Why is it bad practice to use an FCM Server Key on a Flutter/Android client?
In general, and not only regarding your specific question about FCM keys, your code within the APK isn't normally visible to your average users. But your APK code is definitely not safe from whoever tries hard enough to find it and reverse engineer it.
Almost nothing is impossible to reverse engineer. I used 'almost' because I can't confirm and say 'everything'.
FCM is free, but it's not about the money. Imagine somebody has your token and can send messages on your behalf to any of your other users?
Email is free to use in general; however, would you mind sharing it with anybody else?
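The server-side relay the answer recommends, as an added example that is not code from the question or the answer: the key stays in server configuration, the client only asks the server to send, and the server decides what may be sent. Assumed names: the `FCM_SERVER_KEY` environment variable, the `ALLOWED_TOPICS` allowlist, and a `uid` that the caller has already verified from a Firebase ID token; the payload fields mirror the question's.

```python
import os
import time
from collections import defaultdict

FCM_SEND_URL = "https://fcm.googleapis.com/fcm/send"  # same legacy endpoint as the question
ALLOWED_TOPICS = {"test_fcm_topic"}                   # constructed allowlist for this example
ALLOWED_DATA_KEYS = {"audioid", "title", "name"}      # data keys taken from the question's payload
MAX_TEXT = 200            # cap on title/body length accepted from a client
RATE_LIMIT = 5            # sends per user per window
RATE_WINDOW_S = 60

_sent_at = defaultdict(list)  # uid -> timestamps of recent sends (in-memory, demo only)


def _check_rate(uid, now):
    """Reject a user who has already used their quota in the current window."""
    recent = [t for t in _sent_at[uid] if now - t < RATE_WINDOW_S]
    if len(recent) >= RATE_LIMIT:
        raise PermissionError("rate limit exceeded for user")
    recent.append(now)
    _sent_at[uid] = recent


def build_send_request(uid, client_msg, now=None, server_key=None):
    """Turn a request from an authenticated client into the FCM POST.
    uid: user id already verified from a Firebase ID token (assumed done by the caller).
    client_msg: dict with 'topic', 'title', 'body' and optional 'data' (str -> str).
    Returns (headers, payload); the server key never leaves this process."""
    if server_key is None:
        server_key = os.environ["FCM_SERVER_KEY"]  # server config, not the APK
    now = time.time() if now is None else now
    _check_rate(uid, now)
    topic = client_msg.get("topic")
    if topic not in ALLOWED_TOPICS:
        raise ValueError("topic not permitted")
    title, body = str(client_msg.get("title", "")), str(client_msg.get("body", ""))
    if not title or not body or len(title) > MAX_TEXT or len(body) > MAX_TEXT:
        raise ValueError("title/body missing or too long")
    data = {k: str(v) for k, v in (client_msg.get("data") or {}).items()
            if k in ALLOWED_DATA_KEYS}
    data["sender_uid"] = uid  # the server, not the client, stamps who sent it
    payload = {
        "to": f"/topics/{topic}",  # server picks the target; a client cannot name arbitrary tokens
        "priority": "high",
        "notification": {"title": title, "body": body},
        "data": data,
    }
    headers = {"Content-Type": "application/json", "Authorization": f"key={server_key}"}
    return headers, payload
```

Serialize `payload` with `json.dumps` when posting it to `FCM_SEND_URL`; the client-side code from the question then shrinks to a call to this endpoint with the user's ID token.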
Meggy
Updated on December 28, 2022

Comments
- Meggy (over 1 year ago): I'd like to send messages from my Flutter app using my Firebase Cloud Messaging (FCM) server key. But I'm told this is bad practice and should be done on the server-side. But as the code within APKs is invisible to users, why is it a security problem?
```dart
import 'dart:convert';
import 'package:http/http.dart' as http;

// The server key embedded in the client, which is the practice being asked about.
const String serverToken = '<FCM server key>';

void send() async {
  await http.post(
    // Recent versions of package:http take a Uri rather than a String.
    Uri.parse('https://fcm.googleapis.com/fcm/send'),
    headers: <String, String>{
      'Content-Type': 'application/json',
      'Authorization': 'key=$serverToken',
    },
    body: jsonEncode(
      <String, dynamic>{
        'notification': <String, dynamic>{
          'body': 'This is a body',
          'title': 'Banana',
        },
        'priority': 'high',
        'data': <String, dynamic>{
          'audioid': '139',
          'title': 'done all over time',
          'name': 'Greengirl',
        },
        'to': '/topics/test_fcm_topic',
      },
    ),
  );
}
```
- Huthaifa Muayyad (about 3 years ago): In general, and not only regarding your specific question about FCM keys, your code within the APK isn't normally visible to your average users. But your APK code is definitely not safe from whoever tries hard enough to find it and reverse engineer it.
- Meggy (about 3 years ago): Wow! That's great to know. I would've thought it would be impossible to reverse engineer, but this changes the game.
- Huthaifa Muayyad (about 3 years ago): Almost nothing is impossible to reverse engineer. I used 'almost' because I can't confirm and say 'everything'.
- Huthaifa Muayyad (about 3 years ago): Not for the money, but imagine somebody has your token and can send messages on your behalf to any of your other users? Email is free to use; would you mind sharing it with anybody else?
- Meggy (about 3 years ago): GREAT point! I'm convinced.
- Meggy (about 3 years ago): Can you post this as an answer so I can select it and give you the points?
- Huthaifa Muayyad (about 3 years ago): Let us continue this discussion in chat.
- Ammar Mohamed (almost 2 years ago): How do I obtain the server key? I am trying to implement this in my app (I don't mind using the server key in the app).
- Meggy (about 3 years ago): At the moment FCM messages are free, so I don't know why anybody would want to steal mine. But I'm guessing it may not remain free forever...