What are consequences of having GCM SENDER ID being exposed?


Question

Scenario: Suppose by reverse engineering a .apk file, an attacker obtains the SENDER ID for Push Registration Service used in an App. The attacker develops a similar fake application which has same/different package name and has been uploaded on a different app store than Google Play.

My question: Can he/she use the same SENDER ID with the app? What are the implications of that for the user who installs that fake application?

Related Questions: the google cloud messaging security question seems to be a bit similar. Also the answer to the Android GCM: same sender id for more application question provides valuable information. Reading both the accepted answers, the conclusion seems to be that it is absolutely possible and that's why it is recommended not to have sensitive data in Push Messages.

But that doesn't seem to be the solution to the problem. I am unable to understand the effect of the above security lapse.

Answer

A sender ID (aka Google API project ID) is not tied to a unique application package name. In fact, multiple apps can register to GCM using the same sender ID, which will allow the same API key to be used for sending GCM messages to all of these apps. Of course each app will have a different registration ID (even when on the same device).

If someone knows your sender ID, they can register to GCM with that sender ID, but without knowing the API key they won't be able to send GCM messages to either the fake app or the real app. When they register to GCM, GCM receives the package ID of their fake app. Therefore if you send a message to a registration ID of your real app, it won't reach the fake app. In order for the fake app to get messages from your server, it will need to send its own registration ID to your server and fool your server into believing it's the real app. In our server application you have to mention our API key. If you want to send any notifications, it's needed.
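To make the division of trust in the answer concrete, here is an added example (not from the thread, and not Google's own library code) of the server side: it accepts a registration ID only from an authenticated session so a fake app cannot attach its own ID to a victim's account, keeps the API key on the server, and builds the legacy GCM HTTP send request with an opaque reference instead of sensitive data. The session table, user ids, registration IDs and key value are constructed placeholders.

```python
"""Server-side handling of GCM registration IDs and outbound messages.

Trust model from the thread: the sender ID ships inside the APK and is
public; the API key stays on the server; a fake app can obtain its own
registration ID under your sender ID and try to hand it to your server.
"""
import json
from dataclasses import dataclass, field

GCM_SEND_URL = "https://android.googleapis.com/gcm/send"  # legacy GCM HTTP endpoint


@dataclass
class PushServer:
    api_key: str                                  # server secret, never in the APK
    sessions: dict = field(default_factory=dict)  # session_token -> user_id (constructed)
    devices: dict = field(default_factory=dict)   # user_id -> set of registration IDs

    def register_device(self, session_token, registration_id):
        """Bind a registration ID to the authenticated user who submits it.

        Because the ID is only accepted from a logged-in session, a fake app
        can at most register its own ID under its own account; it cannot
        receive the notifications meant for another user's real app.
        """
        user_id = self.sessions.get(session_token)
        if user_id is None:
            raise PermissionError("registration requires an authenticated session")
        self.devices.setdefault(user_id, set()).add(registration_id)
        return user_id

    def build_notification(self, user_id, event_ref):
        """Build (but do not send) the GCM HTTP request for one user.

        The data payload carries only an opaque reference; the client fetches
        the real content through an authenticated API call, so nothing
        sensitive travels in the push message itself.
        """
        reg_ids = sorted(self.devices.get(user_id, ()))
        if not reg_ids:
            return None
        headers = {"Authorization": "key=" + self.api_key,
                   "Content-Type": "application/json"}
        body = {"registration_ids": reg_ids, "data": {"ref": event_ref}}
        return GCM_SEND_URL, headers, json.dumps(body)
```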
