Check registration id validity


Juan Pablo Carlino

Sep 14, 2015, 11:00:33 AM
to android-gcm
Hello,

in the official Google Cloud Messaging docs there is a section that explains how to validate an API Key issuing a simple HTTP request. Then it adds:

> If you want to confirm the validity of a registration token, you can do so by replacing "ABC" with the registration token.

however we see this validation procedure is not transparent for the target device, because it receives a push without payload although the GCM client library confuses it with a real message because it comes with the senderId in the 'from'.

Our goal is just to make sure the registration id was generated with the right senderId, as we see this is a common mistake when you develop both a debug and a production application. Is there any way to validate the token without triggering a 'false' push?

Regards

Luca Morettoni

Sep 14, 2015, 11:09:13 AM
to andro...@googlegroups.com
On Mon, Sep 14, 2015 at 5:00 PM, Juan Pablo Carlino <jpca...@gmail.com> wrote:
> Our goal is just to make sure the registration id was generated with the
> right senderId, as we see this is a common mistake when you develop both a
> debug and a production application. Is there any way to validate the token
> without triggering a 'false' push?

I'm looking for a smarter solution, because I don't want to wake our
customer's device with an empty push message.
Also, I notice that I have more (valid) GCM devices compared to the
numbers I get in the Play Store; can anyone explain that to me?

--
Luca Morettoni <luca(AT)morettoni.net> | http://www.morettoni.net
http://it.linkedin.com/in/morettoni/ | http://twitter.com/morettoni
Google+ profile: https://www.google.com/+LucaMorettoni
Member of GDG Perugia: http://perugia.gtugs.org

Diego Giorgini

Sep 14, 2015, 11:29:09 AM
to andro...@googlegroups.com
Hi Juan and Luca,

On Mon, Sep 14, 2015 at 4:09 PM Luca Morettoni <lu...@morettoni.net> wrote:
> On Mon, Sep 14, 2015 at 5:00 PM, Juan Pablo Carlino <jpca...@gmail.com> wrote:
>> Is there any way to validate the token without triggering a 'false' push?

> Also, I notice that I have more (valid) GCM devices compared to the
> numbers I get in the Play Store; can anyone explain that to me?

I imagine Play Store tracks the number of downloads, while the app could be installed in other ways like sending the APK or restoring the device etc.
Other than this I don't know why those numbers don't match, sorry.
 
Best regards,
- Diego

Juan Pablo Carlino

Sep 14, 2015, 2:14:58 PM
to android-gcm
Diego,

thanks for your answer. I thought of using the InstanceID service; however, I initially discarded this option because the docs read:

> Note: verifying app authenticity is available only for apps distributed by Google Play.

However, the most common case is that your debug app is not published on Google Play, so the validation mechanism would fail. Another drawback I see is that I can't verify old GCM tokens (those that aren't instance ids). I've tried out both types of tokens with the InstanceID service:

1. When the token comes from a debug application (not published on Google Play) I get

{"error":"No information found about this instance id."}

2. When the token has the old registrationId format I get an HTTP 400 error

Is there any workaround to validate GCM tokens?

Regards

Juan Pablo Carlino

Sep 14, 2015, 5:18:56 PM
to android-gcm
Hello,

I've found exactly what I was looking for: 'dry_run' is the flag to use

https://developers.google.com/cloud-messaging/http-server-ref

Regards

Diego Giorgini

Sep 15, 2015, 8:26:43 AM
to andro...@googlegroups.com
Answers inline:

On Monday, September 14, 2015, 15:14:58 (UTC-3), Juan Pablo Carlino wrote:
> Diego,
> thanks for your answer. I thought of using the InstanceID service; however, I initially discarded this option because the docs read:
> Note: verifying app authenticity is available only for apps distributed by Google Play.

This means that you cannot fully trust apps that are not being distributed by Google Play, since they could impersonate another app's package name or certificates.
 
> However, the most common case is that your debug app is not published on Google Play, so the validation mechanism would fail. Another drawback I see is that I can't verify old GCM tokens (those that aren't instance ids). I've tried out both types of tokens with the InstanceID service:
> 1. When the token comes from a debug application (not published on Google Play) I get
> {"error":"No information found about this instance id."}

InstanceID should work for all the apps, even if not distributed through Google Play.
I suggest checking your HTTP request for any errors.


> 2. When the token has the old registrationId format I get an HTTP 400 error
> Is there any workaround to validate GCM tokens?

Old GCM tokens (not InstanceID) are not supported by InstanceID API.


On Mon, Sep 14, 2015 at 10:19 PM Juan Pablo Carlino <jpca...@gmail.com> wrote:
> Hello,
> I've found exactly what I was looking for: 'dry_run' is the flag to use
> https://developers.google.com/cloud-messaging/http-server-ref

Yes, this is another way to test it.


I am glad you found a solution for your use-case.
- Diego
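
The 'dry_run' check this thread settles on, as an added example that is not code from any poster or from Google: it builds a send request that GCM validates without delivering, then maps each per-token result to a verdict so a debug/production senderId mix-up shows up as MismatchSenderId. The endpoint URL, the verdict labels, the tokens and the response body are assumptions or constructed sample data; nothing is sent over the network.

```python
import json

# GCM HTTP connection server endpoint from the server reference linked in the
# thread (assumption: the URL itself is not quoted in the thread).
GCM_SEND_URL = "https://gcm-http.googleapis.com/gcm/send"

# Per-token error strings from the GCM HTTP reference, mapped to hypothetical
# verdict labels chosen for this example.
ERROR_VERDICTS = {
    "MismatchSenderId": "wrong_sender",   # token was issued for another sender ID
    "InvalidRegistration": "malformed",   # not a token GCM recognises
    "NotRegistered": "unregistered",      # app uninstalled or token expired
}


def build_dry_run_request(api_key, tokens):
    """Return (url, headers, body) for a send that GCM validates but never delivers."""
    headers = {
        "Authorization": "key=" + api_key,
        "Content-Type": "application/json",
    }
    body = json.dumps({"registration_ids": list(tokens), "dry_run": True})
    return GCM_SEND_URL, headers, body.encode("utf-8")


def classify_tokens(tokens, response_text):
    """Pair each token with its entry in 'results' (same order as the request)."""
    results = json.loads(response_text)["results"]
    if len(results) != len(tokens):
        raise ValueError("results length does not match the tokens sent")
    verdicts = {}
    for token, result in zip(tokens, results):
        if "error" in result:
            error = result["error"]
            verdicts[token] = ERROR_VERDICTS.get(error, "other:" + error)
        elif "registration_id" in result:
            verdicts[token] = "valid_but_superseded"  # canonical ID returned
        else:
            verdicts[token] = "valid"
    return verdicts


# Constructed sample data: placeholder tokens and a hand-written response body.
SAMPLE_TOKENS = ["tok-prod-app", "tok-debug-app", "tok-garbage"]
SAMPLE_RESPONSE = json.dumps({
    "multicast_id": 1, "success": 1, "failure": 2, "canonical_ids": 0,
    "results": [{"message_id": "constructed-id"},
                {"error": "MismatchSenderId"},
                {"error": "InvalidRegistration"}],
})

if __name__ == "__main__":
    print(classify_tokens(SAMPLE_TOKENS, SAMPLE_RESPONSE))
```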

 