Reputation: 63
According to this link, the registration token must be kept secret.
Registration token: An ID generated by the FCM SDK for each client app instance. Required for single device and device group messaging. Note that registration tokens must be kept secret.
How sensitive is the token? Can anyone with the registration token send notifications to the device? Or is the token specific to my project?
What are the risks if some else gets hold of a device registration token?
Upvotes: 6
Views: 2239
Reputation: 444
The token could be used by a malicious user to register himself and get notifications he is not supposed to receive.
Let's imagine the following scenario.
A similar scenario could be envisaged if a user logs in on the device of someone else, without malicious intention in this case.
Upvotes: 1
Reputation: 37768
How sensitive is the token? Can anyone with the registration token send notifications to the device? Or is the token specific to my project?
Not really. If a sender not associated with the registration token sends a message, then they're going to receive an error, MismatchSenderId:
A registration token is tied to a certain group of senders. When a client app registers for FCM, it must specify which senders are allowed to send messages. You should use one of those sender IDs when sending messages to the client app. If you switch to a different sender, the existing registration tokens won't work.
If you base it on that, it does seem that keeping the registration token a secret is not that much of a thing. But consider a scenario where an unauthorized user gets access to send messages: if he doesn't know/have the registration tokens, then that access is pretty much useless. Just think of it as another safety measure.
What are the risks if some else gets hold of a device registration token?
From the scenario I mentioned above, if someone (an unauthorized user) got access to send messages and also has the registration tokens, then they can pretty much send anything to those devices.
Upvotes: 9
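The MismatchSenderId error discussed in the answer above is something a backend has to handle explicitly: a token that belongs to another sender ID will never deliver for your project, so it should be removed from your token table (and the account that submitted it is worth a look), while a stale token and a transient failure need different treatment. The following Python is an added example, not code from this thread or from Firebase. It assumes the per-token result format of the legacy FCM HTTP API (error names such as MismatchSenderId and NotRegistered, which has since been deprecated) and the error body of the FCM HTTP v1 API (FcmError detail with errorCode SENDER_ID_MISMATCH or UNREGISTERED); the token strings and response bodies are constructed for illustration and nothing is sent over the network.

```python
"""Classify FCM send results so a backend reacts correctly to MismatchSenderId.

Added example, not from the original thread. Assumes the response shapes of
the legacy FCM HTTP API (error names like MismatchSenderId) and of the
HTTP v1 API (FcmError.errorCode values like SENDER_ID_MISMATCH). All tokens
and response bodies below are constructed sample data.
"""
import json

# Legacy-API error names and the v1 errorCode values that mean the same thing.
_DROP_TOKEN = {"NotRegistered", "InvalidRegistration", "UNREGISTERED", "INVALID_ARGUMENT"}
_WRONG_SENDER = {"MismatchSenderId", "SENDER_ID_MISMATCH"}
_RETRY = {"Unavailable", "InternalServerError", "UNAVAILABLE", "INTERNAL", "QUOTA_EXCEEDED"}


def classify_error(code):
    """Map an FCM error code (or None for success) to the action a backend should take."""
    if code is None:
        return "delivered"
    if code in _WRONG_SENDER:
        # The token was issued for a different sender ID. It can never receive
        # messages from this project, so remove it from the token table and
        # record which client/account submitted it: a token that is not ours
        # should not have reached our registration endpoint.
        return "wrong_sender"
    if code in _DROP_TOKEN:
        # App uninstalled or token rotated: silently delete the stored token.
        return "drop"
    if code in _RETRY:
        # Transient server-side condition: keep the token, back off and retry.
        return "retry"
    return "unknown"


def parse_legacy_response(tokens, body):
    """Pair each token of a legacy multicast send with the action for its result.

    The legacy API returns one entry in "results" per registration_id sent,
    in the same order; an entry either has "message_id" or "error".
    """
    data = json.loads(body)
    results = data.get("results", [])
    if len(results) != len(tokens):
        raise ValueError("result count does not match the number of tokens sent")
    return {tok: classify_error(res.get("error")) for tok, res in zip(tokens, results)}


def parse_v1_response(token, body):
    """Classify the outcome of a single v1 send from its JSON response body.

    A successful v1 send returns {"name": "projects/.../messages/..."}; a failure
    returns {"error": {..., "details": [{"@type": ".../FcmError", "errorCode": ...}]}}.
    """
    data = json.loads(body)
    if "name" in data:
        return {token: "delivered"}
    err = data.get("error", {})
    code = err.get("status")  # fallback if no FcmError detail is present
    for detail in err.get("details", []):
        if str(detail.get("@type", "")).endswith("FcmError"):
            code = detail.get("errorCode")
    return {token: classify_error(code)}


# Constructed sample data: four tokens and a legacy multicast response for them.
SAMPLE_TOKENS = ["tok-A", "tok-B", "tok-C", "tok-D"]
SAMPLE_LEGACY_RESPONSE = json.dumps({
    "multicast_id": 1, "success": 1, "failure": 3, "canonical_ids": 0,
    "results": [
        {"message_id": "0:1"},
        {"error": "MismatchSenderId"},   # token belongs to another sender ID
        {"error": "NotRegistered"},      # app uninstalled, token is dead
        {"error": "Unavailable"},        # transient, retry later
    ],
})
SAMPLE_V1_MISMATCH = json.dumps({
    "error": {
        "code": 403, "message": "SenderId mismatch", "status": "PERMISSION_DENIED",
        "details": [{"@type": "type.googleapis.com/google.firebase.fcm.v1.FcmError",
                     "errorCode": "SENDER_ID_MISMATCH"}],
    }
})


def demo():
    """Run both parsers on the constructed samples and return the combined actions."""
    actions = parse_legacy_response(SAMPLE_TOKENS, SAMPLE_LEGACY_RESPONSE)
    actions.update(parse_v1_response("tok-E", SAMPLE_V1_MISMATCH))
    return actions


if __name__ == "__main__":
    for tok, action in demo().items():
        print(f"{tok}: {action}")
```

The point of the split between "wrong_sender" and "drop" is that a MismatchSenderId is not merely a dead token: it means your registration endpoint accepted a token that was generated for some other sender ID, which is exactly the situation the answer describes where a token has been obtained and handed to a server it does not belong to, and that is worth logging rather than quietly discarding.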