Meggy

Reputation: 1671

Why is it bad practice to use an FCM Server Key on a Flutter/Android client?

I'd like to send messages from my Flutter app using my Firebase Cloud Messaging (FCM) server key. But I'm told this is bad practice and should be done on the server side. Since the code within an APK is invisible to users, why is it a security problem?

import 'dart:convert';
import 'package:http/http.dart' as http;

// The server key, hard-coded into the client as in the question.
// Placeholder value: a real key would be embedded in the APK exactly like this.
const String serverToken = '<FCM server key>';

Future<void> send() async {
  await http.post(
    // Legacy FCM HTTP endpoint; authenticates with the project-wide server key.
    Uri.parse('https://fcm.googleapis.com/fcm/send'),
    headers: <String, String>{
      'Content-Type': 'application/json',
      'Authorization': 'key=$serverToken',
    },
    body: jsonEncode(
      <String, dynamic>{
        'notification': <String, dynamic>{
          'body': 'This is a body',
          'title': 'Banana',
        },
        'priority': 'high',
        'data': <String, dynamic>{
          'audioid': '139',
          'title': 'done all over time',
          'name': 'Greengirl',
        },
        'to': '/topics/test_fcm_topic',
      },
    ),
  );
}

Upvotes: 1

Views: 427

Answers (1)

Huthaifa Muayyad

Reputation: 12353

In general, and not only regarding your specific question about FCM keys: your code within the APK isn't normally visible to your average user, but your APK code is definitely not safe from whoever tries hard enough to find it and reverse engineer it.

Almost nothing is impossible to reverse engineer. I used 'almost' because I can't confirm and say 'everything'.

FCM is free, but it's not about the money. Imagine somebody has your token and can send messages on your behalf to any of your users.

Emails are free to use in general, however, would you mind sharing it with anybody else?

Upvotes: 3
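The answer's point that the key is recoverable from the APK, shown as an added example (not code from the question or the answer). An APK is an ordinary zip archive, and a release Flutter build compiles the Dart code to an AOT snapshot in lib/<abi>/libapp.so, where a string literal such as a hard-coded server key is stored as plain bytes. The script below constructs a miniature fake APK in memory with a synthetic, non-functional key (the "AAAA...:APA91b..." shape is assumed here only to make the pattern illustrative), then recovers the key with nothing more than the standard library:

```python
"""Added example: recover a server key embedded in a (fake, constructed) APK.

This is not code from the original page. The archive layout mimics a Flutter
release APK, the key is synthetic and not a real credential, and the regex
assumes the legacy FCM server-key shape "AAAA<...>:APA91b<...>".
"""
import io
import re
import zipfile

# Assumed shape of a legacy FCM server key (illustrative, not authoritative).
LEGACY_SERVER_KEY_RE = re.compile(rb"AAAA[\w-]{5,}:APA91b[\w-]{20,}")

# Constructed, non-functional key with the same shape as a real one.
FAKE_SERVER_KEY = b"AAAAFakeKey0:APA91b" + b"x" * 120


def build_fake_apk(server_key: bytes) -> bytes:
    """Build an in-memory zip that mimics the layout of a Flutter release APK.

    The server key is dropped into the fake AOT snapshot (libapp.so) surrounded
    by binary noise, which is how `const serverToken = '...'` ends up on disk.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"<binary-xml placeholder>")
        apk.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        noise = bytes(range(256))
        snapshot = b"\x7fELF" + noise * 4 + b"\x00" + server_key + b"\x00" + noise
        apk.writestr("lib/arm64-v8a/libapp.so", snapshot)
        apk.writestr("assets/flutter_assets/AssetManifest.json", b"{}")
    return buf.getvalue()


def find_server_keys(apk_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, key) for every legacy server key found in the archive.

    Every member is scanned as raw bytes; no decompiler or disassembler is needed,
    because the literal survives compilation untouched.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            data = apk.read(info.filename)
            for match in LEGACY_SERVER_KEY_RE.finditer(data):
                hits.append((info.filename, match.group(0).decode("ascii")))
    return hits


if __name__ == "__main__":
    for member, key in find_server_keys(build_fake_apk(FAKE_SERVER_KEY)):
        print(f"{member}: {key[:24]}...")
```

On a real APK the same scan is `unzip` plus `strings` on libapp.so; Flutter's `--obfuscate` flag renames identifiers but does not encrypt string literals, so it does not change this outcome. Anyone holding the key can call the same endpoint the question's `send()` uses and push notifications to every topic and device token in the project, which is why the key belongs on a server that authenticates the caller and decides what may be sent.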
