1

I have an Android app set up to receive FCM push notifications. The app registers with my server with the FCM token. My idea is to prove that the token comes from my app by sending a push notification to the token. It will only arrive at my app, right?

I am wondering if a bad actor could extract the FCM secrets (configured with google-services.json) from my app, make an app with my package name, and trick people into installing it on their device. When the malicious app registers to my server, I suspect that I can't tell if it's coming from the right app. I also suspect the if I send a push notification to the token, it will be sent without errors. Am I correct?

Any help here is much appreciated.

Nikolaj
  • 25
  • 5
  • in fact the only app which reads message is google service ... it checking package name AND KEY used to sign the app ... and then send message to this app (if both are what it expects)... so if malicious app will not be signed with the same key as your app it will not recive the message .... more over malicious app cannot get right token from google service as it's not signed with right key – Selvin Oct 06 '21 at 11:29

1 Answers1

0

There are no secrets from google-services.json that get embedded in your app. See my answer here: Is it safe to expose Firebase apiKey to the public?

With the information in google-services.json all you can do is receive messages, you won't be able to send them with just that information.

To send messages to a user you also need to specify the FCM server key when calling the API (or provide credentials otherwise that prove you're an authorized collaborator on the project). This information is not available in the google-services.json and should never be used in the client-facing application code.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807