0

For a little project I want to send push notifications directly from the app (without a backend).

As I read from the FCM documentation while this is technically possible with a simple HTTP POST request it's discouraged because in this way I have to hard-code the server key that will become easily retrievable with a little of reverse engineering.

So I though to add my server key in the Firebase remote configuration and use that.

What do you think? Are there some contraindications?

Thank you very much.

AL.
  • 36,815
  • 10
  • 142
  • 281
Gnammo
  • 255
  • 2
  • 8

1 Answers1

2

Storing the key in Firebase Remote Config doesn't make the approach secure. After all: the app still needs to be able to access the key and thus remote config.

Any solution that uses the server key in the client-side code is susceptible to abuse.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • Hi Frank, thanks for the clear explanation. Do you have any suggestions to handle the authentication on my simple server in order to avoid non-authorized push sent? – Gnammo Mar 07 '17 at 11:41