How is a push notification device token tied to the device?

On the subject of the Apple Push Notification Service (APNS) and according to the iOS developer documentation here:

https://developer.apple.com/library/mac/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/ApplePushService.html


'The device token you provide to the server is analogous to a phone number; it contains information that enables APNs to locate the device on which your client app is installed. APNs also uses it to authenticate the routing of a notification.'


Is a device token guaranteed to be tied to actual iOS hardware? If so, how is this guaranteed?

Searching the iOS security guide sheds little light on this subject: https://www.apple.com/business/docs/iOS_Security_Guide.pdf


For security reasons, I need to be able to guarantee that a push notification can only be received by real iOS devices.


Any information on this would be most appreciated.


Kind Regards,


D L

The same document also says:

Token trust ensures that notifications are routed only between legitimate start and end points. Token trust involves the use of a device token, which is an opaque identifier assigned to a specific app on a specific device. Each app instance receives its unique token when it registers with APNs and must share this token with its provider. Thereafter, the token must accompany each notification sent by your provider. Providing the token ensures that the notification is delivered only to the app/device combination for which it is intended.

If that doesn't answer your question, can you be more specific about what you view as a security threat?
