0

For a little project I want to send push notifications directly from the app (without a backend).

As I read from the FCM documentation while this is technically possible with a simple HTTP POST request it's discouraged because in this way I have to hard-code the server key that will become easily retrievable with a little of reverse engineering.

So I though to add my server key in the Firebase remote configuration and use that.

What do you think? Are there some contraindications?

Thank you very much.

AL.
  • 33,241
  • 9
  • 119
  • 257
Gnammo
  • 225
  • 2
  • 8

1 Answers1

2

Storing the key in Firebase Remote Config doesn't make the approach secure. After all: the app still needs to be able to access the key and thus remote config.

Any solution that uses the server key in the client-side code is susceptible to abuse.

Frank van Puffelen
  • 418,229
  • 62
  • 649
  • 645
  • Hi Frank, thanks for the clear explanation. Do you have any suggestions to handle the authentication on my simple server in order to avoid non-authorized push sent? – Gnammo Mar 07 '17 at 11:41