<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi Erik, thanks for answering so
quickly. I still have some gaps in my mind; I'm sure that is
because of my inexperience in that area. Maybe I was wrong choosing
UPS to cover a use case it was not designed for, but I still
think (correct me if I'm wrong) that this scenario is possible:<br>
<br>
Our Learning Management System (LMS), Sakai, distributes users into
"sites" corresponding to courses. Each student belongs to many
sites. An instructor of a course can send announcements and
messages, upload resources, etc. to a particular course site, and
those are only visible to the members of the site. <br>
<br>
We would like to reproduce that behaviour with UPS. When a user
sends an announcement to a site (and a checkbox is marked) it sends
the notification to the Messaging backend, which automatically sends
the notification with an array of aliases filled with the "username"
of the members of that site. It helps us limit who receives a
notification from which site ... <br>
<br>
Our intention with our APP is to authenticate first, to be sure
that it is a student of our university, so registration to the UPS
must be done when auth succeeds (don't let anybody who downloaded
the app register to the UPS if they don't belong to our institution).<br>
<br>
At any time, a user can choose to disconnect his account from the APP,
so we developed it so that when a user disconnects their account from the
APP it calls unregister, because we don't want the APP to
receive more notifications. (Maybe that is our first mistake?)<br>
<br>
I'm not familiar yet with iOS; we started with Android, but I
still see those security problems (I guess that is produced by my
inexperience). We are developing the APP using the Ionic framework, so
we use the Cordova client to do operations. The way we are setting it up
is with a JSON where, in the "android" section: <br>
<pre wrap="">config: {
...
...
pushServerURL: "...",
android: {
senderID: "project id",
variantID: "...",
variantSecret: "..."
}
}</pre>
<br>
The way the hybrid technology stack is built makes it very easy for a
user to connect the phone to a computer and see all the JS stuff
just using Chrome utilities. So those values are exposed and can
be used to fake the registration process. <br>
<br>
I don't know how the UPS protects against another app using the same
projectID to register to the service (I'll dive deeper to be sure
I'm doing things well), but I can't imagine another way to
prevent a user with our APP from manipulating the calls to UPS with
other aliases or categories, exposing the notifications created from
other LMS sites. I know that it's not a critical situation because
notifications should not be used to send sensitive data, but we
would like to prevent it in some way. <br>
<br>
Thanks,<br>
<br>
Alex.<br>
<br>
<br>
<br>
On 18/05/15 at 14:47, Erik Jan de Wit wrote:<br>
</div>
<blockquote
cite="mid:CAO2B-fbL7j_gsj7oXhZpsqv74hKd9024M4o8W8gH6pMufZ5-UQ@mail.gmail.com"
type="cite">
<pre wrap="">The problem is that you don't want/need to call unregister in a normal
flow. Unregister is used, for instance, when a new version of your app
drops support for push notifications.
I don't get why you are proxying the requests to UPS, because you
cannot have 2 applications receiving the same push notifications. On
iOS the bundle id makes sure of that, and on Android there is the
unique project id. So even if a second app would register with UPS it
will not get the push notifications.
On Mon, May 18, 2015 at 2:12 PM, Alex Ballesté
<a class="moz-txt-link-rfc2396E" href="mailto:alexandre.balleste@udl.cat"><alexandre.balleste@udl.cat></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi, I'm developing a mobile app for Android and iOS for our university. It
will use the AeroGear Unified Push Server to send notifications to students when
a new announcement is sent in our LMS.
We are developing the app with the Ionic framework and we are using the register
and unregister process through a custom backend service instead of directly
from the device.
We use the Cordova plugin and we call the register and unregister JS methods,
but we don't point to the push server endpoint, but to the backend server instead.
Once the backend server gets the request it creates a new request to the push
server providing variantSecret and variantID; the response received is sent
back to the app.
We would like to use this flow for security reasons. We want to avoid
users making their own apps and using those values to register and supply
aliases to get users' notifications. So the backend handles the security (tokens,
device ids, usernames, ...) and if everything is ok then the
backend generates a new request filling in the alias and real authentication
parameters and the parameters received from the app. We achieved the registration
and unregistration, but after the unregistration process is done, if we do a new
re-registration we get a success response, but then the notification didn't
arrive.
Has anybody done something similar to this approach? Do you have any
advice or trick that would be useful for us?
Thanks in advance
Alex
--
Alexandre Ballesté Crevillén alexandre.balleste at udl.cat
====================
Universitat de Lleida
Àrea de sistemes d'Informació i Comunicacions
Analista/Programador
University of Lleida
Information and Communication Systems Service
Tlf: +34 973 702148
Fax: +34 973 702130
=====================
Avís legal/Aviso legal/Avertiment legal/Legal notice
_______________________________________________
Aerogear-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Aerogear-users@lists.jboss.org">Aerogear-users@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/aerogear-users">https://lists.jboss.org/mailman/listinfo/aerogear-users</a>
</pre>
</blockquote>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
<p>Alexandre Ballesté Crevillén alexandre.balleste at udl.cat<br>
====================<br>
Universitat de Lleida<br>
</p>
<p>Àrea de sistemes d'Informació i Comunicacions</p>
<p>Analista/Programador</p>
<br>
<p>University of Lleida</p>
<p>Information and Communication Systems Service</p>
<br>
<p>Tlf: +34 973 702148</p>
<p>Fax: +34 973 702130</p>
<p>=====================</p>
<p>
<a href="http://www.imatge.udl.cat/avis_legal_lopd.html">Avís
legal/Aviso legal/Avertiment legal/Legal notice</a>
</p>
</div>
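<p>The following is an added example and is not code from this thread, from the University of Lleida app, or from the AeroGear project. It sketches the backend "registration proxy" Alex describes in Node.js: the app never holds variantID/variantSecret, it authenticates to the backend, and the backend registers the device with UPS using an alias and categories taken from its own records rather than from the client. The names SESSIONS, SITE_MEMBERS, UPS, sitesFor, buildRegistrationRequest and buildSiteAnnouncement are hypothetical; the session tokens and site membership are constructed sample data; and the UPS REST paths (/rest/registry/device, /rest/sender) and HTTP Basic scheme are assumed from the UnifiedPush Server REST API, so check them against the version you deploy.</p>

```javascript
// Added example (not from the thread or from AeroGear): a minimal backend
// registration proxy for AeroGear UnifiedPush. The mobile app only sends a
// session token and its FCM/APNs device token; alias and categories are
// decided here from server-side records, so a user who dumps the hybrid
// app's JS and replays the registration call cannot subscribe to other
// users' or other sites' notifications.

// Constructed sample data: session tokens and LMS site membership.
const SESSIONS = { "tok-alice": "alice", "tok-bob": "bob" };
const SITE_MEMBERS = {
  "course-101": ["alice", "bob"],
  "course-202": ["bob"],
};

// Variant and application credentials live only on the server (hypothetical values).
const UPS = {
  pushServerURL: "https://push.example.edu/ag-push",
  variantID: "example-variant-id",
  variantSecret: "example-variant-secret",
  pushApplicationID: "example-app-id",
  masterSecret: "example-master-secret",
};

// HTTP Basic credentials as UPS expects them (assumed: variantID:variantSecret
// for device registration, pushApplicationID:masterSecret for sending).
function basicAuth(user, secret) {
  return "Basic " + Buffer.from(`${user}:${secret}`, "utf8").toString("base64");
}

// Sites a user belongs to, derived from the server's own membership table.
function sitesFor(username) {
  return Object.keys(SITE_MEMBERS).filter((s) => SITE_MEMBERS[s].includes(username));
}

// Build the device-registration request the backend sends to UPS on behalf
// of an authenticated user. Any alias/categories in clientPayload are
// ignored: alias is the authenticated username, categories are that user's sites.
function buildRegistrationRequest(authToken, clientPayload) {
  const username = SESSIONS[authToken];
  if (!username) throw new Error("unauthenticated: registration refused");
  const { deviceToken } = clientPayload || {};
  if (typeof deviceToken !== "string" || deviceToken.length === 0) {
    throw new Error("missing deviceToken");
  }
  const body = {
    deviceToken,
    deviceType: "ANDROID",
    operatingSystem: "android",
    osVersion: String(clientPayload.osVersion || "unknown"),
    alias: username,                // server-chosen, never client-chosen
    categories: sitesFor(username), // server-chosen, never client-chosen
  };
  return {
    method: "POST",
    url: `${UPS.pushServerURL}/rest/registry/device`,
    headers: {
      "Content-Type": "application/json",
      Authorization: basicAuth(UPS.variantID, UPS.variantSecret),
    },
    body: JSON.stringify(body),
  };
}

// Build the sender request for a site announcement. The alias list is the
// site's current members, so even a device that somehow registered under a
// foreign alias only receives what the backend addresses to that alias.
function buildSiteAnnouncement(siteId, text) {
  const members = SITE_MEMBERS[siteId];
  if (!members) throw new Error(`unknown site ${siteId}`);
  return {
    method: "POST",
    url: `${UPS.pushServerURL}/rest/sender`,
    headers: {
      "Content-Type": "application/json",
      Authorization: basicAuth(UPS.pushApplicationID, UPS.masterSecret),
    },
    body: JSON.stringify({ message: { alert: text }, criteria: { alias: members } }),
  };
}

// Demo: a tampered client holding alice's session tries to register as "bob"
// with bob's sites; the proxy registers alice with alice's sites instead.
const forged = buildRegistrationRequest("tok-alice", {
  deviceToken: "constructed-fcm-token",
  alias: "bob",
  categories: ["course-202"],
});
console.log(JSON.parse(forged.body).alias, JSON.parse(forged.body).categories);
// alice [ 'course-101' ]
```

<p>The functions only build the requests; the real backend would send them with its HTTP client and relay the UPS status to the app. Note that the "disconnect" case in the thread does not need a UPS unregister call in this design: the backend can simply stop including that user's alias in the sender criteria (or drop its stored session) until they log in again.</p>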
</body>
</html>