Firebase messaging without server XMPP server - Proposal

Question

I know this question has been asked too many times. But I have something to propose and need to know if it makes sense.

I am already using Firebase database. All I need a server is to make a POST call to Firebase messaging. But what if the app makes the same POST call? Now I understand that there is a security risk aligned with this model. Apps can be decompiled and the server key can be extracted. But as I am already using Firebase database, what if I keep the key in my database and request when I need it.

Please let me know if this sounds good or does it have any drawbacks other than one increased call to my database.

Answer 1

The only way to keep your FCM server key secure, is to not expose it to devices of untrusted clients.

If you store the FCM server key in the database, you'll need to store it in a place that is somehow accessible to the users of your app who you want to allow to send FCM messages.

If the FCM server key is accessible to those users, they can take the key and abuse it. If you only allow access to this value to a tiny subset of your users, you'll have reduced the risk to that smaller group of users. And if those are untrusted clients, then your still exposing the key to untrusted clients.

So you're adding a layer of indirection, but I would not consider it a lot more secure.