Scenario: Suppose by reverse engineering a .apk file, an attacker obtains the SENDER ID for Push Registration Service used in an App. The attacker develops a similar fake application which has same/different package name and has been uploaded on a different app store than Google Play.
My question: Can he/she use the same SENDER ID with the app? What are the implications of that for the user who installs that fake application?
Related Questions: google cloud messaging security question seems to be a bit similar. Also answer of Android GCM: same sender id for more application question provides valuable information. Reading both the accepted answers the conclusion seems to be that it is absolutely possible and that's why it is recommended not to have sensitive data in Push Messages.
But that doesn't seem to be the solution to the problem. I am unable to understand the effect of the above security lapse.
See Question&Answers more detail:os
