16

Scenario: Suppose by reverse engineering a .apk file, an attacker obtains the SENDER ID for Push Registration Service used in an App. The attacker develops a similar fake application which has same/different package name and has been uploaded on a different app store than Google Play.

My question: Can he/she use the same SENDER ID with the app? What are the implications of that for the user who installs that fake application?

Related Questions: google cloud messaging security question seems to be a bit similar. Also answer of Android GCM: same sender id for more application question provides valuable information. Reading both the accepted answers the conclusion seems to be that it is absolutely possible and that's why it is recommended not to have sensitive data in Push Messages.

But that doesn't seem to be the solution to the problem. I am unable to understand the effect of the above security lapse.

Community
  • 1
  • 1
Shobhit Puri
  • 25,769
  • 11
  • 95
  • 124

2 Answers2

18

A sender ID (aka Google API project ID) is not tied to a unique application package name. In fact, multiple apps can register to GCM using the same sender ID, which will allow the same API key to be used for sending GCM messages to all of these apps. Of course each app will have a different registration ID (even when on the same device).

If someone knows your sender ID, they can register to GCM with that sender ID, but without knowing the API key they won't be able to send GCM messages to either the fake app or the real app. When they register to GCM, GCM receives the package ID of their fake app. Therefore if you send a message to a registration ID of your real app, it won't reach the fake app. In order for the fake app to get messages from your server, it will need to send its own registration ID to your server and fool your server into believing it's the real app. In our server application you have to mention our API key. If you want to send any notifications its needed.

IamDMahesh
  • 99
  • 1
  • 10
Eran
  • 387,369
  • 54
  • 702
  • 768
  • So, that means if the hacker somehow comes to know my server URL(which should be hidden), he can register the registration ID's with my server and whenever my server decides to send the push message to all the apps, the fake apps will also receive the push message. – Shobhit Puri Aug 13 '13 at 18:14
  • Thanks for you answer. It did help me understand but now I have an addition concern based on your answer. It is likely that somewhere in my app I would mention the server URL, so that my app can send me registration ID's. Can there be some check on the server side which makes sure that the POST request is coming from my original app only and not from fake app? I apologize if my questions sound too straight forward but I am unable to visualize this some how. – Shobhit Puri Aug 13 '13 at 18:42
  • @ShobhitPuri That is correct, unless your app has some way to prove its identity when contacting your server. – Eran Aug 13 '13 at 18:55
  • I am still a bit confused myself, though. Is there a situation where eavesdropping on a push notification could lead to a security risk? Is that only if there is sensitive information in the notification and, if so, doesn't that mean that the *real* catch-all solution is to never send sensitive info in pushes (and therefore it doesn't matter if a fake app spoofs your ID)? – Jason C Aug 13 '13 at 19:13
  • 1
    @JasonC That sounds right. Since the other app can receive the message so can see also the content of your push message. So one should not put sensitive information there. – Shobhit Puri Aug 13 '13 at 19:32
1

They will not be able to use your GCM Sender ID to publish notifications.

Remember that when you obtained the Sender ID, you have to also submit your application's package name and your release signing key's SHA-1 signature. That signature is bound to the GCM Sender ID so that only applications signed by your release key are able to register and receive GCM notifications.

Google Play will also not allow apps with duplicate package name to be published, so nobody can create a fake app with your package name that is already in the Play store.

However, nothing is 100% secured. I presume a hacker could also figure out your SHA-1 signing key and hack the APK in such a way to fool the system to think the app is signed by your release key. I have seen apps are 'cracked' this way to circumvent Android licensing library. This could potentially fool GCM server to think the fake app is authorized to receive GCM messages. However, the 'cracked' apps are still not allowed to be published to Google Play, so the risk of legitimate users getting it is quite small.

azgolfer
  • 15,087
  • 4
  • 49
  • 46
  • Combining your answer with @Eran, what I understand is that although multiple apps can use the same SENDER ID but only those apps which are signed by my release key. But as soon as I created a new project on console, Google gave me a sender ID. Then I just turned the Google Cloud Messaging ON as stated [here](http://developer.android.com/google/gcm/gs.html) and used that ID in my app. I don't quite get its involvement with the release key. – Shobhit Puri Aug 13 '13 at 18:33
  • Also, what if the hacker's app is on different app store than Google play? I read an article which claimed that few of the cracked/fake apps have been downloaded from app stores other than Google play more than half a million times. – Shobhit Puri Aug 13 '13 at 18:33