Lucian Marica - 24 days ago
Android Question

Firebase FCM token as security token for Android

I am developing an Android app and wondering whether using FCM tokens also as authorization tokens (and dropping the current custom tokens) would be good practice.

Example scenario:

  1. When the application is started for the first time, the user gets a new FCM token.

  2. With the login data, the app also sends the token.

  3. On successful login, the token is stored on the server (with a generated expiration date) and will be sent from now on with each request from the client.

  4. The server uses the token for validation of the request and for sending push notifications.

  5. When the token expiration date has passed, the requests will fail and the user will be redirected to login.


Everything is good so far, but what about FCM token rotation?
Should I save the FCM token in shared preferences?
How about a user being logged in on multiple devices?

Any advice on the matter would be much appreciated.

Answer

This won't be good practice if you are using a token to verify client authenticity, as an FCM token will be the same for all accounts on that particular device. So in your case, you would be authenticating the device instead of the user.
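An added example, not code from the question or the answer, that models the separation the answer implies: the server issues a random per-login session token for authentication and records the FCM token only as a push target, so two accounts on one device share an FCM token without being confused, and FCM token rotation updates the push target without invalidating the session. The `Server` class, `SESSION_TTL` and the sample token strings are hypothetical values constructed for this illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

SESSION_TTL = 3600  # seconds; constructed value for the example


@dataclass
class Session:
    user: str
    expires_at: float
    fcm_token: str  # push delivery target only, never an identity


class Server:
    """In-memory stand-in for the server side (hypothetical)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}  # session_token -> Session

    def login(self, user: str, password_ok: bool, fcm_token: str, now: float) -> Optional[str]:
        # Authentication is decided by the credentials; the FCM token is just stored for push.
        if not password_ok:
            return None
        token = secrets.token_urlsafe(32)  # random, per login, bound to this user
        self.sessions[token] = Session(user, now + SESSION_TTL, fcm_token)
        return token

    def authenticate(self, session_token: str, now: float) -> Optional[str]:
        # Resolve a request to exactly one user, or reject it once expired.
        s = self.sessions.get(session_token)
        if s is None or now >= s.expires_at:
            self.sessions.pop(session_token, None)
            return None
        return s.user

    def users_for_fcm_token(self, fcm_token: str) -> Set[str]:
        # Demonstrates the answer's point: one FCM token can map to several accounts.
        return {s.user for s in self.sessions.values() if s.fcm_token == fcm_token}

    def rotate_fcm_token(self, session_token: str, new_fcm_token: str, now: float) -> bool:
        # Rotation only changes where pushes go; the authenticated session is untouched.
        user = self.authenticate(session_token, now)
        if user is None:
            return False
        self.sessions[session_token].fcm_token = new_fcm_token
        return True


def demo():
    srv, t0, device_fcm = Server(), 1_000_000.0, "fcm-device-A"  # constructed sample values
    alice = srv.login("alice", True, device_fcm, t0)
    bob = srv.login("bob", True, device_fcm, t0)  # second account on the same device
    return srv, alice, bob, device_fcm, t0
```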