I'm making a notification submission process in android studio and I know it's not safe to leave the Firebase Cloud Messaging Server Key in the source code directly, so would it be safe if I put the key directly through the Realtime Database dashboard into a node and retrieve the key from the source code using valueSingleEventListener every time I send a notification?
Asked
Active
Viewed 1,249 times
1 Answers
0
No. While loading the key dynamically is marginally more secure than storing the key in the application code itself, it's still no barrier for a malicious user. It's really quite simple: to securely send messages from one device to another device with Firebase Cloud Messaging you'll need to run code in a trusted environment, such as your development machine, a server that you control, or Cloud Functions.
Also see:
- Retrieve the FCM server key from the Firebase remote configuration
- Firebase server key and sender id exposed to public
- Is FCM on the web secure without an app server?
- Firebase messaging without server XMPP server - Proposal
- Where should I store my FCM server key if not on client side for security? iOS?
Frank van Puffelen
- 565,676
- 79
- 828
- 807
-
But in case it would not be safe if the misguided person could find out my Firebase account email and password, right? Because if I only have the Firebase account password, only I can see the data from the database – jvoaojvictor Jun 29 '19 at 21:14
-
If someone gets your Google account credentials that you use to sign in to the Firebase console, then indeed they have access to all your data *including* the FCM server keys. The difference is that someone getting access to your Google account credentials is not a normal part of building an app, while sending the app to your users is a normal part of that. – Frank van Puffelen Jun 30 '19 at 04:28