Reputation: 41
What is the identification and authentication mechanism GCM uses for devices, especially given Google doesn't require any Google account configured on the device starting from Android 4.0.4 for GCM notifications to work? How does this mechanism prevent GCM session hijack?
That is, how can the authentication mechanism prevent rogue applications from reading data on a device (a. on rooted devices, b. on non-rooted devices) and using that information from a different computer to establish a session with the GCM server and receive push notifications intended for the original device?
Also, are there any known vulnerabilities?
Upvotes: 3
Views: 1317
Reputation: 15762
The network transport for GCM hasn't been publicly documented. That said, here are the parts that are publicly documented...
In general, GCM messages are received by a dedicated service and then forwarded to individual applications. This service is responsible for communicating with (and authenticating to) Google's servers. Since all communication goes through this service, applications never have direct access to the GCM transport. Also, the application sandbox prevents apps on non-rooted devices from accessing memory or files owned by other packages.
Rooted devices are more complicated. In general, I recommend against rooting devices, since it breaks part of Android's security model. An app with root privileges would be able to read files or memory from any other app. Many community-developed Android distributions include additional protections (like the Superuser utility) that help manage which apps can obtain root privileges, to help prevent these kinds of attacks.
I'm not aware of any attacks directly on the GCM protocol.
Upvotes: 2