Remediation for Exposed Firebase Cloud Messaging (FCM) Server Keys

This information is intended for developers with app(s) that contain exposed Firebase Cloud Messaging (FCM) server keys.

What’s happening

One or more of your apps contain exposed FCM server keys. A malicious attacker could use the exposed keys to send push notifications to all users of your vulnerable app. The attacker would control the content of such notifications, and they could range from offensive messages to graphic/disturbing images. Please review the detailed steps below to fix the issue with your apps.  The locations in your app that expose FCM server key(s) can be found in the Play Console notification for your app.

Action required

1. Update your app and exposed FCM keys using the steps highlighted below.

   1. If you have the legacy FCM API enabled for your app, and are not using it to send push notifications, then disable legacy FCM API,
   2. If you have the legacy FCM API enabled, and are using it to send push notifications, then you can take take any of the following two steps:
      1. (Recommended) Migrate to using FCM v1 API and disable legacy FCM API.
      2. Secure your use of legacy FCM API by:
         1. If you are using the exposed key only for FCM API: 
            1. Generate a new key from Firebase Console > Project Settings > Cloud Messaging by clicking on “Add Server Key”.  Use this new server key for sending FCM messages from your secure server environment. Make sure you only use this key from your secure server environment and that it is not included in your client code (apps, binaries). 
            2. Once you have migrated to sending FCM messages using the newly generated server key, delete the exposed server keys from GCP console. The locations in your app that expose FCM server key(s) can be found in the notification email from Google Play. Step c. describes how you can obtain the exposed keys from these locations. 
         2. If you are using the exposed key for other APIs including FCM, then:
            1. Migrate to using FCM v1 API and disable legacy FCM API.
            2. To future proof your other API usages, consider migrating away from using the exposed key for the other APIs, and eventually delete the exposed key from GCP Console.
   3. Once you have done one of the above steps, delete the exposed FCM server key from your app code. The locations in your app that expose FCM server key(s) can be found in the notification email from Google Play. To obtain the exposed keys, check your app's code at the vulnerable location. The key could either be embedded in that location as a string, or loaded in that location from your app's XML resources; in the latter case, check your app's res/values/strings.xml file to obtain the exposed key. Please note the following:
      • If you perform the above steps but do not delete the exposed keys from your app, you will continue to receive vulnerability notifications in your email/Google Play Console. 
      • If you delete the exposed keys from your app but do not perform the above steps, you do not actually fix the problem since an attacker can simply find the key in an older version of your app and use it to attack your app.

2. Submit your updated APK

To submit an updated app bundle or APK:

1. Go to your Play Console.
2. Select the app.
3. Go to the App bundle explorer.
4. Select the non-compliant APK/app bundle's App version at the top right dropdown menu, and make a note of which releases they are under.
5. Go to the track with the policy issue. It will be one of these 4 pages: Internal / Closed / Open testing or Production.
6. Near the top right of the page, click Create new release. (You may need to click Manage track first)
   • If the release with the violating APK is in a draft state, discard the release.
7. Add the policy compliant version of app bundles or APKs.
   • Make sure the non-compliant version of app bundles or APKs is under the Not included section of this release. For further guidance, please see the "Not included (app bundles and APKs)" section in this Play Console Help article.
8. To save any changes you make to your release, select Save.
9. When you've finished preparing your release, select Review release.

If the non-compliant APK is released to multiple tracks, repeat steps 5-9 in each track.

Upon resubmission, your app will be reviewed again. This process can take several hours. If the app passes review and is published successfully, then no further action is required. If the app fails review, then the new app version will not be published and you will receive an email notification.

We’re here to help

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.