Exposed Firebase Cloud Messaging Server Keys - firebase-cloud-messaging

I had used FCM to send notifications in my app using the API. After some days Google sent this and removed my app from the Play Store. Please help me.
I have tried everywhere but am not getting an exact answer.

Putting the FCM key in an untrusted environment is a security issue: any hacker could send messages to any user by using the FCM key.
The FCM key shouldn't exist in your public app, e.g. downloaded to your instance, stored in local storage, hardcoded inside the application, etc.
The FCM key should only exist in a trusted environment like your server, Cloud Functions, etc.
You can also see this: Do I need to protect my firebase Server Key?

Related

Is Firebase Admin only available for admins, or can users also send notifications to other users?

Is Firebase Admin only available for admins, or can users also send notifications to other users?
Actually I am a little bit confused about sending a notification from one user to another, and which data is used, like the receiver's uid or the receiver's FCM token.
firebaser here
Calls to the FCM API to send messages require that you specify the FCM server key in your code. As its name implies, this key should only be used in server-side code, or in an otherwise trusted environment. The reason for this is that anyone who has the FCM server key can send whatever message they want to all of your users.
So sending messages to users is indeed only possible from a trusted environment, either through the Admin SDK, or the REST APIs. See How to send one to one message using Firebase Messaging for more.
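The two answers above both come down to the same architecture: the app never holds the FCM credential; it asks a trusted server to send on its behalf, and the server decides whether that send is allowed. The following is an added example (not code from the answers or from Firebase) of such a relay in Python. The `verify_id_token` and `send_to_fcm` callables are injected so the example runs offline; in production they would be `firebase_admin.auth.verify_id_token` and `firebase_admin.messaging.send`. The "a user may only notify users who follow them" policy, the `Relay` class and the `build_demo_relay` stubs are assumptions made for the demo.

```python
"""Minimal 'trusted environment' relay for FCM sends (added example).

The client sends its own Firebase ID token plus a target user id. The relay
verifies the caller, applies a server-side policy, builds the payload itself,
and only then talks to FCM with a credential that exists solely on the server.
"""
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# The only place the FCM credential lives: the server process environment.
# The fallback value is a constructed placeholder for the demo.
FCM_CREDENTIAL = os.environ.get("FCM_SERVER_CREDENTIAL", "PLACEHOLDER_SERVER_CREDENTIAL")


@dataclass
class Relay:
    verify_id_token: Callable[[str], Optional[str]]   # ID token -> uid, or None if invalid
    send_to_fcm: Callable[[str, str, dict], str]       # (credential, device token, payload) -> message id
    device_tokens: Dict[str, List[str]]                # uid -> registered device tokens
    followers: Dict[str, Set[str]]                     # uid -> uids who follow that user
    audit: List[str] = field(default_factory=list)     # what the relay accepted/rejected

    def send(self, caller_id_token: str, target_uid: str, body: str) -> dict:
        caller = self.verify_id_token(caller_id_token)
        if caller is None:
            self.audit.append("reject: unauthenticated")
            return {"ok": False, "error": "unauthenticated"}
        # Policy (assumed for the demo): caller may only notify users who follow them.
        if caller not in self.followers.get(target_uid, set()):
            self.audit.append(f"reject: {caller} may not notify {target_uid}")
            return {"ok": False, "error": "forbidden"}
        tokens = self.device_tokens.get(target_uid, [])
        if not tokens:
            return {"ok": False, "error": "no-device"}
        # The payload is assembled server side, so the client cannot inject
        # arbitrary notification or data keys, and the body length is capped.
        payload = {"notification": {"title": f"New message from {caller}", "body": body[:200]}}
        ids = [self.send_to_fcm(FCM_CREDENTIAL, tok, payload) for tok in tokens]
        self.audit.append(f"sent: {caller} -> {target_uid} ({len(ids)} devices)")
        return {"ok": True, "message_ids": ids}


def build_demo_relay() -> Relay:
    """Constructed stand-ins for the Firebase SDK calls (demo only, not the real SDK)."""
    valid_id_tokens = {"idtok-alice": "alice", "idtok-mallory": "mallory"}
    sent = []

    def fake_verify(id_token: str) -> Optional[str]:
        return valid_id_tokens.get(id_token)

    def fake_send(credential: str, device_token: str, payload: dict) -> str:
        assert credential == FCM_CREDENTIAL   # the app-supplied request never carries it
        sent.append((device_token, payload))
        return f"projects/demo/messages/{len(sent)}"

    return Relay(
        verify_id_token=fake_verify,
        send_to_fcm=fake_send,
        device_tokens={"bob": ["dev-bob-1", "dev-bob-2"]},
        followers={"bob": {"alice"}},
    )


if __name__ == "__main__":
    relay = build_demo_relay()
    print(relay.send("idtok-alice", "bob", "hello"))     # accepted, 2 devices
    print(relay.send("idtok-mallory", "bob", "spam"))    # forbidden by policy
    print(relay.send("not-a-token", "bob", "spam"))      # unauthenticated
    print(relay.audit)
```

The point of the shape is that the app's request contains only an identity proof and an intent; the credential, the authorization decision and the payload construction all happen where the key lives. Extracting the APK yields no key, and a rogue client can only do what the policy permits its own identity to do.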

Server api key: migration doc vs migration video

The only change that the GCM -> FCM migration doc requires is changing the endpoint:
Update your server code to use new FCM endpoints for sending messages via HTTP and XMPP... Optionally, you may want to evaluate the FCM HTTP v1 API, which offers an improved security model and new capabilities for customizing messages across
But the video seems to tell a different story:
I'll need to update to a new more secure server key which I can get from the firebase console... download the service account credentials then I'll drag the JSON file into my project... replace the GCM API key with this service account key I'll update my HTTP header to use this access token...
Can we continue to use the GCM server api key when sending requests to the new FCM endpoint or do we "need to update to a more secure server key" obtained from the FCM console?
The GCM documentation you pointed out is kinda (not that much) old. It shows what needs to change when migrating from GCM to FCM Legacy. What Jen Person showed in the video is when you are to use FCM v1 (see the uri on 8:19).
Can we continue to use the GCM server api key when sending requests to the new FCM endpoint or do we "need to update to a more secure server key" obtained from the FCM console?
From my comment here (with minor updates):
Depending on which type of GCM API Key you were using (if this is a reeeaally old project, you might still be using a different type of Key), it may not work. Regardless, after you import your GCM project to Firebase, it would probably generate the necessary API Keys (Server Key for this matter) that you could (and should) use in order for FCM to work.
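To make the two migration targets in this thread concrete, here is an added example (not code from the answers, the migration doc or Google) that builds the legacy and the HTTP v1 request side by side without sending them. The endpoint URLs, header forms and scope string are the documented ones; the access-token fetch is injected so the example runs offline (in production you would use google-auth's `service_account.Credentials` with the `firebase.messaging` scope, call `refresh()` and read `.token`). The `AccessTokenSource` cache, the placeholder key and the project id are assumptions for the demo. Note that Google has since deprecated the legacy endpoint, so the v1 path is the one to migrate to.

```python
"""Legacy HTTP vs HTTP v1 FCM send requests (added example).

Legacy: one long-lived server key in 'Authorization: key=...'.
HTTP v1: a short-lived OAuth2 bearer token minted from the service account.
"""
import json
import time
from typing import Callable, Dict

LEGACY_ENDPOINT = "https://fcm.googleapis.com/fcm/send"
V1_ENDPOINT = "https://fcm.googleapis.com/v1/projects/{project_id}/messages:send"
FCM_SCOPE = "https://www.googleapis.com/auth/firebase.messaging"


def build_legacy_request(server_key: str, device_token: str, title: str, body: str) -> dict:
    """Legacy API shape: static server key, flat 'to' + 'notification' body."""
    return {
        "method": "POST",
        "url": LEGACY_ENDPOINT,
        "headers": {"Authorization": f"key={server_key}", "Content-Type": "application/json"},
        "body": json.dumps({"to": device_token, "notification": {"title": title, "body": body}}),
    }


def build_v1_request(project_id: str, access_token: str, device_token: str, title: str, body: str) -> dict:
    """HTTP v1 shape: bearer token, project-scoped URL, body wrapped in 'message'."""
    return {
        "method": "POST",
        "url": V1_ENDPOINT.format(project_id=project_id),
        "headers": {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
        "body": json.dumps({"message": {"token": device_token,
                                        "notification": {"title": title, "body": body}}}),
    }


class AccessTokenSource:
    """Caches a short-lived access token and refreshes it shortly before expiry.

    `fetch` returns {"access_token": str, "expires_in": seconds}; in production it
    would wrap the service-account credential refresh (assumption for the demo).
    """

    def __init__(self, fetch: Callable[[], Dict], now: Callable[[], float] = time.time, skew: int = 60):
        self._fetch, self._now, self._skew = fetch, now, skew
        self._token, self._expires_at = None, 0.0

    def token(self) -> str:
        if self._token is None or self._now() >= self._expires_at - self._skew:
            fresh = self._fetch()
            self._token = fresh["access_token"]
            self._expires_at = self._now() + float(fresh["expires_in"])
        return self._token


if __name__ == "__main__":
    # Constructed values: a placeholder legacy key and a fake token fetcher.
    legacy = build_legacy_request("PLACEHOLDER_LEGACY_SERVER_KEY", "dev-1", "Hi", "Legacy send")
    src = AccessTokenSource(lambda: {"access_token": "ya29.demo-token", "expires_in": 3600})
    v1 = build_v1_request("demo-project", src.token(), "dev-1", "Hi", "v1 send")
    for req in (legacy, v1):
        print(req["method"], req["url"])
        print("  ", req["headers"]["Authorization"][:24] + "...")
        print("  ", req["body"])
```

The security difference is visible in the `Authorization` header: the legacy key is a permanent secret that grants full send rights to whoever holds it, while the v1 bearer token is minted from the service account, expires within the hour and can be scoped to messaging only, which is why the video calls it the "more secure server key".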

One XMPP connection for more than one GCM/FCM app

I have a bunch of FCM projects and I'd like to use the same XMPP connection to send messages for all those projects. The FCM docs say that each connection needs to authenticate with the app id and server key, meaning I can use one XMPP connection for one project only. Is there any way around this?
I'm not sure what the question is here. Just use the corresponding Sender ID and Server Key from your Firebase Project. However, do take note of the connection limitation mentioned in the docs you linked:
For each sender ID, FCM allows 1000 connections in parallel.
I don't really see any issue here; so long as you're using the same Firebase Project for FCM on all of your apps, you're good to go.
Unfortunately, if you have multiple projects, the only workaround I can see is for you to use only a single project for your FCM processes.

Google Cloud Messaging token

I'd like to know if each time my application runs I need to get the token and pass it to the server, or if it's only necessary once to register the application. Thanks a lot.
You need a token to register the GCM (push notification) client with the Google server. Then this token is passed to and used by your server to send subsequent notifications. This token should be persisted by the server so that it can be used to make API calls to the Google server. With this approach, your server and the Android device do not need to create a persistent connection, and the responsibility of queuing and relaying messages is all handled by Google's servers.
For more information visit the Registering Client Apps and also check this documentation.
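The server side of what the answer describes, as an added example (not code from the answer or from Google): the app reports its registration token on every start or token change, the server upserts it keyed by user and device, and drops it when FCM reports the token as dead or when it has not been seen for a long time. The in-memory dict, the `TokenRegistry` class and the 60-day staleness window are assumptions for the demo; the error codes in `DEAD_TOKEN_ERRORS` are the documented legacy (`NotRegistered`, `InvalidRegistration`) and v1 (`UNREGISTERED`) responses.

```python
"""Server-side device-token registry for GCM/FCM (added example).

Answers the question in the thread operationally: the app can re-send its
token on every run; register() is idempotent and only reports a change when
the token actually rotated.
"""
import time
from typing import Callable, Dict, List, Optional, Tuple

# FCM responses that mean "stop sending to this token" (documented error codes).
DEAD_TOKEN_ERRORS = {"NotRegistered", "InvalidRegistration", "UNREGISTERED"}


class TokenRegistry:
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        # (uid, device_id) -> (registration token, last seen timestamp)
        # In-memory for the demo; a real deployment would use a database.
        self._by_device: Dict[Tuple[str, str], Tuple[str, float]] = {}

    def register(self, uid: str, device_id: str, token: str) -> bool:
        """Upsert the token for one device. Returns True when it is new or rotated."""
        old = self._by_device.get((uid, device_id))
        self._by_device[(uid, device_id)] = (token, self._now())
        return old is None or old[0] != token

    def tokens_for(self, uid: str) -> List[str]:
        """All tokens the server should fan a message out to for this user."""
        return [tok for (u, _), (tok, _) in self._by_device.items() if u == uid]

    def handle_send_result(self, token: str, error: Optional[str]) -> bool:
        """Drop the token if FCM says it is dead. Returns True if something was removed."""
        if error not in DEAD_TOKEN_ERRORS:
            return False
        dead = [key for key, (tok, _) in self._by_device.items() if tok == token]
        for key in dead:
            del self._by_device[key]
        return bool(dead)

    def prune_stale(self, max_age_days: int = 60) -> int:
        """Remove tokens not reported by any device for max_age_days; returns the count."""
        cutoff = self._now() - max_age_days * 86400
        stale = [key for key, (_, seen) in self._by_device.items() if seen < cutoff]
        for key in stale:
            del self._by_device[key]
        return len(stale)


if __name__ == "__main__":
    reg = TokenRegistry()
    print(reg.register("u1", "phone", "tok-A"))      # True: first sight
    print(reg.register("u1", "phone", "tok-A"))      # False: same token, app restarted
    print(reg.register("u1", "phone", "tok-B"))      # True: token rotated on the device
    print(reg.tokens_for("u1"))                      # ['tok-B']
    print(reg.handle_send_result("tok-B", "NotRegistered"))  # True: pruned
    print(reg.tokens_for("u1"))                      # []
```

Keying by device rather than by user is what lets one user have several devices and lets a rotated token replace its predecessor instead of accumulating next to it; pruning on FCM's error responses keeps the table from filling with tokens for uninstalled apps.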

Firebase certificate authentication

I have no interest in authenticating my clients as they are.
I do, however, want to make sure that anyone reaching my FireBase is authorized. Namely, that it's only via my Android app.
Could it be done somehow? I couldn't find any option or alternative in FireBase documentation.
The best approach I see is to have my app signed by a certificate and authorize itself using it.
To authenticate your app, use FCM (but regrettably, it requires server code):
Create an anonymous Firebase account.
Send an FCM message to your server, with the Firebase account uid.
The server will create a node such as /uids/$uid/enabled.
Have a rule to require it, e.g.:
".read" : "root.child('uids').child(auth.uid).child('enabled').val() == true"
The reason for the FCM message is that in order to send such a message, the app should be "registered", which means the developer's signing certificate for the app is known. Anyone attempting to send such an FCM message not through your app will fail - even if someone re-signs (and probably modifies) your app.
The drawback is, of course, that you need your server to receive FCMs - which is very easy on the device, but harder on the server side.