I'm kind of confused by this and haven't been able to find any explanation anywhere.
I understand that the Cloud Messaging API is now legacy, and I have an app using the new Firebase Messaging API, but I'm thrown off by the placement of the "update" in relation to the "Server key" section. This may be a stupid question, but I just want to make sure, that the use of Server Keys is not being phased out? For example, when setting up Push for APNS, there is no Server key option, you can use a .p12 file. Wondering if that "update message" means that Firebase is headed towards that private key/certificate model like Apple and phasing out Server keys all together and if I should stop using Server Keys for my apps. Thanks
Related
I have made my mobile app using firebase on iOS & I use callable functions to communicate with database.
When I try to perform a “man in the middle” attack/move using a simple app as Charles, I can see all my calls with the data I send, in plain text. When I use a well know app like iTunes I cannot decrypt anything (which I think is what we call ssl pinning)
I have 3 questions:
does firebase cloud functions (https.callable) handle ssl pinning ?
if not how can I protect from this ? Using node for my function, is it possible to request a ssl certificate from firebase and link it to functions ?
Does the mobile Sdk request are pinned ? I cannot see anything about read calls on my sniffing app.
Thank you all.
As per this post here by Doug, all data in and out of Google is encrypted (including the client SDKs). There is simply no way around this.
Now, you can take this a step further and prevent abuse by configuring App Check which, according to the documentation, provides an additional layer of security against billing fraud and phishing.
However, you will still need to check the authentication token (automatically passed in with onCall functions) to make sure the user is authorized to execute the functions they are calling.
Right now I have my Server Key for Firebase messaging hardcoded in my code.
Is this a security problem for when I deploy my app?
Can I get this key programatically?
Yes it's a security issue,according to this official document at the bottom says.
Important: Do not include the server key anywhere in your client code. Also, make sure to use only server keys to authorize your app server. Android, iOS, and browser keys are rejected by FCM.
And I don't think "get this key programmatically" is good idea because you still downloaded key to the client,or using other way to store in the client.
There's no way to protect in a serious way the key in your apk. Getting the key would be quite easy, so you have a big security issue and your poor security design could have bad conseguences, see for example what GDPR says about privacy. Remove the key, change it if possible and implement a server to communicate with your clients and send push messages.
For a little project I want to send push notifications directly from the app (without a backend).
As I read from the FCM documentation while this is technically possible with a simple HTTP POST request it's discouraged because in this way I have to hard-code the server key that will become easily retrievable with a little of reverse engineering.
So I though to add my server key in the Firebase remote configuration and use that.
What do you think? Are there some contraindications?
Thank you very much.
Storing the key in Firebase Remote Config doesn't make the approach secure. After all: the app still needs to be able to access the key and thus remote config.
Any solution that uses the server key in the client-side code is susceptible to abuse.
I've just opened a Firebase Cloud Messaging project intended for Android push messages.
The gear icon shows one server key (obfuscated here for obvious reasons):
I would like to have more than one key, so I can distribute them to servers and developers and revoke compromised keys if necessary.
How do I manage (add and delete) server keys in Firebase?
Update:
As of the moment, the way it should be done in order to generate a new Server Key, as stated in the docs:
Starting from Sept. 2016 new server key can only be created in the Firebase Console using the Cloud Messaging tab of the Settings panel. Existing projects that need to create a new server key can be imported in the Firebase console without affecting their existing configuration.
For the project migration steps, see my answer here.
For generating Server Keys, there is no way to generate one in the Firebase Console. It can be done via the Google Developers Console:
Go to your Google Developers Console
On the left-pane, click on Credentials
Under the Credentials Tab, Click on Create Credentials
Select API Key
Steps retrieved from my answer here
After you select API Key, it will directly create an API key without asking what type of key (Server, Android, Browser, iOS) it is. It will only allow you to set some Restrictions that was visible depending on which API Key you intend to generate.
By default, the key generated has No Restrictions, this makes a key vulnerable, that's why it is highly encouraged for you to add a restriction for your API key. In this case, since you are using it for FCM (Server Key is needed), you must add an IP Address restriction and only allow specific server IP addresses.
With that said, I don't know how you plan to integrate multiple server keys to a single Firebase Project though. Why not just make use of the IP Addresses restriction and remove the server IP address that are deemed compromised?
It's not possible to have multiple cloud messaging server keys per project. I'd suggest you to have multiple Firebase projects for your application development staging environments.
If needed, you can then re-generate the server key in the Google Developer Console.
On the top-left corner of the screen, verify that the correct
project is selected.
On the left-side panel, click Credentials.
Under Credentials tab, click Server key (auto created by Google
Service).
Click Regenerate key button
A confirmation box will show up asking if you'd like to replace the current key, then click Replace key button.
Note that the new key will be available immediately. The current key will be deactivated permanently in 24 hours.
After all of these steps, you can check that the cloud messaging server key of your Firebase project is now updated.
In Firebase, the Server Key is auto-generated. If you check out the Firebase project in the Google Developer Console, it will be listed as such. You can then create more Keys from there (but will not be listed in the Firebase Console, from what I can tell).
Basically, you can better manage the keys thru the Google Developer Console.
Hope this helps!
You should avoid distributing API keys for the same project. If any one of those using the API keys are found to be abusing it then the entire project will be throttled, affecting all keys for the project.
If you do want to have multiple developers send notifications to your application then have each developer create a Firebase project then have the client register with each sender ID. You will still have the ability to rotate the API key for each developer, or have the client delete the token for a developer that you no longer want to receive messages from. This way any abuse from one developer does not negatively affect the project as a whole.
I've read the document about FCM, but I wonder if I should deploy a FCM server myself. Does the google cloud platform not provide FCM server? Or do I must implemented my own FCM server refering to the official reference implementation, gcm-playgroud?
It depends. (How's that for an answer?)
By "server", I'm assuming you mean, "Code I will be running on the server level to communicate with the FCM service". And honestly, the answer depends on whether or not you need extra functionality that's not supplied by the Firebase Notifications panel.
You can do a lot with Firebase Notifications, including sending scheduled messages, or sending messages to individual users, topics, or Audiences. But that is work that is done manually. If you just want to send the occasional promotional message to your users, you shouldn't need a server.
On the other hand, maybe you've got a messaging app and you want to send a notification to your user anytime they receive a new message. Well, that's clearly something that needs to be automated, and that requires some server-side code. So for that, you will need to set up your own server that communicates with FCM.