Hi, I am working on a project to listen for incoming Google push notifications in Go (hopefully an end-to-end push notification testing suite at some point).
So this is how far I currently understand the system/APIs involved:
For apps to register for push notifications, these API calls occur in order:
1. firebaseinstallations.googleapis.com - register installation (returns an actual JWT used later)
2. android.clients.google.com - C2DM registration (uses the JWT from previous step, app certificate and Checkin android ID, returns notification token)
3. App specific API call to notify the backend of our notification token from the previous step

For websites on chromium browsers (tested on Brave browser, because I can't turn off HSTS on Chrome....):
1. firebaseinstallations.googleapis.com - register installation (returns an actual JWT used later) - for the BROWSER
2. android.clients.google.com - C2DM registration (uses the app certificate and Checkin android ID, returns notification token) - for the website
3. Website specific API call to notify backend of our notification token, and also sends encryption data (similar to this except that is a registration directly to FCM instead)

For us to receive the notifications:
1. android.clients.google.com Checkin API call (returns AID login auth)
2. mtalk.google.com connection, login request
3. After which we now receive encrypted push notifications
Okay, so my question comes in in the comparison between apps and websites as far as push notifications go.
In both cases the notifications we receive via mtalk.google.com are encrypted, but only in the case of the websites do I see an actual key exchange.
How are the push notifications decrypted for regular apps? Did I miss a super secret key exchange or do the system and backend already know what the key is going to be beforehand?
Thanks for taking the time to read this.
I don't think anything you see here is encrypted. Most Android apps don't encrypt their push notification traffic.
The data in the last screenshot is not encrypted, but just a base64-encoded protobuf. This is application specific; other apps put JSON- or XML-encoded payloads.
Thanks for your reply, I just did a deeper dive into the data from the last screenshot and you are correct. I guess I just assumed there was encryption involved due to the browser notifications having encryption.
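The distinction drawn in the replies above (a base64-encoded protobuf or JSON value versus actual ciphertext) can be checked mechanically before assuming a key exchange exists. The Go sketch below is an added example, not code from this thread or from the project; `ClassifyPayload` and `walkProtobuf` are hypothetical names and the sample value is constructed. It is a heuristic: very short random byte strings can happen to parse as wire format.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// walkProtobuf reports whether b is a run of well-formed wire-format fields.
func walkProtobuf(b []byte) bool {
	for len(b) > 0 {
		tag, n := binary.Uvarint(b)
		if n <= 0 || tag>>3 == 0 { // truncated varint or field number 0
			return false
		}
		size, m := uint64(0), 0 // m stays 0 for groups and undefined wire types
		switch tag & 7 {
		case 0: // varint value
			_, m = binary.Uvarint(b[n:])
		case 2: // length varint, then that many bytes
			size, m = binary.Uvarint(b[n:])
		case 1, 5: // fixed 64-bit (type 1) or fixed 32-bit (type 5)
			m = 9 - int(tag&7)
		}
		if m <= 0 || n+m > len(b) || size > uint64(len(b)-n-m) {
			return false
		}
		b = b[n+m+int(size):]
	}
	return true
}

// ClassifyPayload labels one notification data value as it appears on the wire.
func ClassifyPayload(s string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(s)
	switch {
	case err != nil:
		return "", fmt.Errorf("not base64: %w", err)
	case json.Valid(raw):
		return "base64 JSON", nil
	case len(raw) > 0 && walkProtobuf(raw):
		return "base64 protobuf", nil
	}
	return "opaque, possibly encrypted", nil
}

func main() {
	fmt.Println(ClassifyPayload("CgNhYmMQlgE=")) // constructed: field 1 = "abc", field 2 = 150
}
```

A value that lands in the last bucket is only a candidate for encryption; compressed or application-specific binary formats end up there as well.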