Morten

Reputation: 808

Is it OK to use the SERVER_API key on a client, and is it possible to send a GCM message to a device group without using the SERVER_API key?

I have successfully registered my Android app with locally managed device groups as described here: Google Cloud Messaging (GCM) with local device groups on Android gives HTTP Error code 401.

This works fine, and I can send GCM messages from Android to Android by following the guidelines here: https://developers.google.com/cloud-messaging/downstream.

However, this uses the SERVER_API key, which supposedly isn't a nice thing to have lying around on a client.

My question is: Is it a problem at all to use the SERVER_API key on the client?

Second: Is it possible to send a GCM message without using the SERVER_API key?

I tried passing the notification_key received from the device group registration to this method, but nothing arrives:

private void sendMessage2(String recipient) throws IOException {
    Log.i(TAG, "Sending message to " + recipient);
    GoogleCloudMessaging gcm = GoogleCloudMessaging.getInstance(context);
    AtomicInteger msgId = new AtomicInteger();
    String id = Integer.toString(msgId.incrementAndGet());
    Bundle data = new Bundle();
    data.putString("hello", "world");
    gcm.send(recipient, id, data);
    Log.i(TAG, "Successfully sent message to " + recipient);
}

// recipient is the notification_key of the device group.

Upvotes: 3

Views: 58

Answers (1)

Sam Stern

Reputation: 25134

Don't use the SERVER_API key on your client!

This key is a secret, and will not be obfuscated in your binary. Someone can easily download your APK, run strings (or a similar tool) and then start sending GCM messages on behalf of your application.

If you want to do Android <--> Android messaging, you will actually need to do Android <--> Server <--> Android.

Upvotes: 3
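
A release-pipeline check for the leak this answer describes, as an added example that is not part of the original answer: it unpacks an APK and reports any string shaped like a Google API key ("AIza" plus 35 characters). The sample APK, the key and the function names are constructed for illustration; a hit is a candidate for review, since the pattern alone cannot tell a server key from a key that is meant to ship in a client.

```python
import io
import re
import zipfile

# Google API keys are 39 characters: "AIza" followed by 35 URL-safe characters.
KEY_ASCII = re.compile(rb"AIza[0-9A-Za-z_\-]{35}")
# The same pattern as UTF-16LE, which resources.arsc may use for its string pool.
KEY_UTF16 = re.compile(rb"A\x00I\x00z\x00a\x00(?:[0-9A-Za-z_\-]\x00){35}")


def find_embedded_keys(apk_bytes):
    """Return sorted (entry_name, key) pairs for every key-shaped string in the APK."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            # Entries are usually deflated, so decompress each one before scanning.
            data = apk.read(info)
            for m in KEY_ASCII.finditer(data):
                hits.add((info.filename, m.group().decode("ascii")))
            for m in KEY_UTF16.finditer(data):
                hits.add((info.filename, m.group().decode("utf-16-le")))
    return sorted(hits)


def build_sample_apk(key):
    """Constructed test input: a ZIP laid out like an APK with the key in classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x27" + key.encode() + b"\x00")
        z.writestr("resources.arsc", "app_name".encode("utf-16-le"))
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
    return buf.getvalue()


# Constructed placeholder, not a real key: "AIza" + 35 filler characters.
FAKE_KEY = "AIza" + "X" * 35

if __name__ == "__main__":
    for name, key in find_embedded_keys(build_sample_apk(FAKE_KEY)):
        # Print only a prefix so the build log does not itself leak the key.
        print(f"{name}: key-shaped string {key[:8]}... found")
```

Failing the build on any hit keeps the server key on the server side of the Android <--> Server <--> Android path.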