Bit of a niche question really. When I say “securely”, I don’t mean SSL.
Basically I’ve been working on adding C2DM push messaging to my app, and on my test bed, this all works fine and notifications are received. I was following this guide:
http://blog.mediarain.com/2011/03/simple-google-android-c2dm-tutorial-push-notifications-for-android/
Now I’m all fine with that and I fully understand it, my problem is the passing of the device’s unique ID to my web server which is forwarding the messages. Say for example that in order to add the device ID to my database of IDs to message, it makes a call like so:
http://www.example.com/add_id?id=unique_id_here
Which inserts that ID into my database, adding it to the list of devices I have available to push messages to, what’s to stop someone just visiting that URL and filling my database with crap by submitting fake IDs? Is there any way I can verify the data I’m receiving there, or verify the connection is coming from my app?
Note This is now edited for a much more obvious answer; my original answer is at the end, in case anyone finds the ideas useful
This is actually pretty simple. Send the message as a POST, and provide some form of digital signature with it. This could be as simple as an MD5 hash of the (message+secret). When you receive the POST, perform the same hash, and if the hashes match:
Sadly #2 is impossible to rule out completely, all you can do is obfusticate code to raise the bar, and monitor the server for suspicious activity.
The old answer
In principal nothing; networks & handset manufacturers generally make sure a specific device doesn’t send identifying headers, because of privacy concerns and laws. Even if these were present, they could be faked.
You’ll need to authenticate a client somehow. This can be done in one of several ways:
I’m assuming the fake data is only an issue if it’s associated with the wrong device, and someone corrupting their own data is odd, but not problematic.