GCM Security


D Miller

May 15, 2015, 10:46:39 AM
to andro...@googlegroups.com
My GCM payload will contain PII (a name). 

I plan on encrypting this data, but others at our organization are still wary of approving the use of GCM for the following reasons: 

1. the type of connection from GCM connection servers to the device is unknown.
2. when target devices are offline, messages will sit in a queue on a Google machine until the device comes back online.

What protocol is used when sending messages from a GCM connection server to a device?

Where can I read more about the security of GCM connection servers? I need to know if they are FIPS certified (I think). 

Francesco

May 15, 2015, 11:58:26 AM
to andro...@googlegroups.com
Hi,

Thanks for your questions. The connection between devices and GCM is encrypted via SSL.
The connection between your server and GCM is encrypted via HTTPS.

Please DO encrypt your payload before sending the message to GCM and decrypt it on the device.

It is true that if the device is offline, your message will sit for a specified (by you) amount of time, up to 4 weeks maximum, in Google servers.
That message should be encrypted by your software, therefore unintelligible for Google, which in turn does apply its own encryption before storing it.

Hth,
  f
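
The advice in the reply above (encrypt before handing the message to GCM, decrypt on the device), as an added example that is not part of the original thread: the name is sealed with AES-256-GCM so the push service only ever queues ciphertext, and the device rejects any value that was modified. The class, method and field names, the `context` label and the pre-provisioned per-device key are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (hypothetical names). Assumption: a 256-bit per-device key was
// provisioned over the app's own authenticated channel; key exchange is out of scope.
public class PushPayloadCrypto {
    private static final int NONCE_LEN = 12;   // bytes, the usual AES-GCM nonce size
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    // App-server side: returns base64(nonce || ciphertext || tag) for the data payload.
    static String seal(byte[] key, String plaintext, String context) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(nonce);                  // fresh random nonce for every message
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(context.getBytes(StandardCharsets.UTF_8));  // authenticated, not encrypted
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(NONCE_LEN + ct.length).put(nonce).put(ct).array();
        return Base64.getEncoder().encodeToString(out);
    }

    // Device side: throws AEADBadTagException if the value or the context was altered.
    static String open(byte[] key, String encoded, String context) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(encoded);
        if (in.length < NONCE_LEN + TAG_BITS / 8) throw new GeneralSecurityException("payload too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, in, 0, NONCE_LEN));
        c.updateAAD(context.getBytes(StandardCharsets.UTF_8));
        return new String(c.doFinal(in, NONCE_LEN, in.length - NONCE_LEN), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        RNG.nextBytes(key);                                        // constructed demo key
        String field = seal(key, "Jane Example", "name-update");   // constructed sample values
        System.out.println("data.enc_name = " + field);            // all the push service sees
        System.out.println("on device: " + open(key, field, "name-update"));
        byte[] raw = Base64.getDecoder().decode(field);
        raw[raw.length - 1] ^= 1;                                  // simulate modification while queued
        try { open(key, Base64.getEncoder().encodeToString(raw), "name-update"); }
        catch (GeneralSecurityException e) { System.out.println("tampered payload rejected"); }
    }
}
```

This runs on a desktop JVM as written; on Android releases before API 26, `java.util.Base64` is unavailable and `android.util.Base64` takes its place.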

