Android automatic SMS verification - Google’s SMS retriever API

Siva Ganesh Kantamani
Published in Programming Geeks
Jan 3, 2019

Android keeps getting better over time in every respect, security included. Starting with Android M, Google gave users control over permissions such as Read SMS, Storage, Contacts, etc. Now Google allows only one app at a time to read and manage your messages, i.e. only the default messenger app of your choice (I think it was the most necessary step).
Because Google is preventing apps from reading SMS, it has introduced the SMS Retriever API, which gives apps access to the messages sent from their own servers so that tasks like OTP autofill can continue to work.

Message Format

Before getting into action, you should know the new format of OTP messages introduced by Google. Have a look at the format:

<#> SampleApp: Your verification code is 143567
QbwSot12oP

A glance at the format might already give you an idea. Let me explain it briefly.
There are two conditions we should follow:

  1. The message should start with <#>, which indicates to the system that this is an OTP message.
  2. The message should end with the hashcode generated using the command prompt or the AppSignatureHelper class. Based on this hashcode, the system passes the message to the respective app. How to generate the hashcode is explained in the following steps.

The image below represents how SMS Retriever API works

Now let’s get into action.

Step 1

Importing necessary libraries

Following are the mandatory libraries to integrate SMS Retriever API into your project.

Step 2 (Optional) :

Obtain the phone number through hint picker shown as below

Retrieve the phone number in onActivityResult

Step 3 :

Start SMS Retriever

After the user has submitted the phone number, we should initiate SMS retrieval task as shown below

Step 4:

Create broadcast receiver

To receive the message from SMS Retriever API

Register the receiver in the manifest file with the intent filter com.google.android.gms.auth.api.phone.SMS_RETRIEVED (the value of the SmsRetriever.SMS_RETRIEVED_ACTION constant).

After you receive the message in the receiver, you can pass it to your activity, where you can finish user authentication.

Step 5 :

Remember the AppSignatureHelper class mentioned above? Now is the time to implement it. As you have noticed, the message format contains the hashcode of your app. You can generate this hashcode from the command prompt, which is a bit complicated for those who don’t have experience with CMD, so we take the simplest way to get the hashcode: the AppSignatureHelper class. Be aware that you should remove the AppSignatureHelper class from your code once you have the hashcode from Logcat.

Run the AppSignatureHelper class in the base application as shown below

Things you must do

  1. Remove the AppSignatureHelper class from your project before going to production.
  2. Debug and release APKs might have different hashcodes, so make sure you get the hashcode from the release APK.
  3. Implement before Jan 9th, 2019 and upload to the Play Store if your app has any of the above-mentioned permissions.
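
The message format and the Step 5 hashcode, as an added example (not code from the original post or from Google): a small off-device script that derives the hash for a given signing certificate and builds a well-formed OTP message. It assumes the hash is the first 11 Base64 characters of SHA-256 over the package name, a space, and the lowercase hex of the signing certificate, and that the message limit is 140 bytes; the package name and certificate bytes are constructed.

```python
import base64
import hashlib
import re

MAX_SMS_BYTES = 140  # assumption: length limit for SMS Retriever messages
HASH_PATTERN = r"[A-Za-z0-9+/]{11}"  # 11 Base64 characters


def app_hash(package_name: str, cert_der: bytes) -> str:
    """Return the 11-character app hash for a package and signing certificate.

    Assumed algorithm: SHA-256 over "<package> <lowercase hex of certificate>",
    keep the first 9 bytes, Base64-encode, keep the first 11 characters.
    """
    app_info = f"{package_name} {cert_der.hex()}".encode("utf-8")
    digest = hashlib.sha256(app_info).digest()[:9]
    return base64.b64encode(digest).decode("ascii")[:11]


def build_otp_sms(app_name: str, code: str, hash_code: str) -> str:
    """Build a message in the format shown above; reject malformed input."""
    if re.fullmatch(HASH_PATTERN, hash_code) is None:
        raise ValueError("hash must be exactly 11 Base64 characters")
    sms = f"<#> {app_name}: Your verification code is {code}\n{hash_code}"
    if len(sms.encode("utf-8")) > MAX_SMS_BYTES:
        raise ValueError("message exceeds 140 bytes")
    return sms


# Constructed stand-ins for the DER bytes of two signing certificates.
DEBUG_CERT = bytes.fromhex("3082010a0282010100") + b"debug-key"
RELEASE_CERT = bytes.fromhex("3082010a0282010100") + b"release-key"
PACKAGE = "com.example.sampleapp"  # hypothetical package name

if __name__ == "__main__":
    # Same package, different signing key: the hash changes, so an SMS
    # carrying the debug hash is never delivered to the release build.
    for label, cert in (("debug", DEBUG_CERT), ("release", RELEASE_CERT)):
        hash_code = app_hash(PACKAGE, cert)
        print(label, hash_code)
        print(build_otp_sms("SampleApp", "143567", hash_code))
```

The hash only routes the message to the right app and is not a secret; the OTP itself still has to be verified on the server.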

WHY you should implement SMS Retriever API

From Jan 9th, 2019, Google will remove apps with the READ SMS and CALL LOG permissions from the Play Store if they don’t explain the necessity.

Advantages of SMS Retriever API for your audience

With the SMS Retriever API, there are two main advantages for Android users:

  1. From now on, not every app with the READ SMS permission can access your personal data such as messages.
  2. Usually, to auto-fill an OTP we give an Android app this access, and it’s better to turn that permission off after the process is completed (otherwise the app will have access to each and every message on the phone), but how many people will do that? With the SMS Retriever API, apps won’t ask for the READ SMS permission to auto-fill an OTP.

If you have any difficulty in implementing or anything I have missed in the process, please let me know in the comments below.


Thank you for reading.
