在FCM（Firebase云消息传递）中，在通知中包含令牌是否安全？

Question

When sending push notification to an Android device using FCM, is it safe to include token in the notification body? Will this somehow violate security/privacy or GDPR?

In the firebase documentation ( https://firebase.google.com/docs/cloud-messaging/concept-options ), their example includes notification token in the notification:

{
  "message":{
    "token":"bk3RNwTe3H0:CI2k_HHwgIpoDKCIZvvDMExUdFQ3P1...",
    "notification":{
      "title":"Portugal vs. Denmark",
      "body":"great match!"
    }
  }
}

Instead can we do something like this?

{
  "message":{
    "token":"bk3RNwTe3H0:CI2k_HHwgIpoDKCIZvvDMExUdFQ3P1...",
    "notification":{
      "token":"bk3RNwTe3H0:CI2k_HHwgIpoDKCIZvvDMExUdFQ3P1...",
      "title":"Portugal vs. Denmark",
      "body":"great match!"
    }
  }
}

If there is nothing wrong with including token in the notification, I was hoping I could include the token in the notification for client side check to filter receiving notification from expired token (token isn't always invalidated right away. At least in GCM it isn't)

NOTE: The reason I'm doing this is because when user uninstalls and reinstalls the app, the old token can still be active. Until Firebase's cron job goes and deletes old token, the old token can still be used. This is a problem if you have a separate server maintaining tokens. So I was hoping I could just include token in the notification to filter invalid notifications and invalidate old token on our private server.

Answer 1

In the example the token is being sent in the message, not in the notification. The notification is also part of the message.

The message is sent to the FCM server where, using the token, it will know to whom direct the notification.

About including the token in the notification, I would not do that.

Besides, the mobile device already has the token that has been sent to it when the device registered with FCM. And if the device hasn't registered for any reason, like an uninstall, then even if you add the token to the notification, it will not reach the device.

EDIT I

You won't be able to add a token in the notification that way (as an additional attribute). See how the json message has to be formed in the fcm docs. If there is a place you could set it (which I don't recommend doing) is as part of the data .

The reason not to include it is that there is no reason to do so:

The Token is not managed by your app, it is managed by the FCM server. You just need to take care of updating your server when the Token changes, in which case, the FCM api lets your app know by triggering a callback in the app ( onTokenRefresh() ). When you do this, you keep a copy of the token in shared preferences.

Following last point, the app already has the token. Sending it in each notification, if it gets to the mobile device, it is because it is still valid, so you already have it in shared preferences. On the other hand, if the token is invalid, then the message won't be received, and the app will never be aware about this. Things will come back to normal when the FCM server provides a new Token to the app. In which case the app is notified with a callback, and your app replaces the token in shared preferences and updates your server.