Why is it bad practice to use an FCM Server Key on a Flutter/Android client?


In general, and not only regarding your specific question about FCM keys, your code within the APK isn't normally visible to your average users. But your APK code is definitely not safe from whoever tries hard enough to find it and reverse engineer it.

Almost nothing is impossible to reverse engineer. I used 'almost' because I can't confirm and say 'everything'.

FCM is free, but it's not about the money. Imagine somebody has your token and can send messages on your behalf to any of your users.

Email is free to use in general; however, would you mind sharing yours with anybody else?
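The server-side alternative the answer recommends, written here as an added example in Python rather than the question's Dart (it is not code from the original post): the FCM server key lives only in the backend's environment, the app calls this backend after signing in, and the backend decides what may be sent. The endpoint, header and payload layout are the ones from the question; the topic allowlist, the `FCM_SERVER_KEY` variable name, the `ClientRequest` shape and the injected `sender` are assumptions made for illustration.

```python
import json
import os
from dataclasses import dataclass, field

# Legacy FCM HTTP endpoint and header format, as used in the question.
FCM_LEGACY_URL = "https://fcm.googleapis.com/fcm/send"

# Assumed policy: the backend only publishes to topics it knows about.
ALLOWED_TOPICS = {"test_fcm_topic"}

# Assumed limit so a client cannot push arbitrarily large payloads through us.
MAX_BODY_CHARS = 1000


@dataclass
class ClientRequest:
    """What the app sends to our own backend: the intent, never the FCM key."""
    user_id: str                       # set by the backend after verifying the client's sign-in
    topic: str
    title: str
    body: str
    data: dict = field(default_factory=dict)


def load_server_key(env=os.environ) -> str:
    """Read the FCM server key from the server's environment, never from client code."""
    key = env.get("FCM_SERVER_KEY")
    if not key:
        raise RuntimeError("FCM_SERVER_KEY is not configured on the server")
    return key


def build_fcm_request(server_key: str, req: ClientRequest) -> dict:
    """Translate an already validated client request into the legacy FCM HTTP call."""
    return {
        "url": FCM_LEGACY_URL,
        "headers": {
            "Content-Type": "application/json",
            "Authorization": f"key={server_key}",
        },
        "body": json.dumps({
            "notification": {"title": req.title, "body": req.body},
            "priority": "high",
            "data": req.data,
            "to": f"/topics/{req.topic}",
        }),
    }


def relay_send(req: ClientRequest, sender, env=os.environ) -> dict:
    """Backend entry point.

    `sender(url, headers, body)` performs the HTTP POST; it is injected so the
    relay can be exercised without network access. All policy checks happen
    here, on the server, where the client cannot bypass them.
    """
    if not req.user_id:
        raise PermissionError("unauthenticated client")
    if req.topic not in ALLOWED_TOPICS:
        raise PermissionError(f"topic {req.topic!r} is not allowed")
    if len(req.body) > MAX_BODY_CHARS:
        raise ValueError("notification body too long")
    fcm = build_fcm_request(load_server_key(env), req)
    return sender(fcm["url"], fcm["headers"], fcm["body"])


def fake_sender(url, headers, body) -> dict:
    """Stand-in for the real HTTP client: records what would have been sent."""
    return {"url": url, "auth": headers["Authorization"], "payload": json.loads(body)}


if __name__ == "__main__":
    # Constructed sample input mirroring the question's payload.
    sample = ClientRequest(
        user_id="user-1",
        topic="test_fcm_topic",
        title="Banana",
        body="This is a body",
        data={"audioid": "139", "title": "done all over time", "name": "Greengirl"},
    )
    # The key is supplied via the environment; a placeholder is used here.
    print(relay_send(sample, fake_sender, env={"FCM_SERVER_KEY": "PLACEHOLDER_KEY"}))
```

The Flutter client then posts only the topic, title, body and data to this relay, authenticating with its own sign-in token, and never holds `serverToken`. Someone who unpacks the APK finds no credential that can push to your users, and if the key ever leaks from the server there is exactly one place to rotate it.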

Author: Meggy
Updated on December 28, 2022

Comments

  • Meggy, over 1 year ago

    I'd like to send messages from my Flutter app using my Firebase Cloud Messaging (FCM) server key. But I'm told this is bad practice and should be done on the server side. But as the code within APKs is invisible to users, why is it a security problem?

    import 'dart:convert';
    import 'package:http/http.dart' as http;

    // The FCM server key embedded in the app (placeholder value). This is the
    // practice the question asks about and the answer advises against.
    const String serverToken = 'YOUR_FCM_SERVER_KEY';

    // Publishes a notification to a topic straight from the client using the
    // legacy FCM HTTP API. Note that http.post takes a Uri, not a String.
    Future<void> send() async {
      await http.post(
        Uri.parse('https://fcm.googleapis.com/fcm/send'),
        headers: <String, String>{
          'Content-Type': 'application/json',
          'Authorization': 'key=$serverToken',
        },
        body: jsonEncode(
          <String, dynamic>{
            'notification': <String, dynamic>{
              'body': 'This is a body',
              'title': 'Banana',
            },
            'priority': 'high',
            'data': <String, dynamic>{
              'audioid': '139',
              'title': 'done all over time',
              'name': 'Greengirl',
            },
            'to': '/topics/test_fcm_topic',
          },
        ),
      );
    }

    • Huthaifa Muayyad, about 3 years ago
      In general, and not only regarding your specific question about FCM keys, your code within the APK isn't normally visible to your average users. But your APK code is definitely not safe from whoever tries hard enough to find it and reverse engineer it.
    • Meggy, about 3 years ago
      Wow! That's great to know. I would've thought it would be impossible to reverse engineer, but this changes the game.
    • Huthaifa Muayyad, about 3 years ago
      Almost nothing is impossible to reverse engineer. I used 'almost' because I can't confirm and say 'everything'.
    • Huthaifa Muayyad, about 3 years ago
      Not for the money, but imagine somebody has your token and can send messages on your behalf to any of your users. Email is free to use; would you mind sharing yours with anybody else?
    • Meggy, about 3 years ago
      GREAT point! I'm convinced.
    • Meggy, about 3 years ago
      Can you post this as an answer so I can select it and give you the points?
    • Ammar Mohamed, almost 2 years ago
      How do I obtain the server key? I am trying to implement this in my app (I don't mind using the server key in the app).
  • Meggy, about 3 years ago
    At the moment FCM messages are free, so I don't know why anybody would want to steal mine. But I'm guessing it may not remain free forever...