How to protect FCM service with permission or something

Question

I developed an android app with fcm implementation. After completion I done the app vulnerability testing and got the below result.

(com.app.MyFirebaseMessagingService) is not Protected. An intent-filter exists.

high

A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Service is explicitly exported.

Same result I got for the service MyFirebaseInstanceIDService. Below is my Manifest file code.

        <service android:name="com.app.MyFirebaseMessagingService">
            <intent-filter>
                <action android:name="com.google.firebase.MESSAGING_EVENT" />
            </intent-filter>
        </service>
        <service android:name="com.app.MyFirebaseInstanceIDService">
            <intent-filter>
                <action android:name="com.google.firebase.INSTANCE_ID_EVENT" />
            </intent-filter>
        </service>

Usually we will add a custom permission to protect a service from get accessed by other application. But how to do that for FCM service? or any other solution for this problem? Please help.

score 3 · Answer 1 · answered Jun 14 '17 at 12:44

3

you don't have to worry about firebase take care of the security side link

FirebaseInstanceIdService performs security checks at runtime, no need for explicit permissions despite exported="true"

answered Jun 14 '17 at 12:44

Oussema Aroua

5,225
1
24
44

How to protect FCM service with permission or something

1 Answers1