kspearrin

Reputation: 10748

Is Sender ID Private?

I have an open source public application that uses GCM push notifications. To register for push, the sender ID is placed into the source code. Is it OK for this sender ID to be exposed publicly? Is the sender ID supposed to be kept private? Is there anything bad anyone can do with my sender ID if exposed?

Upvotes: 0

Views: 780

Answers (3)

Ben Butterworth

Reputation: 28552

This question stems from not knowing what each of these keys does. This information is relevant for Firebase Cloud Messaging, which replaced GCM.


FCM sender ID

The FCM Sender ID is actually the Firebase project number 😂. To check it yourself, you can compare project_info.project_number in google-services.json/ Firebase project settings page with the sender ID.

It is used by Android clients to identify which application (Firebase project) to register for FCM with, so it makes sense.

It is available in the google-services.json which is not sensitive.

The worst thing a user can do if they know your sender ID is they can register for push notifications from you.


FCM Server key

The FCM server key is sensitive, because it allows users to send push notifications to the devices which have registered.

Upvotes: 0
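An added example, not part of the answer above or of any Firebase tooling: a pre-commit style check for an open-source app that reads the sender ID from google-services.json and treats it as publishable, while blocking on anything shaped like a legacy server key. The key regex, the file names and all sample values are assumptions constructed for illustration.

```python
import json
import re

# Assumption: commonly observed shape of a legacy FCM server key (not from the page).
SERVER_KEY_RE = re.compile(r"AAAA[A-Za-z0-9_-]{7}:[A-Za-z0-9_-]{140}")

def sender_id_from_config(config_text):
    """Sender ID == project_info.project_number in google-services.json."""
    return str(json.loads(config_text)["project_info"]["project_number"])

def audit(files, sender_id):
    """Return (path, line_no, kind, shown) tuples for every hit in files."""
    findings = []
    sender_re = re.compile(r"(?<!\d)" + re.escape(sender_id) + r"(?!\d)")
    for path, text in sorted(files.items()):
        for line_no, line in enumerate(text.splitlines(), start=1):
            for m in SERVER_KEY_RE.finditer(line):
                # Redact: never echo a secret into CI logs.
                findings.append((path, line_no, "server_key", m.group()[:8] + "..."))
            if sender_re.search(line):
                findings.append((path, line_no, "sender_id", sender_id))
    return findings

def must_block(findings):
    """Only a server key should fail the commit; the sender ID may ship."""
    return any(kind == "server_key" for _, _, kind, _ in findings)

# Constructed sample inputs (hypothetical project, fake key material).
FAKE_KEY = "AAAA" + "x" * 7 + ":" + "APA91b" + "y" * 134
SAMPLE_FILES = {
    "app/google-services.json": '{"project_info": {"project_number": "123456789012"}}',
    "app/src/Push.java": 'String SENDER_ID = "123456789012";',
    "server/push.py": "# legacy send\nSERVER_KEY = '" + FAKE_KEY + "'\n",
}

if __name__ == "__main__":
    sid = sender_id_from_config(SAMPLE_FILES["app/google-services.json"])
    results = audit(SAMPLE_FILES, sid)
    for finding in results:
        print(finding)
    print("block commit:", must_block(results))
```
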

Smit

Reputation: 2138

A sender ID is not tied to a unique application package name. In fact, multiple apps can register to GCM using the same sender ID, which will allow the same API key to be used for sending GCM messages to all of these apps. Of course each app will have a different registration ID (even when on the same device).

If someone knows your sender ID, they can register to GCM with that sender ID, but without knowing the API key they won't be able to send GCM messages to either the fake app or the real app. When they register to GCM, GCM receives the package ID of their fake app. Therefore if you send a message to a registration ID of your real app, it won't reach the fake app.

Leave it protected, and also try to keep the API key as well as your server details.

More reference 1

Upvotes: 0

Malik

Reputation: 5043

It is fine to expose the sender ID because it has no meaning without the server key.

Upvotes: 5
