Good morning everyone. I recently had a problem with my app on the Play Store: Google has been removing it because the key is exposed. This is the message I get every time they remove my app:
Problem with your app
We discovered that your app contains security vulnerabilities, which may expose user information or damage a user's device. This is a violation of the device and network abuse policy. Specifically, your applications are vulnerable to exposed Firebase Cloud Messaging server keys. To fix this issue, follow the steps in this Google Help Center article.
Now that we know what the problem is, I will show the code I used to send notifications to users:
    RequestQueue myrequest = Volley.newRequestQueue(getApplicationContext());
    JSONObject json = new JSONObject();
    try {
        // Here the message is sent to the user who is carrying out the order process
        json.put("to", TicketDatos.token);
        JSONObject notificacion = new JSONObject();
        notificacion.put("titulo", "¡Hay un nuevo pedido!");
        notificacion.put("detalle", "Revisa tus pedidos activos para procesar el nuevo pedido");
        notificacion.put("click_action", "NUEVOPEDIDO");
        notificacion.put("id_cliente", Login.gIdCliente);
        notificacion.put("nombre_cliente", Login.nombre);
        json.put("data", notificacion);
        String URL = "https://fcm.googleapis.com/fcm/send";
        JsonObjectRequest request = new JsonObjectRequest(Request.Method.POST, URL, json, null, null) {
            @Override
            public Map<String, String> getHeaders() {
                Map<String, String> header = new HashMap<>();
                header.put("content-type", "application/json");
                // This is where I add the Firebase server key. At first I had the key
                // directly in the code, but now I get it from the database; however,
                // the problem persists.
                header.put("authorization", DatosPrincipales.serverKey);
                return header;
            }
        };
        myrequest.add(request);
    } catch (JSONException e) {
        e.printStackTrace();
    }
    } // closes the enclosing method (not shown)
When I was learning about notifications, I had already been warned that this code must be executed from the server and not from the app. However, my limited knowledge led me to send notifications to users this way, because it fits what I needed perfectly, and in fact it had always worked great for me, but unfortunately there is a security leak!!!
So how can I continue to use this method without getting this problem? I really need to run this code inside the app when users finish an order, and I haven't found another way to do it. If you need more code or more explanation, please let me know. Many thanks in advance for the help!!!
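
The warning mentioned in the post (send from the server, not from the app), as an added example that is not part of the original post: the backend keeps the FCM server key and builds the same request, while the app only reports which merchant the finished order belongs to, so the key and the device tokens never reach the APK. The names `DEVICE_TOKENS`, `FCM_SERVER_KEY`, `session`, `merchant_id` and both function names are assumptions, as is storing the bare key and adding the `key=` prefix on the server.

```python
import json
import os
import urllib.request

FCM_URL = "https://fcm.googleapis.com/fcm/send"  # endpoint used in the post

# Constructed sample data: device tokens live server-side, keyed by merchant id.
DEVICE_TOKENS = {"merchant-17": "constructed-device-token-abc"}


def build_order_notification(session, merchant_id, server_key, tokens=DEVICE_TOKENS):
    """Build the FCM request for a finished order.

    session     -- identity the server authenticated (never taken from the body)
    merchant_id -- the only value the app is allowed to choose
    """
    if not server_key:
        raise RuntimeError("FCM server key is not configured on the server")
    token = tokens.get(merchant_id)
    if token is None:
        # The app cannot name an arbitrary recipient token, so this is no open relay.
        raise ValueError("unknown merchant")
    payload = {
        "to": token,
        "data": {  # same keys as the payload in the post
            "titulo": "¡Hay un nuevo pedido!",
            "detalle": "Revisa tus pedidos activos para procesar el nuevo pedido",
            "click_action": "NUEVOPEDIDO",
            "id_cliente": session["client_id"],
            "nombre_cliente": session["name"],
        },
    }
    return urllib.request.Request(
        FCM_URL,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Authorization": "key=" + server_key},
        method="POST",
    )


def notify_new_order(session, merchant_id):
    """Called by the backend's order-finished handler; returns the HTTP status."""
    key = os.environ.get("FCM_SERVER_KEY", "")  # hypothetical variable name
    req = build_order_notification(session, merchant_id, key)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```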