Since Google forbids new Huawei devices from using GMS, Huawei mobile phone users of my app often complain that they can't receive notification messages. So I recently started using HUAWEI Push Kit. The integration process was smooth. I have finished the integration and released my app on HUAWEI AppGallery. The users can now receive notification messages.

But now I've found the following problem relating to push data:

With FCM, I can use BigQuery to further analyze message push data, such as the number of sent messages and the number of received messages. For example, I can execute the following statement to collect statistical data on the number of sent messages by app:

SELECT app_name, COUNT(1)
FROM `project ID.firebase_messaging.data`
WHERE
_PARTITIONTIME = TIMESTAMP('date as YYYY-MM-DD')
AND event = 'MESSAGE_ACCEPTED'
AND message_id != ''
GROUP BY 1;

I read the HUAWEI Push Kit documents but did not find a function similar to BigQuery.

However, I found the message receipt, which can also be used for collecting statistical data. Therefore, I developed a receipt API and configured it on the Push Kit console. After testing, I can now receive the push data.

Now, when I plan to release my app, I need to verify the caller because the message receipt API is publicly available on the public network. How can I verify the caller to prevent malicious API calling?

zhangxaochen
bigface
    I assume we're talking about this: https://developer.huawei.com/consumer/en/doc/development/HMS-Guides/push-receipt. If I understand correctly it's the Huawei servers that communicate with your receipt API. You can just restrict all callers except those coming from Huawei domain. – m0skit0 Jun 23 '20 at 08:32
  • Do you have some related info about FCM BigQuery and HUAWEI Push Kit message receipt? –  Jun 24 '20 at 08:28
  • 3
    @LilaGreco please kindly refer to this article, [link](https://forum.xda-developers.com/android/huawei-developers/obtaining-data-android-devices-google-t4124403) – bigface Jul 01 '20 at 12:17

1 Answer

HUAWEI Push Kit's message receipt function allows user names and passwords to be set for identity verification. You can use this function to prevent malicious API calls. The process is as follows:

  1. Set the user name and password when configuring the message receipt on the HUAWEI Push Kit console.
  2. When Huawei calls your receipt API, the X-HUAWEI-CALLBACK-ID parameter is added to the HTTP header. The parameter value consists of the following parts:
     a. timestamp: UTC timestamp of the system.
     b. nonce: random UUID.
     c. value: the string finally obtained after the to-be-encrypted string (consisting of the timestamp value, the nonce value, and the callback user name) is encrypted with the set password using the HMAC-SHA256 algorithm and then Base64-encoded.

     For example:

     timestamp=1563105451261;nonce=a07bfa17-6d82-4b53-a9a2-07cfef5ceef1;value=E4YeOsnMtHZ6592U8B9S37238E+Hwtjfrmpf8AQXF+c=
  3. When receiving a request, the receipt API can obtain the value of X-HUAWEI-CALLBACK-ID from the HTTP header to check whether the caller is valid.

For more information, visit Message Receipt

zhangxaochen
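A receipt-endpoint check following the scheme described in this answer, as an added example (not Huawei's code and not the asker's): it parses the X-HUAWEI-CALLBACK-ID header, recomputes the HMAC-SHA256 over timestamp, nonce and callback user name with the console password as the key, compares in constant time, and additionally rejects stale timestamps and reused nonces. The exact layout of the signed string (plain concatenation in the order listed, no separators) is an assumption; confirm it against the Huawei Message Receipt documentation.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Assumption: the signed string is timestamp, nonce and callback user name
# concatenated in that order with no separator. The page lists the parts but
# not the layout; check the Huawei Message Receipt documentation.
SIGNED_FORMAT = "{timestamp}{nonce}{username}"


def expected_value(timestamp: str, nonce: str, username: str, password: str) -> str:
    """HMAC-SHA256 over the signed string, keyed with the console password, Base64-encoded."""
    to_sign = SIGNED_FORMAT.format(timestamp=timestamp, nonce=nonce, username=username)
    mac = hmac.new(password.encode("utf-8"), to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def parse_callback_id(header: str) -> dict:
    """Split 'timestamp=...;nonce=...;value=...' into a dict (value itself may contain '=')."""
    fields = dict(item.split("=", 1) for item in header.split(";") if "=" in item)
    missing = {"timestamp", "nonce", "value"} - fields.keys()
    if missing:
        raise ValueError(f"X-HUAWEI-CALLBACK-ID missing {sorted(missing)}")
    return fields


def verify_callback_id(header: str, username: str, password: str, seen_nonces: set,
                       now_ms: Optional[int] = None, max_skew_ms: int = 300_000) -> bool:
    """True only if the MAC matches, the timestamp is fresh and the nonce is unused."""
    try:
        fields = parse_callback_id(header)
        ts = int(fields["timestamp"])           # header timestamp is in milliseconds
    except ValueError:
        return False
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if abs(now_ms - ts) > max_skew_ms:          # stale or future-dated: reject
        return False
    if fields["nonce"] in seen_nonces:          # replayed nonce: reject
        return False
    good = expected_value(fields["timestamp"], fields["nonce"], username, password)
    if not hmac.compare_digest(good, fields["value"]):  # constant-time comparison
        return False
    seen_nonces.add(fields["nonce"])            # remember the nonce only after success
    return True
```

In a real deployment the nonce set needs a bounded store (expire entries older than the skew window), since the timestamp check already limits how long a nonce must be remembered.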
  • How does this prevent an attacker from including this same header in his request? I don't see any information about user and password in what you described. – m0skit0 Jun 23 '20 at 14:02
  • 1
    @m0skit0 OK. I added info about password. – zhangxaochen Jun 24 '20 at 02:56
  • Thanks! However this information is not stated on the docs you linked, do you have a link to this? – m0skit0 Jun 24 '20 at 07:20
  • https://developer.huawei.com/consumer/en/doc/HMSCore-References/https-send-receipt-api-0000001051066120#section18743155123919 @m0skit0 – Hunter Sep 22 '21 at 12:30