Spoofing the GCM response is going to be pretty tough if the
permissions on the application are set correctly: specifically, the
receiver checks the message against the Android permission
com.google.android.c2dm.permission.SEND as long as it has the proper
android:permission attribute set in the Manifest:

    <receiver android:name="com.google.android.gcm.GCMBroadcastReceiver"
        android:permission="com.google.android.c2dm.permission.SEND" >
        <intent-filter>
            <action android:name="com.google.android.c2dm.intent.RECEIVE" />
            <action android:name="com.google.android.c2dm.intent.REGISTRATION" />
            <action android:name="com.google.android.gcm.intent.RETRY" />
            <category android:name="com.intrepidusgroup.GCMDemo" />
        </intent-filter>
    </receiver>

Also, if done correctly, there is a specific permission set such that
messages use signatures:

    <permission android:name="com.intrepidusgroup.GCMDemo.permission.C2D_MESSAGE"
        android:protectionLevel="signature" />

However... if the application happens to omit the android:permission
attribute on the receiver, you can then "spoof" messages from another
application on the device just fine, by simply creating an intent and
setting the filters to match those of the receiver. While this is
pretty unusual, thanks to Google including a fairly obvious warning
about this in the example code they provide, it does exist (I run
across it from time to time during application assessments).
An example of how this works is below (from C2DM, but it works pretty
similarly for GCM):

    // declare the Intent
    final Intent sendC2DM = new Intent("com.google.android.c2dm.intent.RECEIVE");
    // set this as category com.intrepidusgroup.GCMDemo to match the intent-filter
    sendC2DM.addCategory("com.intrepidusgroup.GCMDemo");

Where you go from there is going to be highly dependent on the target
application: you'll need to examine the message receiver code to find
out what data it expects to be sent, and then create that data in your
spoofing class code.
--
jason
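
A manifest check for the two settings described in the message above, as an added example that is not part of the original e-mail: it parses a decoded AndroidManifest.xml and flags push receivers that lack the android:permission attribute, and a C2D_MESSAGE permission that is not signature-level. The names audit_manifest and sample are hypothetical, the sample manifests are constructed from the GCMDemo snippet, and the manifest is assumed to be already decoded to plain XML.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
PUSH_ACTION = "com.google.android.c2dm.intent.RECEIVE"
SEND_PERMISSION = "com.google.android.c2dm.permission.SEND"

def audit_manifest(xml_text):
    """Return findings for push receivers in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings, push_receivers = [], 0
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in receiver.iter("action")}
        if PUSH_ACTION not in actions:
            continue
        push_receivers += 1
        name = receiver.get(ANDROID + "name")
        guard = receiver.get(ANDROID + "permission")
        if guard is None:
            findings.append(f"{name}: no android:permission on receiver")
        elif guard != SEND_PERMISSION:
            findings.append(f"{name}: guarded by {guard}, not {SEND_PERMISSION}")
    if push_receivers:  # the app's own C2D_MESSAGE permission must be signature-level
        c2d = root.get("package", "") + ".permission.C2D_MESSAGE"
        levels = {p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
                  for p in root.iter("permission")}
        if c2d not in levels:
            findings.append(f"{c2d}: not declared")
        elif levels[c2d] != "signature":
            findings.append(f"{c2d}: protectionLevel {levels[c2d]}, not signature")
    return findings

def sample(receiver_attrs, level):
    """Constructed manifest modelled on the GCMDemo snippet (illustrative only)."""
    return f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.intrepidusgroup.GCMDemo">
      <permission android:protectionLevel="{level}"
        android:name="com.intrepidusgroup.GCMDemo.permission.C2D_MESSAGE" />
      <application>
        <receiver android:name="com.google.android.gcm.GCMBroadcastReceiver" {receiver_attrs}>
          <intent-filter>
            <action android:name="com.google.android.c2dm.intent.RECEIVE" />
          </intent-filter>
        </receiver>
      </application>
    </manifest>"""

HARDENED = sample(f'android:permission="{SEND_PERMISSION}"', "signature")
WEAK = sample("", "normal")
for label, text in (("hardened", HARDENED), ("weak", WEAK)):
    print(label, audit_manifest(text) or "no findings")
```
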
On Mon, Feb 18, 2013 at 11:29 PM, dw4ll <[email protected]> wrote:
> Kristopher, actually I need to pentest an Android application. Please suggest
> any pointers to spoof the push data response.
>
>
> On Monday, February 18, 2013 9:22:10 PM UTC+5:30, Kristopher Micinski wrote:
>>
>> I believe the answer is as simple as: GCM uses HTTPS.
>>
>> But if anything, there are other ways to spoof GCM, and you shouldn't
>> actually do anything sensitive with it.
>>
>> Think of GCM as forcing evaluation of a thunk that does some
>> asynchronous user operation :-)
>>
>> Kris
>>
>>
>> On Mon, Feb 18, 2013 at 6:21 AM, dw4ll <[email protected]> wrote:
>> > How does the device recognize that the pushed data is from the GCM server
>> > only?
>> > Are there any auth tokens that the GCM server sends along with the data? Can an
>> > attacker spoof GCM push data and send it to an Android client?
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "Android Security Discussions" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > To post to this group, send email to
>> > [email protected].
>> > Visit this group at
>> > http://groups.google.com/group/android-security-discuss?hl=en.
>> > For more options, visit https://groups.google.com/groups/opt_out.
>> >
>> >