Google Cloud Messaging security

2023-09-05 10:55:15 Author: 风与歌姬

Company creates a project and receives a sender ID. Company creates an app, bakes in its sender ID and places the app in the store.

Attacker reverse engineers the app and extracts both the sender ID and the server interface used to receive GCM registration IDs.

Attacker creates his own app, bakes in Company's sender ID and server registration interface, and puts the app in the store. The attack app basically impersonates Company's real app as far as GCM goes: it registers to receive messages from Company's sender ID and then sends its GCM registration ID to Company's servers just like the "real" app does.

Now Company wants to broadcast some information to all instances of its app. Maybe it's a reminder that an update is available. Is there any way to differentiate the "attack app" (which registered just like the real one) from "real" versions of the Company's app?

Recommended answer

The same problem could also have existed with C2DM, where you can sniff the sender email address instead of the project ID for GCM.

C2DM or GCM should never be used to send sensitive user information (i.e. account name, private information, etc.); it's mainly useful for notifications, which the real app can use to perform further actions.

I can't see how useful a notification can be to a 'fake/hack' app; what are they going to do with a 'You have new message' notification?
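The pattern the answer recommends, worked through as an added example (this is not the answerer's code and not Google's API): the push payload carries only an event name and opaque references, and the real app turns it into an authenticated fetch against Company's server. The example also goes one step beyond the answer by binding each uploaded registration ID to the login session that uploaded it, so per-user triggers only go to devices that could authenticate; broadcasts such as "update available" still reach everyone, including the impostor, which is harmless because they carry nothing. `Gcm`, `CompanyServer`, the sender ID, the user "alice" and the messages are all constructed stand-ins; nothing here talks to the network.

```python
"""Push-as-trigger pattern for GCM-style messaging, simulated in-process.
Added example, not the original post's code: Gcm stands in for Google's
registration/delivery service, CompanyServer is a hypothetical back end, and
the sender ID, user and messages are constructed test data. No network I/O."""
import secrets

COMPANY_SENDER_ID = "123456789012"  # constructed; this is what an attacker pulls out of the APK
SENSITIVE_KEYS = {"account", "email", "message_body", "balance", "session"}  # hypothetical policy


def build_push_payload(event, **refs):
    """A GCM-style 'data' dict: an event name plus opaque references, never user data."""
    leaked = SENSITIVE_KEYS & set(refs)
    if leaked:
        raise ValueError(f"refusing to put sensitive fields in a push: {sorted(leaked)}")
    return {"event": event, **refs}


class Gcm:
    """Any app presenting the sender ID gets a registration ID; pushes are addressed to that ID."""
    def __init__(self):
        self.devices = {}  # registration ID -> app instance

    def register(self, sender_id, app):
        reg_id = f"{sender_id}:{secrets.token_hex(4)}"
        self.devices[reg_id] = app
        return reg_id

    def send(self, reg_ids, payload):
        delivered = [r for r in reg_ids if r in self.devices]
        for reg_id in delivered:
            self.devices[reg_id].on_push(dict(payload))
        return delivered


class CompanyServer:
    def __init__(self, gcm):
        self.gcm = gcm
        self.users = {"alice": "correct horse"}  # constructed credential store
        self.sessions = {}       # session token -> username
        self.registrations = {}  # registration ID -> username, or None if uploaded anonymously
        self.inbox = {"alice": []}

    def login(self, user, password):
        if self.users.get(user) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def register_device(self, reg_id, session=None):
        """Accept any registration ID, but bind it to a user only for a logged-in caller."""
        self.registrations[reg_id] = self.sessions.get(session)

    def fetch_inbox(self, session):
        if session not in self.sessions:
            raise PermissionError("authenticated fetch required")
        return list(self.inbox[self.sessions[session]])

    def broadcast(self, payload):
        return self.gcm.send(list(self.registrations), payload)  # impostors get it too; it holds no data

    def deliver_message(self, user, text):
        """Keep the message server-side; push only a content-free trigger to devices bound to the user."""
        self.inbox[user].append(text)
        targets = [r for r, u in self.registrations.items() if u == user]
        return self.gcm.send(targets, build_push_payload("new_message", count=len(self.inbox[user])))


class RealApp:
    def __init__(self, gcm, server, user, password):
        self.server = server
        self.session = server.login(user, password)
        self.reg_id = gcm.register(COMPANY_SENDER_ID, self)
        server.register_device(self.reg_id, self.session)
        self.received, self.fetched = [], []

    def on_push(self, payload):
        self.received.append(payload)
        if payload["event"] == "new_message":  # the push is a hint; the data arrives over an authenticated fetch
            self.fetched = self.server.fetch_inbox(self.session)


class AttackApp:
    """Knows the sender ID and the registration endpoint, but has no user credentials."""
    def __init__(self, gcm, server):
        self.server = server
        self.reg_id = gcm.register(COMPANY_SENDER_ID, self)
        server.register_device(self.reg_id)  # nothing to bind to
        self.received, self.fetched = [], []

    def on_push(self, payload):
        self.received.append(payload)
        try:
            self.fetched = self.server.fetch_inbox(session=None)
        except PermissionError:
            pass  # a 'new_message' trigger is worthless without the user's session


def demo():
    """Constructed scenario: one legitimate install and one impostor, both registered with Company."""
    gcm = Gcm()
    server = CompanyServer(gcm)
    real = RealApp(gcm, server, "alice", "correct horse")
    fake = AttackApp(gcm, server)
    server.broadcast(build_push_payload("update_available", version="2.1"))
    server.deliver_message("alice", "your statement is ready")
    return real, fake
```

Running `demo()` shows the split the answer relies on: both apps receive the `update_available` broadcast, only the legitimate install receives the `new_message` trigger, and the message text itself never appears in any push, so even an impostor that intercepted every payload would learn nothing beyond "something happened". `build_push_payload` is the guard rail for the server side; it refuses a caller who tries to put `message_body` or an account name into the push.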