The Telerik Platform product is retired.Learn more

Security of Push Notifications

Security of Push Notifications

You can think of push notifications security in terms of device registrations, push notifications records, and sending control. The former two are subject to the Telerik Platform security model and cannot be changed but you can control who can send push notifications.

Device Registrations Security

A device registration describes a single device that has been registered for push notifications in your Telerik Platform application. The object that represents the registration contains required system properties such as push token, device model, operating system type, time zone, etc. as well as custom parameters that you have added during registration.

Due to the nature of how push notifications work, everyone is allowed to register a device (create a device registration) for push notifications without authorization. As for reading, modifying, and deleting, a device registration can only be manipulated from the same hardware ID that registered the device or by using the app's master key.

Push Notifications Records Security

Each push notification that you send from Telerik Platform is stored in your backend. Access to these records, including to unsent push notifications, is limited to using the master key. The only exception is sending (creating) push notifications.

More information can be found in the respective Administration API section.

Sending Control

Push notifications can be sent by you to devices or by a device user to other device users. In the latter case, it is important that sending is a subject to proper authorization.

Take these steps to control who is allowed to send push notifications from user devices:

  1. Log in to the Telerik Platform portal.
  2. Click your app.
  3. Navigate to Notifications > Push Notifications > Permissions.
  4. Set the Client Push Notifications setting as described in the next table.
Value Description
Allow Push notifications originating from a user device are allowed. Anyone can send push notifications to all registered devices. No authorization is required. This setting is only recommended for testing. It enables anyone who knows your App ID to send push notifications to all registered devices.
Limit Push notifications originating from a user device can only be sent using a filter that employs an $eq or $in selector acting on at least one of the Id, HardwareId, or UserId fields. Additional filter criteria are allowed. This is the default value for new apps.
Deny Push notifications originating from a user device are disabled. You can send push notification using master key authentication only.

The recommended way of sending push notifications is to keep the setting to Limit or Deny and use the master key to send from Cloud Code.

You can implement more granular control through a Cloud Function that sends push notifications. In this case, set Client Push Notifications to Deny and then set the Cloud Function's permissions according to what you want to achieve.

Limit examples:

Single criterion:

Filter: {"HardwareId": {"$eq":"BF807B53-0995-4933-A1B1-9AA31128E8DA"}}
Filter: {"UserId": {"$eq":"c473ea73-f7c0-11e4-87db-713680c9d2da"}}

Additional criterion:

Filter: {"HardwareId": {"$eq":"BF807B53-0995-4933-A1B1-9AA31128E8DA"}, "PlatformType": 4}

See Also

Contact us: +1-888-365-2779
Copyright © 2016-2018, Progress Software Corporation and/or its subsidiaries or affiliates. All rights reserved.