What would happen if an FCM Registration token leaks?


Aaron

Oct 17, 2023, 11:45:51 PM
to Firebase Google Group
Hello Firebase team, 

According to the About FCM messages - Credentials documentation, the registration token should be kept secret. I'm interested in understanding the potential risks associated with the leakage of the registration token.

At present, the mobile app I'm developing stores the registration token in local storage without any encryption. Would it be possible for hackers to intercept messages on a different device if they obtain the leaked token? For instance, if user A's registration token is leaked, could hackers receive user A's messages on their own devices? 

Ori Idan

Oct 18, 2023, 9:56:12 AM
to fireba...@googlegroups.com
If a registration token is leaked, a hacker could send your users phishing messages that users may think are your messages and regard as safe.

-- 
Ori Idan CEO Helicon Books
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/e05d8e7a-b84a-494f-bda7-9ce01f643157n%40googlegroups.com.

Arthur Thompson

Oct 19, 2023, 8:12:41 PM
to fireba...@googlegroups.com
Hi Aaron and Ori,

A registration token alone is insufficient to send a message to the corresponding device. The HTTP request used to send the messages must be authenticated with a Service Account, so while it is recommended to keep device tokens secret, it is more important to ensure that your Service Account credentials are kept safe, since tokens are not the only way that devices can be targeted to send messages.

A leaked token on its own cannot be used to send messages to your users. A leaked token cannot be used to receive messages meant for a particular token. Storing the token within your application's storage space is a safe approach.

I hope this helps,
Arthur.
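The point Arthur makes above, that the registration token only addresses a device while the Service Account credential is what authorizes the send, is easiest to see in the shape of an FCM HTTP v1 request. The block below is an added example for this thread, not code from Firebase or from any of the posters: it builds the v1 send request, refuses to build one without a Service Account access token, hashes the registration token for logging (the docs say to keep it secret, so it should not land in log files), and maps the FCM error responses that matter to the action a sender should take. The project id, tokens and error bodies are constructed; the `access_token` is assumed to have been minted from your Service Account JSON key (see the usage note).

```python
"""
Added example, not code from the thread or from Firebase: sending an FCM HTTP v1
message to one registration token and handling the errors that matter.
The registration token only travels in the request body; what authorizes the
send is the OAuth 2.0 access token in the Authorization header, minted from the
project's Service Account. Project id, tokens and messages here are constructed.
"""
import hashlib
import json
import urllib.error
import urllib.request

FCM_V1_URL = "https://fcm.googleapis.com/v1/projects/{project_id}/messages:send"


def token_fingerprint(registration_token: str) -> str:
    """Short SHA-256 prefix so a registration token never lands in log files."""
    return hashlib.sha256(registration_token.encode("utf-8")).hexdigest()[:12]


def build_send_request(project_id: str, access_token: str, registration_token: str,
                       title: str, body: str) -> urllib.request.Request:
    """Build the HTTP v1 send request. A Service Account access token is mandatory;
    FCM answers 401 UNAUTHENTICATED without it, so refuse to build the request."""
    if not access_token:
        raise ValueError("Service Account access token required; "
                         "a registration token alone does not authorize a send")
    payload = {"message": {"token": registration_token,
                           "notification": {"title": title, "body": body}}}
    return urllib.request.Request(
        FCM_V1_URL.format(project_id=project_id),
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json; UTF-8"},
    )


def classify_send_error(http_status: int, error_body: bytes) -> str:
    """Map an FCM v1 error response to the action the sender should take.
    The FCM-specific errorCode sits in error.details[] under the FcmError @type."""
    error_code = ""
    try:
        for detail in json.loads(error_body)["error"].get("details", []):
            if detail.get("@type", "").endswith("google.firebase.fcm.v1.FcmError"):
                error_code = detail.get("errorCode", "")
    except (ValueError, KeyError, AttributeError):
        pass  # non-JSON or unexpected body: fall back to the HTTP status alone
    if http_status == 404 or error_code == "UNREGISTERED":
        return "delete_token"          # token expired or app uninstalled: drop it from your DB
    if error_code == "SENDER_ID_MISMATCH":
        return "wrong_project"         # token was issued for a different sender id
    if http_status in (401, 403):
        return "fix_service_account"   # the credential, not the device token, is the problem
    if http_status in (429, 500, 503):
        return "retry_with_backoff"
    return "give_up"


def send_to_token(project_id: str, access_token: str, registration_token: str,
                  title: str, body: str) -> str:
    """Perform the send and return the message name FCM assigns (network call)."""
    req = build_send_request(project_id, access_token, registration_token, title, body)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)["name"]
    except urllib.error.HTTPError as exc:
        action = classify_send_error(exc.code, exc.read())
        # Log the fingerprint, never the raw token.
        raise RuntimeError(f"send to token {token_fingerprint(registration_token)} failed "
                           f"(HTTP {exc.code}); action: {action}") from exc
```

To obtain `access_token` from a Service Account key with the google-auth library, load the key with `google.oauth2.service_account.Credentials.from_service_account_file(path, scopes=["https://www.googleapis.com/auth/firebase.messaging"])`, call `refresh()` on it with a `google.auth.transport.requests.Request()`, and read its `.token`. That key file is the credential worth protecting; a registration token copied out of a device's local storage still cannot produce the Authorization header above.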

Aaron

Oct 20, 2023, 11:47:57 PM
to Firebase Google Group
Hi Ori and Arthur,

Thank you for your explanation. However, my concern is not whether hackers can send notifications to users, but rather whether hackers can receive a user's notifications on their own device.

For example, is it possible for a hacker to register leaked tokens from their own device to the Firebase backend so that when the Firebase backend sends notifications to users' devices, the hacker's device can also receive user notifications?

Arthur Thompson

Oct 20, 2023, 11:52:23 PM
to fireba...@googlegroups.com
Hi,

A leaked token cannot be used to receive notifications sent to that token. Tokens are used to target devices but FCM uses other mechanisms to actually deliver messages to devices.
