After I published my app to the google play console. The google play support warns me that they found
security vulnerabilities for users
Leaked GCP FCM Server Keys
Your app(s) expose FCM server keys.
To address this issue, follow the steps in this Google Help Center article.
com.example.mypackagename.FcmNotificationsSender. AAAA0grk2WQ:APA91bGNcZOBZDFe16892r_c-.....2HMowk2VyaBWN_62b
Actually, I am trying to send notifications from one device to another through FCM into my app like messaging applications do. for that, I am using legacy FCM API. And I included the FCM server key directly to my app to send notifications between devices, which is not a good idea As written in Google Help Center article.
so, how I can fix expose FCM server keys?
or if FCM does not support push notifications through devices directly then what is the best way to send notifications directly?
Thanks!
Related
I am currently setting up a Firebase Cloud Messaging project. When adding apps to this project some credentials are automatically generated by FCM, e.g. the Server key as well as Android and iOS client keys.
For Android, I can download and use the google-services.json file to setup the client, i.e. registering for an FCM token and receiving push messages. But how do I restrict this so only my app can receive these messages?
I thought it would be the (auto created) Android client API key, so to test I've put an incorrect package name and SHA fingerprint in restrictions for the key. No effect, can still receive messages.
I then tried removing the API key as well as oauth client info completely from the google-services.json file, to confirm that the device then would not be able to receive messages. No effect, can still receive messages. All client info seems to be completely ignored, except for the app id (and the general project info).
So, I am really wondering what prevents reverse engineering of an app to extract the app id and general project info, and then receiving push messages in an entirely different app? I don't understand why the Android client API key, etc. is included in the google-services.json file, or why they are even created, if it is not used.
All the information in google-services.json is essentially configuration data that your app uses to find the Firebase services on Google's servers. You should not rely on knowing it, or lack of knowing it, as a security mechanism.
Instead you should send your messages in a way that ensures they are delivered only to the targeted recipients. A large part of this is sending messages to specific FCM Instance ID tokens. Firebase's Instance ID tokens are unguessable. Initially this registration token is only known on the client-side device where it is generated, and that device determines who to share it with.
By ensuring your client-side code only shares the token with your own server-side code, which then use it to target FCM messages, you can create a completely safe delivery environment where you fully control who can receive each specific message.
On the other side of this are FCM topics, which are a simpler mechanism for delivering messages to groups of users. Since any client can subscribe to any topic that it knows the ID of, topics should be used for delivering messages that require less securely targeted delivery.
I've been in contact with Firebase Support over the past week to shed light on this. It seems there is an important difference between the now deprecated Google Cloud Messaging (GCM) and Firebase Cloud Messaging (FCM), and it is currently not well documented.
With GCM it was possible to use and restrict e.g. the Android client API key with a package name and a SHA fingerprint. This is no longer possible with FCM. The keys are auto created when you add apps to your project in the Firebase console, and included in the google-services.json file, and you can add the restrictions to these under Credentials in APIs & Services, but it will not have any effect.
Please also note that the SHA fingerprint you can add in the Firebase project is only for Firebase Invites or Firebase Dynamic Links.
Be careful and have this in mind when you decide what to use the messaging service for, or when you migrate from GCM to FCM.
There is a feature request for this at Firebase but they currently have no timeline. There also a request now for an update of their documentation regarding this issue.
I have a mix of GCM and FCM Server API keys that belong to different android apps. However I am not the owner of the apps and do not have direct access to the google developer console.
Is there a way to detect whether a Cloud Messaging Server API key is enabled for Firebase?
I would like to know this so that I can notify the owners of the GCM server keys to update to Firebase.
Thanks
-David
There is no way to tell if a Server Key used in the request is from a GCM/FCM enabled project. There is RemoteMessage.getFrom() which gives the Sender ID of the sender or to identify which topic the message was sent to, but it doesn't give any other details.
While on the matter, I'm fairly sure that there is even no way for you to retrieve the value of the Server Key that was used by the Sender in the first place.
With all that said, so long as it is a valid Server Key, it should be compatible to use for both GCM and FCM. From what I've experienced, I had a Server Key originally generated from my Developer Console, and after I imported the project to Firebase, the Server Key that appeared in the Cloud Messaging tab was still the same (I'm not so sure if that's still the case though).
Nonetheless, Server Key used for GCM should still be compatible for FCM.
I have an android project in which GCM is implemented. Back-end (server) is already coded suitably with GCM.
Now is it possible to add firebase (FCM) in my project and work in parallel with GCM? I cant migrate to FCM because it is impossible to change my back-end code as it is a big project and too much code is there. Has anyone done something like this?
Please help. Thanks in advance.
Though my particular case might be a bit specific, because the project I am involved in has a very specific backend, it seems to me FCM interoperates well with GCM, i.e you can have both in your app, GCM and FCM broadcast receivers / receiver services, and they will both work as well with no conflicts.
This has a huge advantage because you don't have to decide with migration at once, you can do this more gradually.
Well done, Google!
No, you can not use both FCM and GCM at same time. GCM is the old version and that it is strongly recommended to use FCM.
Why is Google Cloud Messaging (GCM) part of Firebase? How does it relate to Firebase Cloud Messaging (FCM)?
Google is investing in Firebase, making it our unified mobile
platform.
Over the last few years, we have expanded GCM to send messages to
multiple platforms beyond Android: iOS and Chrome. Firebase is known
for being cross platform, so FCM now makes a natural fit in the
Firebase suite of features designed for Android, iOS, and mobile web.
Another core value of Firebase is cross-feature integration. We are
adding the ability for other Firebase features to easily send messages
via FCM. For example, you can use Firebase Notifications to send
reengagement messages to your users.
We think that GCM will be even more useful to developers as an
integrated part of Firebase. You can still get the same great product,
now under a new name: "Firebase Cloud Messaging," or FCM for short.
Is GCM going to be deprecated?
We will continue to support the current version of GCM Android and iOS
SDKs because we know a lot of developers are using GCM SDKs today to
handle notifications, and client app upgrade takes time.
But all new client-side features will be added to FCM SDKs only moving
forward. You are strongly encouraged to upgrade to FCM SDKs.
You can get more details here
As per FAQ you don't need additional server configuration when you're migrating your client app from GCM to FCM, so just use FCM in your android app.
Here's the docs on how to migrate your app
I find the problem to use both GCM and FCM together. You will get to different deviceToken and one of these token get NotRegistered error.
For my FCM token always get NotRegistered error but the app is active and not uninstalled and my GCM token is valid and gets a push notification.
Suppose I have an application in which people suscribes to receive a notification when some event in a bar is created. I would also like to draw an icon in a google map when a bar is added. I read about Google Cloud Messaging and also Firebase which Google advertises as the improved version of the former. What are the advantages and disadvantages of both?
Yes No Difference as you read, Google Cloud Messaging is the traditional way to send push notifications and downstream message to Android.
Now with the addtional of new product Firebase (bought), google making some changes for efficient use. So they just renamed GCM as FCM (new improved version), along the change now you using FCM can send push notifications to iOS devices as well and more new features,
In fact you can register push token using Firebase and send api signal to GCM server, still the message would reach the device.
You can read this FAQ, https://firebase.google.com/support/faq/#gcm-fcm
Google Cloud Messaging is DEPRECATED 4/10/2018!
As of April 10, 2018, Google has deprecated GCM. The GCM server and client APIs are deprecated and will be removed as soon as May 29, 2019. Migrate GCM apps to Firebase Cloud Messaging (FCM), which inherits the reliable and scalable GCM infrastructure, plus many new features. See the migration guide to learn more.
https://developers.google.com/cloud-messaging/faq
Why is GCM being deprecated?
Simplifies client development. You no longer have to write your own registration or subscription retry logic.
Enables a new serverless notifications solution with a web console, the Firebase Notifications console. With the Notifications console, anyone can send notifications to target specific audiences based on Firebase Analytics insights. The console has deep integration with Google Analytics, Firebase predictions, and Firebase A/B testing.
Includes ongoing feature enhancements/updates such as the HTTP v1 API.
Provides better delivery reporting and more reliable delivery
I have created a small App that's able to receive Push Notifications from the FCM Console.
What i want to do now is to send a Push-Notifications to all Android Phones that got the app Installed using the API. And this is where i got completely lost.
Is there no way to send it to all Phones without collecting all the registration-ids?
Does this only work with the Console but not with the API?
thanx in advance
Sending a message to all the phones like what you do from the Firebase Web Console is only possible from the Web Console.
If you need this feature from the API you can submit a feature request:
https://firebase.google.com/support/contact/bugs-features/
Another possibility is to have all the client registering to a specific topic via FirebaseMessaging.getInstance().subscribeToTopic(topicName)
In this way you can send a message to the whole topic without collecting the registration-ids manually.