I have an Android app that subscribes to a FCM topic named ("alert")....
I only want the signed,published version of my app Google Play Store to receive messages from the "alert" topic. I do not want an unsigned/debug APK a developer creates with the same package name to be able to subscribe to the topic an receive notifications, even if the unsigned/debug version has the google-services.json configuration. Is it possible to configure the FCM topic to restrict access to only my published app from Google Play Store?
I thought this was possible by configuring the API KEY used in the app from https://console.developers.google.com/apis/credentials, and specifying the key restriction to Android apps, and specify a package name and SHA1 from my signing certificate I used for the app...But it seems like even if I do this, an unsigned/debug version of my app still is able to successfully subscribe to the topic and receive messages.
There is currently no way to restrict users to subscribe to a topic.
FCM topics are public. There is no way to prevent specific users from subscribing to them -- in this case, users or app versions. So long as they are authorized to make a request and know the name of the topic, they could easily subscribe.