What are consequences of having GCM SENDER ID being exposed?


Problem description

Scenario: Suppose by reverse engineering a .apk file, an attacker obtains the SENDER ID for the Push Registration Service used in an App. The attacker develops a similar fake application which has the same/a different package name and has been uploaded to a different app store than Google Play.

My question: Can he/she use the same SENDER ID with the app? What are the implications of that for the user who installs that fake application?

Related Questions: the "google cloud messaging security question" seems to be a bit similar. Also the answer to "Android GCM: same sender id for more application" (http://stackoverflow.com/questions/11555180/android-gcm-same-sender-id-for-more-application) provides valuable information. Reading both accepted answers, the conclusion seems to be that it is absolutely possible, and that's why it is recommended not to have sensitive data in Push Messages.

But that doesn't seem to be the solution to the problem. I am unable to understand the effect of the above security lapse.

Recommended answer

A sender ID (aka Google API project ID) is not tied to a unique application package name. In fact, multiple apps can register to GCM using the same sender ID, which will allow the same API key to be used for sending GCM messages to all of these apps. Of course, each app will have a different registration ID (even when on the same device).

If someone knows your sender ID, they can register to GCM with that sender ID, but without knowing the API key they won't be able to send GCM messages to either the fake app or the real app. When they register to GCM, GCM receives the package ID of their fake app. Therefore, if you send a message to a registration ID of your real app, it won't reach the fake app. In order for the fake app to get messages from your server, it would need to send its own registration ID to your server and fool your server into believing it's the real app.
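As an added example (not code from the question, the answer, or Google's GCM libraries), the following Python model of a push backend plays out the two points the answer makes: any app can register with a known sender ID, but sending requires the server-side API key, and a backend that accepts a registration ID only from an authenticated session never stores the look-alike's ID, so pushes for a real user's account reach only the real app. `ModelGcm`, `AppServer`, the sender ID, the API key and the account are all constructed placeholders; the push payload is deliberately a wake-up hint rather than the sensitive data itself.

```python
import secrets
from dataclasses import dataclass, field

# Constructed placeholders, not real project values.
SENDER_ID = "123456789012"                  # ships inside the APK, so treat it as public
SERVER_API_KEY = "constructed-server-key"   # lives only on the app server


@dataclass
class ModelGcm:
    """Stand-in for the GCM connection server (an assumption of this example)."""
    registrations: dict = field(default_factory=dict)  # reg_id -> (sender_id, package)
    delivered: dict = field(default_factory=dict)      # package -> [payload, ...]

    def register(self, sender_id: str, package: str) -> str:
        # GCM hands out a registration ID per app instance; any app may present a sender ID.
        reg_id = secrets.token_hex(8)
        self.registrations[reg_id] = (sender_id, package)
        return reg_id

    def send(self, api_key: str, reg_id: str, payload: dict) -> str:
        # Sending needs the project's API key; the sender ID alone is not enough.
        if api_key != SERVER_API_KEY:
            return "401 Unauthorized"
        _sender, package = self.registrations[reg_id]
        self.delivered.setdefault(package, []).append(payload)
        return "200 OK"


class AppServer:
    """The app's own backend: binds registration IDs to authenticated accounts."""

    def __init__(self, gcm: ModelGcm, users: dict):
        self.gcm = gcm
        self.users = users          # account -> password (constructed sample data)
        self.sessions = {}          # session token -> account
        self.devices = {}           # account -> set of registration IDs

    def login(self, account: str, password: str):
        if self.users.get(account) != password:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = account
        return token

    def register_device(self, session_token: str, reg_id: str) -> bool:
        # A registration ID is stored only for a logged-in account. An app that
        # knows the sender ID but holds no valid session gets nothing recorded.
        account = self.sessions.get(session_token)
        if account is None:
            return False
        self.devices.setdefault(account, set()).add(reg_id)
        return True

    def notify(self, account: str, event_id: str) -> list:
        # The payload is a wake-up hint only; the client fetches the details over
        # its authenticated API session, so a mis-delivered push leaks nothing.
        payload = {"event": event_id}
        return [self.gcm.send(SERVER_API_KEY, reg_id, payload)
                for reg_id in sorted(self.devices.get(account, ()))]


def run_scenario() -> dict:
    gcm = ModelGcm()
    server = AppServer(gcm, users={"alice": "correct horse battery staple"})

    # Both the genuine app and a look-alike register with the same (public) sender ID.
    real_reg = gcm.register(SENDER_ID, "com.example.real")
    fake_reg = gcm.register(SENDER_ID, "com.example.lookalike")

    # Knowing the sender ID does not allow sending: the API key is checked.
    send_without_key = gcm.send("guessed-key", real_reg, {"event": "x"})

    # The genuine app registers its ID under Alice's authenticated session.
    token = server.login("alice", "correct horse battery staple")
    real_registered = server.register_device(token, real_reg)

    # The look-alike has no session for Alice, so its registration ID is refused.
    fake_registered = server.register_device("no-such-session", fake_reg)

    results = server.notify("alice", "order-42")
    return {
        "send_without_key": send_without_key,
        "real_registered": real_registered,
        "fake_registered": fake_registered,
        "notify_results": results,
        "real_received": gcm.delivered.get("com.example.real", []),
        "fake_received": gcm.delivered.get("com.example.lookalike", []),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The design choice worth noting is in `register_device` and `notify`: the backend never trusts a registration ID on its own, only the session that presents it, and the push body carries an identifier the client must redeem over its authenticated connection. Together these make the sender ID a non-secret, exactly as the answer describes.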

