reCaptcha: Control malicious traffic to your App
When you build an Android app that talks to a REST API (GET, POST and so on), you also have to care about abuse of that API: nothing forces a client to go through your UI, so an attacker can script requests against the API directly, flooding your server or hammering endpoints such as sign-up and login. To help with this, Google introduced the SafetyNet reCAPTCHA API: the app obtains a token that a human solved the challenge, and your backend verifies that token with Google before it accepts the request.
How To Use reCaptcha In Your App(Android):
To use the SafetyNet reCAPTCHA API you first register your app on the reCAPTCHA Android sign-up site.
On the sign-up form you need to fill in the following inputs:
1. Label: must be unique; usually your company or organization name.
2. Package Name: your app's package name. You can list several packages if you want to use the reCAPTCHA API from more than one app.
3. Send Alert To Owners: tick the checkbox if you want alert mails about the reCAPTCHA API for this key.
After registering you get a Site Key and a Secret Key. The Site Key is embedded in the app and identifies your registration when the app requests a token. The Secret Key is the shared secret between your server and reCAPTCHA and is used to verify the user's token; it must stay on your backend and must never be compiled into the APK, because anything in the APK can be extracted.
Add API dependency in your app:
To use the SafetyNet reCAPTCHA API you need to add the following dependency in your Gradle project (check the Play Services release notes for the current version; 15.0.0 is the one used here):
dependencies {
    implementation 'com.google.android.gms:play-services-safetynet:15.0.0'
}
How To Use reCaptcha API:
Call
SafetyNet.getClient(context).verifyWithRecaptcha(API_SITE_KEY)
and attach onSuccess() and onFailure() listeners: onSuccess() receives the reCAPTCHA token, onFailure() receives the error. The token only proves that a challenge was solved; it is not the verdict. Hand it to your backend, which verifies it with the Secret Key (next section).
e.g.
import android.util.Log;
import android.view.View;
import android.support.annotation.NonNull; // androidx.annotation.NonNull on AndroidX projects
import com.google.android.gms.common.api.ApiException;
import com.google.android.gms.common.api.CommonStatusCodes;
import com.google.android.gms.safetynet.SafetyNet;
import com.google.android.gms.safetynet.SafetyNetApi;
import com.google.android.gms.tasks.OnFailureListener;
import com.google.android.gms.tasks.OnSuccessListener;

private void checkReCaptcha(View v) {
    OnSuccessListener<SafetyNetApi.RecaptchaTokenResponse> onSuccessListener =
            new OnSuccessListener<SafetyNetApi.RecaptchaTokenResponse>() {
        @Override
        public void onSuccess(SafetyNetApi.RecaptchaTokenResponse response) {
            String userResponseToken = response.getTokenResult();
            if (userResponseToken != null && !userResponseToken.isEmpty()) {
                // The token is only proof that a challenge was solved. Forward it to
                // your own backend together with the protected request; the backend,
                // not the app, calls siteverify with the Secret Key.
                // sendTokenToBackend() is a hypothetical helper for that POST.
                sendTokenToBackend(userResponseToken);
            }
        }
    };
    OnFailureListener onFailureListener = new OnFailureListener() {
        @Override
        public void onFailure(@NonNull Exception e) {
            if (e instanceof ApiException) {
                // Play Services reported a status code (e.g. network or invalid site key)
                ApiException apiException = (ApiException) e;
                int statusCode = apiException.getStatusCode();
                Log.d(TAG, "Error: " + CommonStatusCodes.getStatusCodeString(statusCode));
            } else {
                Log.d(TAG, "Error: " + e.getMessage());
            }
        }
    };
    SafetyNet.getClient(this).verifyWithRecaptcha(API_SITE_KEY)
            .addOnSuccessListener(this, onSuccessListener)
            .addOnFailureListener(this, onFailureListener);
}
Verify User Response:
After the app has obtained a token, your backend must verify it with Google. This step belongs on the server: it needs the Secret Key, and a client that verifies its own token can simply skip the check. Verification is a single request.
Make a request to
https://www.google.com/recaptcha/api/siteverify
Method: POST
The parameters are sent as ordinary form fields (application/x-www-form-urlencoded), not as a JSON document:
secret=api_secret_key&response=user_token&remoteip=user_ip
Secret Key: the shared key between your server and reCAPTCHA. Required.
Response: the user token the app received from reCAPTCHA. Required.
Remote IP: the IP address of the user, as seen by your server. Optional.
The reply is JSON with a "success" field, a "challenge_ts" timestamp, the "apk_package_name" the token was issued for, and, on failure, an "error-codes" array (for example "timeout-or-duplicate"). Check "success" and that "apk_package_name" is your own package; an HTTP 200 alone proves nothing. A token is valid for two minutes and can be verified only once, so verify it immediately and never accept the same token twice.
e.g. using Retrofit to make the POST request from the backend:
// Runs on your backend (Retrofit works on a plain JVM too). API_SECRET_KEY must
// never ship in the APK; the app only forwards the token it got from
// verifyWithRecaptcha(). clientIp is the caller's address as seen by your server.
import com.google.gson.annotations.SerializedName;
import java.util.List;
import retrofit2.Call;
import retrofit2.Callback;
import retrofit2.Response;
import retrofit2.Retrofit;
import retrofit2.converter.gson.GsonConverterFactory;
import retrofit2.http.Field;
import retrofit2.http.FormUrlEncoded;
import retrofit2.http.POST;

private void siteVerifyRequest(String tokenResult, String clientIp) {
    Retrofit retrofit = new Retrofit.Builder()
            .baseUrl("https://www.google.com/")
            .addConverterFactory(GsonConverterFactory.create())
            .build();
    RecaptchaVerifyService service = retrofit.create(RecaptchaVerifyService.class);
    // siteverify expects form-encoded POST fields, not a JSON body
    Call<VerifyResponse> verify = service.verify(API_SECRET_KEY, tokenResult, clientIp);
    verify.enqueue(new Callback<VerifyResponse>() {
        @Override
        public void onResponse(Call<VerifyResponse> call, Response<VerifyResponse> response) {
            VerifyResponse body = response.body();
            // HTTP 200 alone proves nothing: "success" must be true and the token
            // must have been issued for our own package, not some other app.
            if (response.isSuccessful() && body != null && body.success
                    && EXPECTED_PACKAGE.equals(body.apkPackageName)) {
                System.out.println("You are not a robot");
            } else {
                System.err.println("reCAPTCHA rejected: "
                        + (body == null ? "no body" : body.errorCodes));
            }
        }
        @Override
        public void onFailure(Call<VerifyResponse> call, Throwable t) {
            // Network or parse failure: treat as not verified, never as a pass
            System.err.println("fail: " + t.getMessage());
        }
    });
}

public interface RecaptchaVerifyService {
    @FormUrlEncoded
    @POST("recaptcha/api/siteverify")
    Call<VerifyResponse> verify(@Field("secret") String secret,
                                @Field("response") String token,
                                @Field("remoteip") String remoteIp); // null is omitted
}

// Fields of the siteverify JSON reply
class VerifyResponse {
    boolean success;
    @SerializedName("challenge_ts") String challengeTs;
    @SerializedName("apk_package_name") String apkPackageName;
    @SerializedName("error-codes") List<String> errorCodes;
}
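The same server-side verification as an added example in Python, covering the checks a backend should make on the siteverify reply (not code from the original post or from Google): the request is form-encoded, the reply is parsed, and a token is accepted only if "success" is true, "apk_package_name" matches the expected package, and "challenge_ts" is within the two-minute validity window. The package name com.example.app, the HTTP transport hook, and the sample replies are assumptions made for this example; the sample replies are constructed and follow the documented reply shape.

```python
"""Server-side verification of a SafetyNet reCAPTCHA token (added example)."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
MAX_TOKEN_AGE = timedelta(minutes=2)   # reCAPTCHA tokens expire two minutes after issue
CLOCK_SKEW = timedelta(seconds=30)     # tolerate a slightly fast client/Google clock


def build_siteverify_request(secret, token, remote_ip=None):
    """Return (url, body) for siteverify: form-encoded POST fields, not JSON."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    return SITEVERIFY_URL, urllib.parse.urlencode(fields).encode("ascii")


def evaluate_siteverify_response(body, expected_package, now=None):
    """Decide whether a siteverify reply proves a human in *our* app.

    Returns (accepted, reason). A bare "success": true is not enough: the token
    must have been issued for our package and must still be fresh.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return False, "malformed-json"
    if not isinstance(data, dict):
        return False, "malformed-json"
    if data.get("success") is not True:
        codes = data.get("error-codes") or ["unknown"]
        return False, "rejected:" + ",".join(codes)
    if data.get("apk_package_name") != expected_package:
        return False, "package-mismatch:%s" % data.get("apk_package_name")
    try:
        issued = datetime.fromisoformat(data["challenge_ts"].replace("Z", "+00:00"))
    except (KeyError, AttributeError, ValueError):
        return False, "bad-timestamp"
    age = (now or datetime.now(timezone.utc)) - issued
    if not (-CLOCK_SKEW <= age <= MAX_TOKEN_AGE):
        return False, "stale-token"
    return True, "ok"


def verify_token(secret, token, expected_package, remote_ip=None,
                 transport=None, now=None):
    """Full round trip. transport(url, body) -> reply bytes is injectable so the
    function can be exercised offline; the default performs the real HTTPS POST."""
    url, body = build_siteverify_request(secret, token, remote_ip)
    if transport is None:
        def transport(u, b):
            req = urllib.request.Request(u, data=b, method="POST")
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.read()
    return evaluate_siteverify_response(transport(url, body), expected_package, now)


# Constructed sample replies (documented field shape, invented values) and a
# fixed "now" so the freshness check is deterministic.
SAMPLE_NOW = datetime(2018, 5, 2, 12, 35, 30, tzinfo=timezone.utc)
SAMPLE_REPLIES = {
    "fresh": '{"success": true, "challenge_ts": "2018-05-02T12:34:56Z", '
             '"apk_package_name": "com.example.app"}',
    "stale": '{"success": true, "challenge_ts": "2018-05-02T12:30:00Z", '
             '"apk_package_name": "com.example.app"}',
    "other-app": '{"success": true, "challenge_ts": "2018-05-02T12:35:00Z", '
                 '"apk_package_name": "com.attacker.app"}',
    "replayed": '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
    "garbage": "<html>503 Service Unavailable</html>",
}


def run_samples(expected_package="com.example.app"):
    """Reason string for each constructed reply; only "fresh" is accepted."""
    return {name: evaluate_siteverify_response(reply, expected_package, now=SAMPLE_NOW)[1]
            for name, reply in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    for name, reason in run_samples().items():
        print("%-10s %s" % (name, reason))
```

The order of the checks matters: a replayed token is rejected by Google itself ("timeout-or-duplicate"), but a valid token minted for a different app registered under the same key pair would pass "success" and is caught only by the package comparison, which is why the backend compares "apk_package_name" against its own constant rather than trusting the reply.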