Firebase vulnerability
a recent incident on September 3, 2025 exposed a critical security gap in applications relying on Google's Firebase Cloud Messaging (FCM). this wasn't just a bug: it highlighted a widespread vulnerability that developers need to pay attention to today.
the heart of the problem
a security researcher discovered that many Android apps were embedding their FCM server keys directly inside their .apk files. since these files can be easily decompiled, attackers could extract these keys without much effort.
what could they do with a server key?
- send push notifications: they could send spam or phishing notifications to all users of an application. imagine your user base receiving malicious links from what looks like your official app.
- impersonate your backend: the key gives them the authority to act on behalf of your server when communicating with FCM.
this wasn't a theoretical vulnerability. it was exploited in the wild, affecting major apps like Microsoft Teams and Deliveroo, and leading to massive spam campaigns. the core issue wasn't a flaw in Firebase itself, but in how developers were storing and using their keys.
what does this mean for you?
while my library, Refirebase, simplifies working with Firestore, Auth, Storage, and more, it doesn't manage your FCM keys. that responsibility is still yours.
the key takeaway is simple: never, ever embed server keys or other sensitive credentials on the client side. this includes your mobile app, your frontend, or any code that runs on a user's device.
how to protect yourself
so, what’s the right way to handle this?
- use a backend proxy: your client application should not talk to FCM directly. instead, it should make a request to your own backend server (e.g., a Cloud Function, a Next.js API route, or an Express server). your backend then securely calls the FCM API with the server key, which is safely stored as an environment variable on your server.
- leverage Cloud Functions: Firebase Cloud Functions are perfect for this. you can create a simple HTTPS-triggered function that your app calls. the function's code, running in a secure Google environment, is where you use the FCM SDK to send the notification. the server key never leaves the server.
- review your code: if you've ever worked with FCM, do a quick audit of your client-side code. search for anything that looks like a server key. if you find one, revoke it immediately in the Firebase console and implement a backend proxy.
the temptation to take shortcuts is always there, especially when you're trying to ship fast. but when it comes to security, cutting corners can have disastrous consequences for you and your users. stay safe and keep your keys on the server