Hi,
I recently developed a simple application that uses the C2DM feature and found out that I can send push notifications from a different Google account than the registered one. I only need to provide the authentication token of the authorized account and the registration ID of the application. The C2DM server seems to ignore the passed Gmail account, or at least not to verify that this is the legitimate account for which the application was registered.

For instance, suppose App is my application running on an Android device and having registered (to the C2DM server) to receive and send messages from and to [email protected]. The App server ([email protected]) requests an authentication token (ClientLogin Auth token) from Google's Authorization service. The received ClientLogin Auth token is then saved and used by [email protected] in order to access Google services (C2DM in our case).

Now I can send messages to the application App from another server (say [email protected]) using the ClientLogin Auth token of [email protected] and the Registration ID of App, and messages arrive on App!? Doesn't C2DM cross-check that the provided authentication token really belongs to the Google account given in the parameter? Can any account use the Auth token of any other account?

From a security point of view, the current behavior puts my application at risk. I would be interested to know whether such behavior is normal and, if not, when it will be corrected and how?

I also wonder why the public key associated with my publisher/developer's Google account is not used here. It would definitely harden the trust relationship between the App Server and C2DM. Unlike the ClientLogin Auth token and Gmail account, my private key would not be passed with the message and would therefore be better protected against spoofing attempts.

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
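As an added illustration (constructed example code, not Google's C2DM service and not anything from the original post), the toy relay below models the two checks the post asks about: whether a ClientLogin-style bearer token is bound to the account named in the send request, and whether the device's registration ID was registered for that sender. The `send_unchecked` method reproduces the behaviour the post describes (token valid, registration exists, claimed sender ignored); `send_checked` adds the account binding. All accounts, tokens and registration IDs are made up.

```python
"""Toy in-memory model of a push relay's send endpoint.

Constructed for illustration only: it is not Google's C2DM implementation and
does not speak any real API. Every account, token and registration id is a
made-up sample value.
"""

from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Registration:
    """A device registration: which sender account the device agreed to receive from."""
    reg_id: str
    sender: str


class ToyPushRelay:
    def __init__(self) -> None:
        self._tokens: dict[str, str] = {}            # token -> account that obtained it
        self._registrations: dict[str, Registration] = {}  # reg_id -> registration

    def issue_token(self, account: str) -> str:
        """Model of the ClientLogin step: the server account obtains a bearer token."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = account
        return token

    def register_device(self, reg_id: str, sender: str) -> None:
        """Model of the app registering to receive messages from one sender account."""
        self._registrations[reg_id] = Registration(reg_id, sender)

    def send_unchecked(self, token: str, claimed_sender: str, reg_id: str) -> bool:
        """Behaviour the post describes: only token validity and registration
        existence are checked; the account named in the request is ignored."""
        if token not in self._tokens or reg_id not in self._registrations:
            return False
        return True

    def send_checked(self, token: str, claimed_sender: str, reg_id: str) -> bool:
        """Hardened variant: the token must belong to the claimed sender, and the
        device must have registered to receive from that same sender."""
        owner = self._tokens.get(token)
        reg = self._registrations.get(reg_id)
        if owner is None or reg is None:
            return False
        return owner == claimed_sender and reg.sender == claimed_sender


def demo() -> dict[str, bool]:
    """Replays the scenario from the post against both variants.

    Returns the outcome of each send so the results can be inspected or tested.
    Sample accounts are constructed placeholders, not real addresses."""
    relay = ToyPushRelay()
    app_server = "appserver@example.com"   # constructed: the legitimate App server
    other = "other@example.com"            # constructed: a different server account
    relay.register_device("reg-app-1", app_server)
    token_app = relay.issue_token(app_server)
    token_other = relay.issue_token(other)

    return {
        # Other server presents App server's token under its own account name.
        "unchecked_foreign_name": relay.send_unchecked(token_app, other, "reg-app-1"),
        "checked_foreign_name": relay.send_checked(token_app, other, "reg-app-1"),
        # Legitimate send: App server's token, App server's name, its own device.
        "checked_legit": relay.send_checked(token_app, app_server, "reg-app-1"),
        # Other server uses its own token for a device registered to App server.
        "checked_wrong_device": relay.send_checked(token_other, other, "reg-app-1"),
        # Garbage token is rejected by both variants.
        "unchecked_bad_token": relay.send_unchecked("not-a-token", app_server, "reg-app-1"),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The binding check stops a token from being presented under a different account name and stops a sender from pushing to devices that never registered for it, but it does not change what the post is really pointing at: the token is a bearer credential, so anyone holding it can still send as its owner. That residual risk is why the post asks for a developer key that is never transmitted with the message; protecting the token itself (storage, transport, rotation) remains the App server's job under either variant.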
