
As part of our solution, we want to deploy an FCM "app server" at each of our customer sites. Each customer site has its own users with their own devices using our app. However, we want to make sure that if one of the customer sites is compromised, an attacker could not abuse the FCM "app server" (e.g. by sending notifications to all devices at all customer sites).

Instead of sharing credentials between all customer sites, we are thinking of generating a unique server key for each customer site. That way if one customer site is compromised, we can disable that server key and stop any more FCM notifications from being sent.

Question: Can we be sure that an attacker cannot send global notifications to all devices?

  • Assuming an attacker has a server key and access to one customer site "app-server", can they get a list of all the registered devices?
  • Is there a default notification "topic" that is sent to all devices? (e.g. /topic/all or /topic/global). If so, can we disable that default topic?
user1727021
  • What do you mean by "server key" and how would it be used with FCM? – camden_kid Apr 20 '17 at 16:02
  • The server key is used by the "app server" to authenticate with the FCM connection servers. Here are more details: https://firebase.google.com/docs/cloud-messaging/server – user1727021 Apr 20 '17 at 16:19
  • I thought that was what you meant but how is it possible to have multiple server keys for one Firebase account? From what I understand there is only one. – camden_kid Apr 20 '17 at 16:28
  • It's odd that I've seen that stated too. However, we can definitely add multiple server keys. Here are the steps: **1.** Go to Firebase Console https://console.firebase.google.com **2.** Click on the gear icon on the top left corner **3.** Click on "Project Settings" **4.** Click on the "Cloud Messaging" tab **5.** Notice that under the first section "Project credentials" there is a big blue button on the right "Add Server Key" This seems to do the trick, or perhaps there is something I am misinterpreting about the function or interaction of multiple server keys. – user1727021 Apr 20 '17 at 16:33
  • Interesting... Does it work? – camden_kid Apr 20 '17 at 16:42
  • I haven't tried it yet, but there is no distinguishable difference between the generated server keys (also called "server tokens" when I go to delete one). I just found in the documentation that each (customer site) "app server" should have a different _sender id_ **and** _server key_. However, according to the documentation [Receiving messages from multiple senders](https://firebase.google.com/docs/cloud-messaging/concept-options#receiving-messages-from-multiple-senders) there is a limit of 100 senders, which is not acceptable for us. – user1727021 Apr 20 '17 at 16:49
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/142201/discussion-between-user1727021-and-camden-kid). – user1727021 Apr 20 '17 at 16:51

2 Answers


> Instead of sharing credentials between all customer sites, we are thinking of generating a unique server key for each customer site. That way if one customer site is compromised, we can disable that server key and stop any more FCM notifications from being sent.

If by "we are thinking of generating a unique server key for each customer site" you mean that you'll simply create a Firebase Project for each customer site, then I think this is the correct approach.

> Can we be sure that an attacker cannot send global notifications to all devices?

An app can receive messages from a different Sender by implementing `getToken(authorizedEntity, scope)`, which will generate a different token for each Sender. In order to negate this action, you could simply call `deleteToken(authorizedEntity, scope)` (my reference).

This would invalidate the token for that corresponding sender (which is what they probably have and should be the only one on their App Server), which would automatically disable them for receiving messages to your App.

So as long as you're able to remove them as a valid sender from your app, then it's all good.

> Assuming an attacker has a server key and access to one customer site "app-server", can they get a list of all the registered devices?

This depends on how the App Server is implemented. If the customer's App server is only used for sending messages, but the tokens are stored elsewhere, then probably no. There is no API to retrieve registration tokens on the server side for an App based on the Server Key (see #1 here).

> Is there a default notification "topic" that sends to all devices? (e.g. /topic/all or /topic/global). If so, can we disable that default topic?

There isn't. There is the option to send a Notification to a specific app via the Firebase Notifications Console, but if the app doesn't authorize the Sender ID corresponding to that project, it won't receive any messages from it. I've tested this behavior out before posting, so I'm positive that this is how it works.

AL.
  • Re: "...create a Firebase Project for each customer site"... We weren't actually planning on doing this. We are able to create multiple server keys for the same sender id, so we planned on generating a one server key for each customer using the same project. What would be the benefit of setting up a new Firebase Project for each customer? Would we have to create a new Firebase Account for each customer or just create a new Firebase Project within the same Firebase account? – user1727021 Apr 21 '17 at 14:23
  • Answering part of my own question: yes, I can create multiple projects for the same app. Still wondering why this is beneficial over generating multiple server keys for multiple customers under the same project @AL. – user1727021 Apr 21 '17 at 15:36
  • Having a separate project for each client would also give them the option of sending their own messages from the Notifications Console via their own account (if they decide to create their project to be on a separate account). The multiple Server Keys could work, but there might be a possibility of a *mix-up* with the Server Keys. In that scenario, wouldn't specifically disabling a project sender be easier? A *mix-up* in the senders is also possible, but it's easier to identify since each project is named in the console. Nonetheless, the implementation would be your choice. Cheers! – AL. Apr 21 '17 at 23:08

There is no way to restrict a server key to only allow certain topics/devices/etc.

I would consider using Cloud Functions for Firebase to solve this a different way. You could build an HTTPS function that took per-site authorization tokens (by any means you deem fit) and then that function calls through to Firebase Cloud Messaging to actually send the push notifications.

This way, you have complete control over what kinds of push notifications can be sent by the "client" sites, and you don't have to worry about cascading security problems in the event a client site gets compromised.

Michael Bleigh