Android Question SOLVED -Exposed Firebase Cloud Messaging Server Keys

gregorio_adrian_gimenez

Active Member
Licensed User
Longtime User
Hello everyone!!
I wanted to ask if you can help me solve this problem.
the cloudmessaging firebase key is exposed, how can I protect it in B4A? Google gave me 7 days to solve it, otherwise it removes the app
is currently declared Process_Global
variable: 
   Private FCM_KEY As String = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXx"
in module FirebaseMessaging

I appreciate if you can help me with this issue.
Regards
 
Sort by date Sort by votes

DonManfred

Expert
Licensed User
Longtime User
gregorio_adrian_gimenez said:
I appreciate if you can help me with this issue.
Click to expand...
You should NOT(!!) include it in a Android App. ;-)

Solution: Send a info to your Server and send the Notification from within your Server instead from the B4A App. No need to include the code in the Androidapp at all. The key is more secure on your Server too.

From the Firebase Messaging Library-Thread (i marked the important info bold)
See the code in the attached B4J tool. Note that the API_KEY should be set in the B4J code. It shouldn't be distributed in your app.
Click to expand...
 
Last edited:
Upvote 1

udg

Expert
Licensed User
Longtime User
As @DonManfred already told you, your FCM API key should be safely stored on your server. This is the gold rule.

Another approach that you may consider, if you absolutely have to send a message from your mobile app without a mid-layer on a server, is the following:
1. store the FCM key in your on-line DB
2. read at app's startup (or when needed) the key in a temp variable
3. use the key to send your message

This way the key won't plainly show in your code, but anyone disassembling the code will find how to retrieve it from your DB.
 
Upvote 0

gregorio_adrian_gimenez

Active Member
Licensed User
Longtime User
Thank you very much for your recommendations!
Create an .ini file with the key inside and add it to DirAssets.
That solved the problem with google!!!!
now, not if the method is safe but better before sure.


code API KEY: 
Sub apiKey As String
    
    Try
        If File.Exists(File.DirAssets,"code.ini") Then
        
            Return API_KEY= File.ReadString(File.DirAssets,"code.ini")
        
        End If

    Catch
        Log(LastException)
    End Try


End Sub

Big hello to all!!
 
Upvote 0
You must log in or register to reply here.

Similar Threads

  • Question
Android Question FirebaseNotifications - Server Key not found
Replies
2
Views
771
LGS
B
  • Question
Android Question Facebook - Extends FirebaseAuth - Error Msg: "Invalid key hash..."
Replies
6
Views
3K
Bob Spielen
B
  • Question
Android Question GCM Exposed Key
Replies
13
Views
3K
Marcos Alves
  • Question
Android Question Remediation for Exposed GCP API keys
Replies
9
Views
4K
mmieher
  • Question
Android Question firebaseauth-authenticate error
Replies
13
Views
2K
ermales
Menu
Log in
Register
Cookies are required to use this site. You must accept them to continue using the site. Learn more…