Why is it bad practice to use an FCM Server Key on a Flutter/Android client?


Problem description

I'd like to send messages from my Flutter app using my Firebase Cloud Messaging (FCM) server key. But I'm told this is bad practice and should be done on the server-side. But as the code within APKs is invisible to users, why is it a security problem?

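import 'dart:convert';

import 'package:http/http.dart' as http;

// Placeholder for the FCM server key that ships inside the app binary
// (the practice the question asks about).
const String serverToken = '<FCM server key>';

Future<void> send() async {
  await http.post(
    // Current versions of package:http take a Uri, not a String.
    Uri.parse('https://fcm.googleapis.com/fcm/send'),
    headers: <String, String>{
      'Content-Type': 'application/json',
      // The server key is sent as the credential for the whole FCM project.
      'Authorization': 'key=$serverToken',
    },
    body: jsonEncode(
      <String, dynamic>{
        'notification': <String, dynamic>{
          'body': 'This is a body',
          'title': 'Banana'
        },
        'priority': 'high',
        'data': <String, dynamic>{
          'audioid': '139',
          'title': 'done all over time',
          'name': 'Greengirl'
        },
        'to': '/topics/test_fcm_topic',
      },
    ),
  );
}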

Recommended answer

In general, and not only regarding your specific question about FCM keys, your code within the APK isn't normally visible to your average users. But your APK code is definitely not safe from whoever tries hard enough to find it and reverse engineer it.

Almost nothing is impossible to reverse engineer. I used 'almost' because I can't confirm and say 'everything'.

FCM is free, but it's not about the money. Imagine somebody has your token and can send messages on your behalf to any of your other users?

Emails are free to use in general, however, would you mind sharing it with anybody else?
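
The answer's point that APK contents are recoverable can be turned into a release check. The following is an added example, not code from the original question or answer: a Python script that reads an APK (a ZIP archive) and flags any embedded string shaped like a legacy FCM server key. The regex is the pattern commonly used by secret scanners and is an assumption about the key format; `scan_apk`, `build_sample_apk` and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# Pattern commonly used by secret scanners for legacy FCM server keys.
# Assumption: the key has the legacy "AAAA<7 chars>:<140 chars>" shape;
# other credential formats need their own rule.
FCM_KEY_RE = re.compile(rb"AAAA[A-Za-z0-9_-]{7}:[A-Za-z0-9_-]{140}")


def scan_apk(apk_bytes):
    """Return sorted (entry_name, redacted_key) pairs for every match."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            data = apk.read(info)  # zipfile decompresses the entry for us
            for match in FCM_KEY_RE.finditer(data):
                key = match.group().decode("ascii")
                # Redact so the report itself does not leak the key.
                findings.add((info.filename, key[:8] + "..." + key[-4:]))
    return sorted(findings)


def build_sample_apk(with_key):
    """Constructed stand-in for a release APK; the key below is fake."""
    fake_key = b"AAAAexample:" + b"x" * 140
    blob = b"\x7fELF\x00Authorization\x00key=" + (fake_key if with_key else b"") + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        # Compiled app code is just bytes in the archive; string
        # constants in it can be found with a plain byte search.
        apk.writestr("lib/arm64-v8a/libapp.so", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for name, leaked in (("leaky build", True), ("clean build", False)):
        hits = scan_apk(build_sample_apk(leaked))
        print(name, "FAIL" if hits else "ok", hits)
```

Run against a real build artifact in CI by passing the file's bytes to `scan_apk` and failing the job when the result is non-empty.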
