table that links GCM ids to user ids. You will of course need to write a bit of code to handle GCM registration id changes.
If you want to provide 2 step authentication for users of your Android app, GCM certainly isn't a good option. Why? Because the 2 step authentication should involve a different device.
You can also try Google Authenticator app. No need for SMS when you use it.

google cloud messaging security

Company creates a project and receives a sender ID. Company creates an app, bakes in its sender ID and places the app in the store.
Attacker reverse engineers the app and extracts both the sender ID and the server interface used to receive GCM registration IDs.
Attacker creates his own app, bakes in Company's sender ID and server registration interface, puts app in the store. The attack app basically impersonates Company's real app as far as GCM goes: it registers to receive messages from Company's sender ID and then sends its GCM registration ID to Company's servers just like the "real" app does.
Now Company wants to broadcast some information to all instances of its app. Maybe it's a reminder that an update is available. Is there any way to differentiate the "attack app" (which registered just like the real one) from "real" versions of the Company's app?
I think from your scenario it's not possible for the attacker to send a message to the user even if he has the registration id. The company server which sends the messages needs to authenticate (OAuth2) their account first through Google. So only if the attacker knows the password of the sending party and the registration id then it can send to the user. But the password of the sending party of course is never sent to the client side.
Well, this might even work in a debug version of the attacker's app, but he cannot put his app in the store. Part of the GCM identification is the app id, which needs to be unique in the store.
The same problem could also have existed with C2DM, which you can sniff the sender email address, instead of project ID for GCM.
C2DM or GCM, should never be used to send sensitive user information (i.e. account name, private information, etc), it's mainly useful for notification, which the real app can use it to perform further actions.
I can't see how useful a notification can be to a 'fake/hack' app, what are they going to do with 'You have new message' notification?
The GCM Registration ID is requested by Google, requested from the app and submitted to your server. When someone with a different app (but the same sender ID) creates a Regid, it still has to be committed to the server, and you first have to explicitly send a message to that specific regid.
An app installation, whether legitimate or not, can never receive messages it is not authorised for. (Provided you declare and use the C2D_MESSAGE permission)
Actually, Google lets you register a Server Key for GCM, which lets you white-list server IPs...
So you should add your server IP and you would be safe, since only your server is allowed to send messages with that key.
GCM is safe in this case.
You even can't use your Sender ID in your original app before you register the app in GoogleApiConsole. This means you point private key fingerprint in GoogleApiConsole. It's enough.
I would suggest having your own "interim server" which uses the API key (sender ID as you referred to it). Instead of embedding it in the app itself.

C2DM - Device and third party server email accounts query

Looking entirely from the user account perspective, are the following pointers to be followed for the C2DM push system to work?
Manually sign up on https://developers.google.com/android/c2dm/signup and provide package name of my android app. consider emailId given is: foo@gmail.com
Programmatically Register from my android app using an email id, foo@gmail.com
From the third party application server send push notifications. Generate the authentication token using foo@gmail.com and password.
My question is, is it mandatory to provide the same emailId in all the above places?
Yes. Please go through the links
https://developers.google.com/android/c2dm/
Sender ID: An email account associated with the application's developer. The sender ID is used in the registration process to identify an Android application that is permitted to send messages to the device. This ID is typically role-based rather than being a personal account — for example, my-app@gmail.com.
http://www.vogella.com/articles/AndroidCloudToDeviceMessaging/article.html
http://android-developers.blogspot.in/2010/05/android-cloud-to-device-messaging.html
http://www.abolkog.com/portal/java-programming/117-android-push-notifications

Architecture of app which use C2DM and installed on several Android phones

I am developing Android app for a company which has thousands of Employees and all of them will use this app and company will be able to track all employees through the app.
One feature of my app is to send data from the server to Android. For this I am using C2DM. Since C2DM requires an active Gmail account on each device, all of the employees need to create a Gmail account and sign in to that account to use my app (this is my understanding of the problem), but my client (the company manager) doesn't want to have the employees create Gmail accounts.
In your opinion, what would be best for me? Do I continue to develop in C2DM or should I use some other mechanism?
I am stuck in this problem
Any help is appreciated. Thanks
Before you go too far, please note that the C2DM service is not for sending "data" to the client/phone. It's meant for notifications. The payload is limited to 1024 bytes. When you receive a notification, you should then establish a connection with your server and pull the data.
If your organization is using Google Apps, the domain administrator can programmatically provision accounts for all the users.

C2DM - How to push messages to several devices with one sender ID?

I have one single Gmail account signed up for C2DM.
What I would like is that my app, thanks to this account (after having requested registration IDs and auth tokens for each device), could be able to provide messages to all the devices in which the app is installed.
I want to know if it is possible to use C2DM in this way..
Thanks a lot
(for any details, just ask me.. )
PS: I made C2DM work on the emulator, but of course I cannot try what is written above because I would need several phones..
Going off your question and comments, it sounds like you're just wondering if you can send c2dm notifications to an indeterminate number of devices using only one sender id.
That is exactly the way c2dm is supposed to work. You create one sender id to use on your backend servers, and that sender id is used in your app to register for c2dm notifications. Your backend then gathers all registration ids and uses your one sender id to push notifications to interested parties.
If I understood your issue correctly, the answer is: you can't.
You will have to send one http request, to google servers, for each device you want to reach.
There's no way to broadcast a message to all the users who have registered to your service.
It's frustrating because in my case I send a newsletter to all my users, so opening a connection to millions of users is expensive.
To solve the scalability issue I have created a simple appengine map-reduce task that loops through all the user registrations and creates the http connection to the google services. It's the fastest you can go because it dynamically instantiates new servers for your delivery needs.
C2DM has been deprecated. GCM has replaced it, and it allows you to send messages to 1000 devices with one HTTP POST.
C2DM->GCM Migration Guide:
http://developer.android.com/guide/google/gcm/c2dm.html
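
An added example (not code from any of the posts above) that ties together two points made on this page: sending to at most 1000 registration IDs per HTTP POST, and the earlier suggestion to keep a table linking GCM IDs to user IDs that copes with registration ID changes. The `RegistrationTable` class, user names and IDs are hypothetical and constructed; the `registration_ids` and `results` fields follow the GCM HTTP JSON message format, and no network call is made.

```python
import json

GCM_MAX_RECIPIENTS = 1000  # per-request limit stated in the answer above

class RegistrationTable:
    """Hypothetical in-memory stand-in for the registration-ID -> user-ID table."""

    def __init__(self):
        self.user_by_reg_id = {}

    def register(self, user_id, reg_id):
        self.user_by_reg_id[reg_id] = user_id

    def batches(self):
        """Yield lists of at most 1000 registration IDs, one list per HTTP POST."""
        ids = sorted(self.user_by_reg_id)
        for i in range(0, len(ids), GCM_MAX_RECIPIENTS):
            yield ids[i:i + GCM_MAX_RECIPIENTS]

    def apply_response(self, sent_ids, response):
        """Update the table from a multicast response; results come back in send order."""
        changed = {"replaced": [], "removed": []}
        for reg_id, result in zip(sent_ids, response["results"]):
            canonical = result.get("registration_id")
            if canonical:
                # GCM reports a newer ID for this device: move the user onto it.
                self.user_by_reg_id[canonical] = self.user_by_reg_id.pop(reg_id)
                changed["replaced"].append((reg_id, canonical))
            elif result.get("error") in ("NotRegistered", "InvalidRegistration"):
                # The ID is dead or malformed: stop sending to it.
                del self.user_by_reg_id[reg_id]
                changed["removed"].append(reg_id)
        return changed

def build_payload(reg_ids, data):
    """JSON body for one multicast POST (the send itself is left out here)."""
    return json.dumps({"registration_ids": reg_ids, "data": data})

def demo():
    table = RegistrationTable()
    for n in range(2500):  # constructed sample registrations
        table.register(f"user-{n}", f"reg-{n:04d}")
    sizes = [len(batch) for batch in table.batches()]
    first = next(table.batches())[:3]
    response = {"results": [{"message_id": "m1"},  # constructed response
                            {"message_id": "m2", "registration_id": "reg-new"},
                            {"error": "NotRegistered"}]}
    return sizes, table.apply_response(first, response), table
```

Pruning IDs that come back as `NotRegistered` also keeps the broadcast list limited to installations that are still valid.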
