Hacker News new | past | comments | ask | show | jobs | submit login
IPhone Devs, don't put your private keys for push notification in your webroot (google.com)
117 points by ssclafani on March 11, 2011 | hide | past | favorite | 18 comments



I'm glad that doing it this way has never, ever occurred to me. Would you publish your private ssh key?


That is a good question: https://encrypted.google.com/search?sourceid=chrome&ie=U...


I just made encrypted.google.com my default search.


Fun fact: SSL sites don't send referer headers, so sites can't sniff your search keywords.


Unfortunate bug: if you hit encrypted.google.com on an iPhone, you're redirected to the unencrypted mobile version of the site... Not good!


https://www.google.com/m works, it looks like.


Hat tip to Billy Rios https://twitter.com/#!/XSSniper/status/46292790933590017


Fun fact: every single URL on the first page of results also has Apache directory listing enabled.


I expect that is why they are indexed - they aren't exactly going to link to their private key from another page.


Ah, good point.


Wait. Does that mean I could send messages to all users using the app which is paired to this key? Hopefully no-one finds this out :/


If you get the device tokens too, possibly. Unfortunately it looks like some of these are ALSO exposed. Argh.

http://developer.apple.com/library/ios/documentation/Network...


No - each user is assigned a token that you would also need to use in combination with the private key.


You could get all of the feedback pending for that key, as well, which would expose tokens, and potentially disrupt service.


What does having these keys allow?


A UIApplication method (registerForRemoteNotificationTypes:) negotiates with apples servers using device information to obtain a 32-byte push token unique to a given device/app pair. It is likely based on the device's global id (UDID) and the application's appid and certificates. Someone should figure out the exact network handshake.

Any app developer is capable of collecting UDIDs using their released apps (the UDID is constant and visible across all apps). Note, having the UDID does not necessarily mean you can obtain the push token. But you may be able to derive the push token from it and from information contained in the app.

Assuming you could figure out someone's push token, you could to cause a push to show up in the name of the app whose certificate/key you've obtained!


> 32-byte push token unique to a given device/app pair. It is likely based on the device's global id (UDID) and the application's appid and certificates.

This isn't quite correct, the device token is not unique per app, it's unique per device. (Technically, a device will have two tokens, one for the APNS sandbox, and the second for production.)

The device token can't be derived by mere mortals, it is a cryptographic identifier returned from APNS to the device.


Unfortunately, by a bit of digging I was able to reveal some actual push tokens. I could now send messages to an app that is not mine!




Consider applying for YC's first-ever Fall batch! Applications are open till Aug 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: