Should APNS Tokens be encrypted?

So, I was wondering, since users send their APNS tokens to the APNS provider in order to receive push notifications, should the tokens be encrypted? Is SSL necessary?

From what I figure, there is no real sensitive data in the token. If someone actually managed to sniff the token from a user, he still would have to obtain my push certificate. And if he managed to do that (he won't ;-)) all he could do is send spam notifications to this particular user. Is that correct? Or did I miss something?

Also, I assume that it's not possible to identify a device (or more importantly, its user) based on an APNS token?

So, I want to assure that, if someone sniffs a push notification registration from one of my clients (the registration contains the APNS token and the information the user is interested in, and the connection is unencrypted so everything is readable in plain text) ...

  • he still has to obtain my push certificate to be able to bother my client in any way
  • he knows that someone is interested in this information, but has no way to identify who my client is

Can I rest assured? Thanks in advance!


    SSL is almost never a BAD idea. Lack of SSL means your users will be susceptible to all sorts of nastiness like DNS poisoning, man in the middle, or sniffing.

    Maybe you're worried about the cost of an SSL cert, or the overhead on your servers? I don't know - but I'm just sayin' - probably worth considering if you're getting paid to provide some service or are collecting personally identifiable information.

    Otherwise your points in the post were pretty much right on. The fact is someone would need your push certificate to send out those messages to those users.

    Also, I assume that it's not possible to identify a device (or more importantly, its user) based on an APNS token?

    Prior to iOS 5, that ID was consistent across all apps - so aggregate stats companies were able to use the ID to identify a specific user somewhat... at least to know "this is the same person". But that changed recently, and it's now a random per-app ID.
