Reputation: 33
Right now I have my Server Key for Firebase messaging hardcoded in my code.
Is this a security problem for when I deploy my app?
Can I get this key programmatically?
Upvotes: 1
Views: 753
Reputation: 1396
Yes, it's a security issue. According to this official document, at the bottom it says:
Important: Do not include the server key anywhere in your client code. Also, make sure to use only server keys to authorize your app server. Android, iOS, and browser keys are rejected by FCM.
And I don't think "get this key programmatically" is a good idea, because you would still download the key to the client, or use some other way to store it in the client.
Upvotes: 2
Reputation: 22173
There's no way to seriously protect the key in your APK. Getting the key would be quite easy, so you have a big security issue, and your poor security design could have bad consequences; see, for example, what GDPR says about privacy. Remove the key, change it if possible, and implement a server to communicate with your clients and send push messages.
Upvotes: 0
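The server-side arrangement the answers above recommend, as an added example that is not part of any answer: the key is read from the server's environment and attached only to the outbound call to the legacy FCM HTTP endpoint, while the app sends just a recipient and a text. The variable name `FCM_SERVER_KEY`, the `handle_push` function, the user table and all tokens are assumptions constructed for illustration.

```python
import json
import os
import urllib.request

FCM_LEGACY_URL = "https://fcm.googleapis.com/fcm/send"  # legacy HTTP API that accepts server keys

# Constructed sample data: which device token belongs to which app user.
DEVICE_TOKENS = {"alice": "constructed-token-alice", "bob": "constructed-token-bob"}


def build_fcm_request(device_token, title, body, env=None):
    """Build (not send) the FCM call; the key comes from the server's environment."""
    env = os.environ if env is None else env
    server_key = env.get("FCM_SERVER_KEY")  # assumed variable name, set at deploy time
    if not server_key:
        raise RuntimeError("FCM_SERVER_KEY is not configured on the server")
    payload = {"to": device_token, "notification": {"title": title, "body": body}}
    return urllib.request.Request(
        FCM_LEGACY_URL,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": "key=" + server_key, "Content-Type": "application/json"},
        method="POST",
    )


def handle_push(authenticated_user, client_json, env=None):
    """Endpoint logic: the app sends only recipient and text, never a key or raw token."""
    if authenticated_user not in DEVICE_TOKENS:  # stand-in for a real session check
        return 401, None
    try:
        msg = json.loads(client_json)
        recipient, text = msg["recipient"], msg["text"]
    except (ValueError, KeyError, TypeError):
        return 400, None
    if not isinstance(recipient, str) or not isinstance(text, str) or len(text) > 500:
        return 400, None
    token = DEVICE_TOKENS.get(recipient)
    if token is None:
        return 404, None
    req = build_fcm_request(token, "Message from " + authenticated_user, text, env)
    # A real server would now call urllib.request.urlopen(req) and relay only the status.
    return 202, req


if __name__ == "__main__":
    demo_env = {"FCM_SERVER_KEY": "CONSTRUCTED-PLACEHOLDER-KEY"}
    status, req = handle_push("alice", '{"recipient": "bob", "text": "hi"}', demo_env)
    print(status, req.full_url, json.loads(req.data))
```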