java - What are consequences of having GCM SENDER ID being exposed? -

-

scenario: suppose reverse engineering .apk file, attacker obtains sender id push registration service used in app. attacker develops similar fake application has same/different package name , has been uploaded on different app store google play.

my question: can he/she use same sender id app? implications of user installs fake application?

related questions: google cloud messaging security question seems bit similar. answer of android gcm: same sender id more application question provides valuable information. reading both accepted answers conclusion seems absolutely possible , that's why recommended not have sensitive data in push messages.

but doesn't seem solution problem. unable understand effect of above security lapse.

a sender id (aka google api project id) not tied unique application package name. in fact, multiple apps can register gcm using same sender id, allow same api key used sending gcm messages of these apps. of course each app have different registration id (even when on same device).

if knows sender id, can register gcm sender id, without knowing api key won't able send gcm messages either fake app or real app. when register gcm, gcm receives package id of fake app. therefore if send message registration id of real app, won't reach fake app. in order fake app messages server, need send own registration id server , fool server believing it's real app. in our server application have mention our api key. if want send notifications needed.


Comments

Post a Comment

Popular posts from this blog

ios - UICollectionView Self Sizing Cells with Auto Layout -

-
Image
i'm trying self sizing uicollectionviewcells working auto layout, can't seem cells size content. i'm having trouble understanding how cell's size updated contents of what's inside cell's contentview. here's setup i've tried: custom uicollectionviewcell uitextview in contentview. scrolling uitextview disabled. the contentview's horizontal constraint is: "h:|[_textview(320)]", i.e. uitextview pinned left of cell explicit width of 320. the contentview's vertical constraint is: "v:|-0-[_textview]", i.e. uitextview pinned top of cell. the uitextview has height constraint set constant uitextview reports fit text. here's looks cell background set red, , uitextview background set blue: i put project i've been playing on github here . updated ios 9 after seeing github solution break under ios 9 got time investigate issue fully. have updated repo include several examples of different configurations s
Read more

node.js - ldapjs - write after end error -

-
i have created authentication service using following code in node.js , ldapjs. var when = require ('when'); var authenticationerror = require('../errors/authenticationerror'); var sessionmanagerservice = require('./sessionmanagerservice'); var ldap = require('ldapjs'); var client = ldap.createclient({ url: 'ldaps://ad.mycompany.com:636', tlsoptions: {'rejectunauthorized': false} }); module.exports = { signin: function (email, password) { return this.ldapbind(email, password).then( function () { return sessionmanagerservice.createsessionhash({email: email}); } ); }, ldapbind: function (email, password) { var deferred = when.defer(); client.bind(email, password, function(err) { if (err) { deferred.reject (new authenticationerror('invalid username and/or password!', 'authentication.signin.error')
Read more

DOM Manipulation in Wordpress (and elsewhere) using php -

-
DOM Manipulation in Wordpress (and elsewhere) using php - i'm quite new dom manipulation world , head start in order avoid mutual errors. i looking efficient way manipulate content generated wordpress using php. @ moment using simple html dom seems work fine. found domdocument , few others , helpfull if cleared out 1 faster, improve or @ to the lowest degree generate less errors in case of bad markup. also on side can explain syntax (instead of $html @$html) thank much php wordpress domdocument simple-html-dom
Read more