I have an Android app set up to receive FCM push notifications. The app registers with my server with the FCM token. My idea is to prove that the token comes from my app by sending a push notification to the token. It will only arrive at my app, right?
I am wondering if a bad actor could extract the FCM secrets (configured with google-services.json) from my app, make an app with my package name, and trick people into installing it on their device. When the malicious app registers to my server, I suspect that I can't tell if it's coming from the right app. I also suspect that if I send a push notification to the token, it will be sent without errors. Am I correct?
Any help here is much appreciated.
CodePudding user response:
There are no secrets from google-services.json that get embedded in your app. See my answer here: Is it safe to expose Firebase apiKey to the public?

With the information in google-services.json all you can do is receive messages; you won't be able to send them with just that information.

To send messages to a user you also need to specify the FCM server key when calling the API (or provide credentials otherwise that prove you're an authorized collaborator on the project). This information is not available in the google-services.json and should never be used in the client-facing application code.
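The answer's last point, that server-side credentials must never end up in the client configuration, is something you can check mechanically before a build ships. The following is an added example, not code from the question or the answer: a small audit that walks a google-services.json document and flags anything that only belongs in server-side credentials (a `"type": "service_account"` block, `private_key` and similar field names, or a PEM private key hiding under any name). The sample configs are constructed; the `AIza...` value and the `server_credentials` block are placeholders, not real keys. The recognition of a legacy FCM server key by the `AAAA...:APA91b...` shape is a heuristic and an assumption, not a documented format.

```python
import copy
import json
from typing import Any, List

# Field names that only appear in server-side credentials (service-account JSON,
# legacy FCM server key). A legitimate google-services.json contains none of them.
SECRET_KEY_NAMES = {"private_key", "private_key_id", "client_secret", "server_key"}


def _looks_like_secret_value(value: Any) -> bool:
    """Heuristics for secret material regardless of the key name it hides under."""
    if not isinstance(value, str):
        return False
    # PEM private key, as found in a downloaded service-account file.
    if "-----BEGIN" in value and "PRIVATE KEY-----" in value:
        return True
    # Assumption: legacy FCM server keys start with "AAAA" and contain ":APA91b".
    if value.startswith("AAAA") and ":APA91b" in value:
        return True
    return False


def find_secret_fields(node: Any, path: str = "$") -> List[str]:
    """Recursively walk parsed JSON and return a list of 'path: reason' findings."""
    findings: List[str] = []
    if isinstance(node, dict):
        if node.get("type") == "service_account":
            findings.append(f"{path}: service-account credential block")
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in SECRET_KEY_NAMES:
                findings.append(f"{child}: server-only key name")
            elif _looks_like_secret_value(value):
                findings.append(f"{child}: value looks like server credential")
            findings.extend(find_secret_fields(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_secret_fields(item, f"{path}[{i}]"))
    return findings


def audit_client_config(text: str) -> List[str]:
    """Parse a google-services.json body; an empty list means nothing server-only is inside."""
    return find_secret_fields(json.loads(text))


# Constructed sample shaped like a normal google-services.json. Every value here is
# public-facing: project and app identifiers plus a client API key (placeholder).
CLEAN_CONFIG = {
    "project_info": {
        "project_number": "123456789012",
        "project_id": "example-app",
        "storage_bucket": "example-app.appspot.com",
    },
    "client": [
        {
            "client_info": {
                "mobilesdk_app_id": "1:123456789012:android:0123456789abcdef",
                "android_client_info": {"package_name": "com.example.app"},
            },
            "api_key": [{"current_key": "AIzaSyEXAMPLE-not-a-real-key-0000000000"}],
            "services": {"appinvite_service": {"other_platform_oauth_client": []}},
        }
    ],
    "configuration_version": "1",
}

# Constructed "mistake" case: someone pasted a service-account file into the client config.
LEAKED_CONFIG = copy.deepcopy(CLEAN_CONFIG)
LEAKED_CONFIG["server_credentials"] = {
    "type": "service_account",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "firebase-adminsdk@example-app.iam.gserviceaccount.com",
}

if __name__ == "__main__":
    for name, cfg in (("clean", CLEAN_CONFIG), ("leaked", LEAKED_CONFIG)):
        findings = audit_client_config(json.dumps(cfg))
        print(f"{name}: {'OK' if not findings else 'FAIL'}")
        for f in findings:
            print("  ", f)
```

Run it against the file the Android build actually consumes (`app/google-services.json`) as a CI step; a non-empty result should fail the build. The check is deliberately name- and shape-based so it does not need to know which project the config belongs to.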