How can I prevent users from maliciously calling HUAWEI Push Kit's message receipt function API when I use the function?

2
votes

Since Google forbids new Huawei devices from using GMS, Huawei mobile phone users of my app often complain that they can't receive notification messages. So I recently started using HUAWEI Push Kit. The integration process is smooth. I have finished the integration and released my app on HUAWEI AppGallery. The users can now receive notification messages.

But now I've found the following problem relating to push data:

With FCM, I can use BigQuery to further analyze message push data, such as the number of sent messages and the number of received messages. For example, I can execute the following statement to collect statistical data on the number of sent messages by app:

SELECT app_name, COUNT(1)
FROM `project ID.firebase_messaging.data`
WHERE
_PARTITIONTIME = TIMESTAMP('date as YYYY-MM-DD')
AND event = 'MESSAGE_ACCEPTED'
AND message_id! =''
GROUP BY 1;

I read the HUAWEI Push Kit documents but did not find a function similar to BigQuery.

However, I found the message receipt, which can also be used for collecting statistical data. Therefore, I developed a receipt API and configured it on the Push Kit console. After testing, I can now receive the push data.

Now, when I plan to release my app, I need to verify the caller because the message receipt API is publicly available on the public network. How can I verify the caller to prevent malicious API calling?

1
push-notificationhuawei-mobile-serviceshuawei-push-notification
I assume we're talking about this: developer.huawei.com/consumer/en/doc/development/HMS-Guides/…. If I understand correctly it's the Huawei servers that communicate with your receipt API. You can just restrict all callers except those coming from Huawei domain.m0skit0
Do you have some related info about FCM BigQuery and HUAWEI Push Kit message receipt?user13319119
@LilaGreco please kindly refer to this article, [link](forum.xda-developers.com/android/huawei-developers/… )bigface

1 Answers

2
votes

HUAWEI Push Kit's message receipt function allows user names and passwords to be set for identity verification. You can use this function to prevent malicious API calls. The process is as follows:

  1. Set the user name and password when configuring the message receipt on the HUAWEI Push Kit console.
  2. When Huawei calls your receipt API, the X-HUAWEI-CALLBACK-ID parameter is added to the HTTP header. The parameter value consists of the following parts:

a. timestamp: UTC timestamp of the system.

b. nonce: random UUID.

c. value: string finally obtained after the to-be-encrypted string (consisting of the value of timestamp, value of nonce, and callback user name) is encrypted using the set password in HMAC-SHA256 algorithm and then encoded using Base64.

For example:

timestamp=1563105451261;nonce=a07bfa17-6d82-4b53-a9a2-07cfef5ceef1;value=E4YeOsnMtHZ6592U8B9S37238E+Hwtjfrmpf8AQXF+c=
  1. When receiving a request, the receipt API can obtain the value of X-HUAWEI-CALLBACK-ID in the HTTP header to check whether the caller is valid.

For more information, visit Message Receipt