What are consequences of having GCM SENDER ID being exposed?

Question

Scenario: Suppose by reverse engineering a .apk file, an attacker obtains the SENDER ID for Push Registration Service used in an A

Answer 1

They will not be able to use your GCM Sender ID to publish notifications.

Remember that when you obtained the Sender ID, you have to also submit your application's package name and your release signing key's SHA-1 signature. That signature is bound to the GCM Sender ID so that only applications signed by your release key are able to register and receive GCM notifications.

Google Play will also not allow apps with duplicate package name to be published, so nobody can create a fake app with your package name that is already in the Play store.

However, nothing is 100% secured. I presume a hacker could also figure out your SHA-1 signing key and hack the APK in such a way to fool the system to think the app is signed by your release key. I have seen apps are 'cracked' this way to circumvent Android licensing library. This could potentially fool GCM server to think the fake app is authorized to receive GCM messages. However, the 'cracked' apps are still not allowed to be published to Google Play, so the risk of legitimate users getting it is quite small.