Android Question SOLVED - Exposed Firebase Cloud Messaging Server Keys

gregorio_adrian_gimenez

Active Member
Licensed User
Longtime User
Hello everyone!!
I wanted to ask if you can help me solve this problem.
The Firebase Cloud Messaging key is exposed. How can I protect it in B4A? Google gave me 7 days to solve it, otherwise it will remove the app.
It is currently declared as a Process_Global variable:
   Private FCM_KEY As String = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXx"
in module FirebaseMessaging.

I would appreciate it if you could help me with this issue.
Regards
 

DonManfred

Expert
Licensed User
Longtime User
"I would appreciate it if you could help me with this issue."
You should NOT(!!) include it in an Android app. ;-)

Solution: Send the info to your server and send the notification from your server instead of from the B4A app. No need to include the code in the Android app at all. The key is more secure on your server too.

From the Firebase Messaging library thread (I marked the important info bold):
"See the code in the attached B4J tool. Note that the API_KEY should be set in the B4J code. It shouldn't be distributed in your app."
 
Upvote 1

udg

Expert
Licensed User
Longtime User
As @DonManfred already told you, your FCM API key should be safely stored on your server. This is the golden rule.

Another approach that you may consider, if you absolutely have to send a message from your mobile app without a mid-layer on a server, is the following:
1. Store the FCM key in your online DB
2. Read the key into a temp variable at app startup (or when needed)
3. Use the key to send your message

This way the key won't plainly show in your code, but anyone disassembling the code will find how to retrieve it from your DB.
 
Upvote 0

gregorio_adrian_gimenez

Active Member
Licensed User
Longtime User
Thank you very much for your recommendations!
Create an .ini file with the key inside and add it to DirAssets.
That solved the problem with Google!!!!
Now, I don't know if the method is safe, but it is surely better than before.


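Code for the API key:
Sub apiKey As String
    Try
        ' code.ini was added to the app's files, so it is read from DirAssets
        If File.Exists(File.DirAssets, "code.ini") Then
            ' Return the file content itself ("Return API_KEY = ..." would return a comparison result)
            Return File.ReadString(File.DirAssets, "code.ini")
        End If
    Catch
        Log(LastException)
    End Try
    ' File missing or unreadable: return an empty string so every path returns a value
    Return ""
End Sub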

Big hello to all!!
 
Upvote 0
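
The following pre-release check is an added example, not code from this thread: it scans your own APK for key-shaped strings before you upload it. An APK is a ZIP archive, so a key declared as a string constant (as in the first post) is readable in classes.dex and a key placed in code.ini under DirAssets is readable in assets/, which is why the replies above say to keep it on the server. The regex shapes, FAKE_KEY and the sample APK are assumptions constructed for the example.

```python
import io
import re
import zipfile

# Assumed key shapes, taken from commonly published secret-scanner rules
# (not from the thread); adjust them to the format of your own key.
KEY_PATTERNS = {
    "fcm_server_key": re.compile(rb"AAAA[A-Za-z0-9_-]{7}:[A-Za-z0-9_-]{140}"),
    "google_api_key": re.compile(rb"AIza[0-9A-Za-z_-]{35}"),
}

# Constructed placeholder with the length of a server key; not a real credential.
FAKE_KEY = b"AAAAEXAMPLE:" + b"0" * 140


def redact(value):
    """Show only enough of a match to recognise it in a build log."""
    return value[:6].decode("ascii") + "...(%d bytes)" % len(value)


def scan_apk(apk):
    """Return sorted (entry name, key kind, redacted match) for every hit.

    zipfile decompresses each entry, so both string constants in
    classes.dex and files under assets/ are searched.
    """
    hits = set()
    with zipfile.ZipFile(apk) as archive:
        for entry in archive.infolist():
            if entry.is_dir():
                continue
            data = archive.read(entry)
            for kind, pattern in KEY_PATTERNS.items():
                for match in pattern.finditer(data):
                    hits.add((entry.filename, kind, redact(match.group())))
    return sorted(hits)


def build_sample_apk(key_entry):
    """Constructed stand-in for an APK with FAKE_KEY stored in key_entry."""
    entries = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00"}
    entries[key_entry] = entries.get(key_entry, b"") + FAKE_KEY + b"\x00"
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    buffer.seek(0)
    return buffer


if __name__ == "__main__":
    for where in ("classes.dex", "assets/code.ini"):
        print(where, scan_apk(build_sample_apk(where)))
```

Run `scan_apk` on the release APK path in your build step and fail the build when the returned list is not empty.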