Android Server Data Encryption

The VMP Server needs to authenticate itself with the GCM. This is done via an authentication token that is determined with an HTTP POST request to the GCM servers.

The token is stored on the VMP Server and is used to authenticate the application server with the GCM servers once it sends out data. In a GCM, you have three involved parties: the VMP Server that wants to push messages to the Android device, the Google GCM servers, and the Vocera Collaboration Suite client application.

For the server to send a message, the application must have a registration ID that allows it to receive messages for a particular device. The registration keys are securely stored within the SQL database.

The ClientLogin token authorizes the server to send encrypted data to the client application on the Android device. The server has one ClientLogin token and multiple registration IDs. Each registration ID represents a particular device that has registered to use the messaging service for Vocera Collaboration Suite.

When the VMP Server sends data, the following occurs:

  1. The VMP Server sends data to the GCM servers.
  2. Google queues and stores the message in case the device is inactive.
  3. When the device is online, Google sends the message to the device.
  4. On the device, the system broadcasts the message to the specified application via Intent broadcast with proper permissions, so that only the targeted application gets the message. This wakes the application up. The application does not need to be running beforehand to receive the message.
  5. The application processes the secure data.

This is the sequence of events that occurs when an Android application running on a mobile device receives a message:

  1. The system receives the incoming message and extracts the raw key/value pairs from the message payload.
  2. The system passes the key/value pairs to Vocera Collaboration Suite.
  3. The Android application extracts the raw data from the RECEIVE Intent by key and processes the data.