
After I published my app to the Google Play Console, Google Play support warned me that they found

security vulnerabilities for users

Leaked GCP FCM Server Keys

Your app(s) expose FCM server keys.

To address this issue, follow the steps in this Google Help Center article.

com.example.mypackagename.FcmNotificationsSender. AAAA0grk2WQ:APA91bGNcZOBZDFe16892r_c-.....2HMowk2VyaBWN_62b

Actually, I am trying to send notifications from one device to another through FCM in my app, like messaging applications do. For that, I am using the legacy FCM API, and I included the FCM server key directly in my app to send notifications between devices, which is not a good idea, as written in the Google Help Center article.

So, how can I fix the exposed FCM server keys? Or, if FCM does not support sending push notifications directly from devices, then what is the best way to send notifications directly? Thanks!

Frank van Puffelen
    *firebaser here* Sorry to hear about the security scare. Calls to the FCM REST API require that you specify the FCM *server* key in your code. As its name implies, this key should only be used in server-side code, or in an otherwise trusted environment. The reason for this is that anyone who has the FCM server key can send whatever message they want to all of your users. By including this key in your Android app, a malicious user can find it and you're putting your users at risk. See https://stackoverflow.com/a/37993724 for a better solution. – Frank van Puffelen Jul 27 '22 at 03:52
  • The only solution is to implement an architecture like outlined there (and in the documentation), revoke/delete your existing FCM key, and start sending messages with a new key that is only used in trusted environments. – Frank van Puffelen Jul 27 '22 at 03:54
  • @Frank van Puffelen Can I add the server key into the Firebase Realtime Database instead of my code and request it only when I need it? – Abhay Kumar Tiwari Jul 27 '22 at 05:01
  • Technically that is possible, but it leaves the same security risk as a malicious user can make the same call to the database or find the value in the running app. As said in my linked answer: securely sending messages through FCM is only possible from a trusted environment. – Frank van Puffelen Jul 27 '22 at 14:08
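The "trusted environment" the comments describe, as an added example that is not code from the question, from Firebase or from the linked answer: the core of a callable Cloud Function that relays device-to-device messages. The app sends only `{toUid, text}` together with its Firebase ID token (the Functions client SDK attaches the token); the function holds the FCM credential through the Admin SDK, decides whether the sender may message the recipient, picks the recipient's registration token itself and builds the message. The database paths `users/{uid}/fcmToken` and `contacts/{uid}/{otherUid}`, the 1 KiB text cap and the UID format are assumptions; `memoryDeps` is an in-memory stand-in so the authorization logic runs without a Firebase project.

```javascript
// Added example, not code from the question, from Firebase or from the
// linked answer: the server-side relay the comments call for. The FCM
// credential lives only here (in the Admin SDK), never in the app.
// Database paths, the text cap and the UID format are assumptions.

const MAX_TEXT_BYTES = 1024;             // assumed cap on a single message body

class RequestError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;                    // maps onto functions.https.HttpsError codes
  }
}

// Accept only what the client is entitled to choose. Anything else it
// sends (a registration token, a topic, a data payload, a "serverKey")
// is dropped here rather than forwarded to FCM.
function validateRequest(auth, data) {
  if (!auth || typeof auth.uid !== "string") {
    throw new RequestError("unauthenticated", "sign in first");
  }
  if (!data || typeof data.toUid !== "string" || !/^[A-Za-z0-9]{1,128}$/.test(data.toUid)) {
    throw new RequestError("invalid-argument", "toUid malformed");
  }
  if (data.toUid === auth.uid) {
    throw new RequestError("invalid-argument", "cannot message yourself");
  }
  if (typeof data.text !== "string" || data.text.length === 0 ||
      Buffer.byteLength(data.text, "utf8") > MAX_TEXT_BYTES) {
    throw new RequestError("invalid-argument", "text missing or too long");
  }
  return { fromUid: auth.uid, toUid: data.toUid, text: data.text };
}

// The target token is chosen server-side from the recipient's own record,
// so a caller can never address an arbitrary device or a topic.
function buildMessage(req, recipientToken) {
  return {
    token: recipientToken,
    notification: { title: `Message from ${req.fromUid}`, body: req.text },
    data: { fromUid: req.fromUid },
    android: { priority: "high" },
  };
}

// deps: isContact(from, to) -> Promise<boolean>, lookupToken(uid) -> Promise<string|null>,
//       send(message) -> Promise<string>  (in production: admin.messaging().send)
async function handleSend(auth, data, deps) {
  const req = validateRequest(auth, data);
  if (!(await deps.isContact(req.fromUid, req.toUid))) {
    throw new RequestError("permission-denied", "recipient is not a contact");
  }
  const token = await deps.lookupToken(req.toUid);
  if (!token) {
    throw new RequestError("not-found", "recipient has no registered device");
  }
  const messageId = await deps.send(buildMessage(req, token));
  return { messageId };
}

// In-memory stand-ins for the Realtime Database and for FCM, so the
// authorization logic can be exercised without a Firebase project.
function memoryDeps(contacts, tokens) {
  const sent = [];
  return {
    sent,
    isContact: async (from, to) => Boolean(contacts[from] && contacts[from].includes(to)),
    lookupToken: async (uid) => tokens[uid] || null,
    send: async (message) => { sent.push(message); return `projects/demo/messages/${sent.length}`; },
  };
}

// Production wiring in a Firebase Functions project (not executed here);
// `users/{uid}/fcmToken` and `contacts/{uid}/{otherUid}` are assumed paths:
//   const functions = require("firebase-functions");
//   const admin = require("firebase-admin");
//   admin.initializeApp();
//   const db = admin.database();
//   exports.sendMessage = functions.https.onCall((data, context) =>
//     handleSend(context.auth, data, {
//       isContact: async (a, b) => (await db.ref(`contacts/${a}/${b}`).once("value")).exists(),
//       lookupToken: async (uid) => (await db.ref(`users/${uid}/fcmToken`).once("value")).val(),
//       send: (message) => admin.messaging().send(message),
//     }).catch((e) => {
//       throw new functions.https.HttpsError(e instanceof RequestError ? e.code : "internal", e.message);
//     }));

module.exports = { validateRequest, buildMessage, handleSend, memoryDeps, RequestError };
```

On the Android side the app then calls `FirebaseFunctions.getInstance().getHttpsCallable("sendMessage").call(data)` and never sees a server key; each device still registers its own FCM token under `users/{uid}/fcmToken` so the function can look it up. Storing the key in the Realtime Database, as asked above, would not help: the app would have to be able to read it, so an attacker with the app could too.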

0 Answers