Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Technical] How does the Google Push implementation work? #1859

Closed
BRUHItsABunny opened this issue Dec 29, 2022 · 2 comments
Closed

[Technical] How does the Google Push implementation work? #1859

BRUHItsABunny opened this issue Dec 29, 2022 · 2 comments
Labels
question

Comments

@BRUHItsABunny
Copy link

Hi, I am working on a project to listen for incoming Google push notifications in Go (hopefully an end-to-end push notification testing suite at some point)

So this is how far I currently understand the system/apis involved:

For apps to register for push notifications, these API calls occur in order:

  • firebaseinstallations.googleapis.com - register installation (returns an actual JWT used later)
    image
  • android.clients.google.com - C2DM registration (uses the JWT from previous step app certificate and Checkin android ID, returns notification token)
    image
  • App specific API call to notify the backend of our notification token from the previous step
    image

For websites on chromium browsers (tested on Brave browser, because I can't turn off HSTS on Chrome....):

  • firebaseinstallations.googleapis.com - register installation (returns an actual JWT used later) - for the BROWSER
  • android.clients.google.com - C2DM registration (uses the app certificate and Checkin android ID, returns notification token) - for the website
    image
    image
  • Website specific API call to notify backend of our notification token, and also sends encryption data (similar to this except that is a registration directly to FCM instead)
    image

For us to receive the notifications:

  • android.clients.google.com Checkin API call (returns AID login auth)
  • mtalk.google.com connection, login request
    image
    After which we now receive encrypted push notifications
    image

Okay, so my question comes in in the comparison between apps and websites as far as push notifications go.
In both cases the notifications we receive via mtalk.google.com are encrypted, but only in the case of the websites do I see an actual key exchange.
How are the push notifications decrypted for regular apps? Did I miss a super secret key exchange or do the system and backend already know what the key is going to be beforehand?
Thanks for taking the time to read this.
@BRUHItsABunny BRUHItsABunny mentioned this issue Dec 29, 2022
Closed
@mar-v-in
Copy link
Member

mar-v-in commented Dec 30, 2022
edited

I don't think anything you see here is encrypted. Most Android apps don't encrypt their push notification traffic.

The data in the last screenshot is not encrypted, but just a base64-encoded protobuf. This is application specific, other apps put JSON- or XML-encoded payload.

@BRUHItsABunny
Copy link
Author

Thanks for your reply, I just did a deeper dive into the data from the last screenshot and you are correct. I guess I just assumed there was encryption involved due to the browser notifications having encryption.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mar-v-in @BRUHItsABunny