Automatic SMS verification with SMS retriever API in Android
Nowadays, SMS verification is the best way used by mobile applications for login. There are many ways to automatically fill the OTP field by reading the message on the phone using the READ_SMS permission. However, Google has strictly prohibited the use of that permission for security reasons. You can read the full explanation here.
Since we can’t use the READ_SMS permission anymore, Google has given another option for implementing automatic SMS verification: the SMS Retriever API. With the SMS Retriever API, we can perform SMS-based user verification in our Android app automatically, without requiring the user to manually type verification codes, and without requiring any extra app permissions.
* The SMS Retriever API does not need any SMS permission.
In this article, we will learn about the SMS Retriever API and see how it can easily be used for SMS verification. So, let’s get started.
Prerequisites
The SMS Retriever API is available only on Android devices with Play services version 10.2 and newer.
Step 01
Add the dependency in the app-level Gradle file:
Step 02
Create SMS Broadcast Receiver to receive the message:
When a client’s phone receives a message containing a unique string, the SMS Retriever API broadcasts the message with the SmsRetriever.SMS_RETRIEVED_ACTION intent. We then use a broadcast receiver to receive the verification message. In the BroadcastReceiver’s onReceive handler, we get the text of the verification message from the Intent’s extras, then extract the verification code with a regular expression:
Step 03
Init & Register the SMS Broadcast Receiver:
- Init this BroadcastReceiver with the intent filter SmsRetriever.SMS_RETRIEVED_ACTION in onCreate()
- Register the receiver in onResume()
- Unregister the receiver in onPause()
Start the SMS Retriever API in onCreate()
The full MainActivity class looks like this:
Our coding is done! Now it’s time to construct the message.
** Construct Verification Message **
The SMS Retriever API doesn’t require any permission, but you have to make sure that the message follows these criteria:
- Be no longer than 140 bytes
- Contain a one-time code
- End with an 11-character hash string that identifies your app
For example:
Your ExampleApp code is: 123456
FA+9qCX9VSu
Computing your app’s hash string
Google Play services uses the hash string to determine which verification messages to send to your app. The hash string is made of your app’s package name and your app’s public key certificate. To generate the hash string:
Let’s create a class named AppSignatureHelper and paste the code below. This is the simplest way to get the hash string. You can also generate it from the command line. Once you have the hash string, delete the helper class.
However, if you use the helper class, be sure to remove it from your app after you get the hash string. Do not use hash strings dynamically computed on the client in your verification messages.
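The message criteria and the hash derivation above can be checked on the server before anything is sent. The following Python sketch is an added example, not code from the original article or from Google: it computes the hash as SHA-256 over the package name, a space and the hex-encoded signing certificate, keeps the first 9 bytes, base64-encodes them and takes 11 characters, then builds and round-trips the sample message. The package name, certificate bytes and the 4-8 digit code format are constructed assumptions.

```python
import base64
import hashlib
import re
from typing import Optional

MAX_SMS_BYTES = 140   # size limit from the criteria above
HASH_LEN = 11         # length of the app hash string
CODE_RE = re.compile(r"\b\d{4,8}\b")  # assumption: 4-8 digit numeric code


def app_hash(package_name: str, cert_der: bytes) -> str:
    """SHA-256 over '<package> <lowercase cert hex>', first 9 bytes, base64, 11 chars."""
    app_info = f"{package_name} {cert_der.hex()}".encode("utf-8")
    digest = hashlib.sha256(app_info).digest()[:9]
    return base64.b64encode(digest).decode("ascii")[:HASH_LEN]


def build_message(app_name: str, code: str, hash_string: str) -> str:
    """Build the verification SMS and refuse anything that breaks the criteria."""
    if not CODE_RE.fullmatch(code):
        raise ValueError("one-time code must be 4-8 digits")
    if len(hash_string) != HASH_LEN:
        raise ValueError("hash string must be exactly 11 characters")
    message = f"Your {app_name} code is: {code}\n{hash_string}"
    if len(message.encode("utf-8")) > MAX_SMS_BYTES:
        raise ValueError("message is longer than 140 bytes")
    return message


def extract_code(message: str, hash_string: str) -> Optional[str]:
    """Pre-send round trip: the text must end with the hash and yield one code."""
    text = message.rstrip()
    if not text.endswith(hash_string):
        return None
    codes = CODE_RE.findall(text[: -len(hash_string)])
    return codes[0] if len(codes) == 1 else None


if __name__ == "__main__":
    # Constructed placeholder bytes, not a real certificate.
    release_cert = bytes.fromhex("3082010a0282010100c0ffee")
    print(app_hash("com.example.myapp", release_cert))
    print(build_message("ExampleApp", "123456", "FA+9qCX9VSu"))
```

Run app_hash once per signing certificate (debug and release produce different values) and store the result in server configuration.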
Send the verification message by SMS
After you construct the verification message, send the message to the user’s phone number using any SMS system.
** Things you must do **
- Once you have the hash code, remove the AppSignatureHelper class from your project before going live or to production.
- In Android, debug and release APKs have different hash strings. Make sure you get the hash code from the release build.
Be sure to give claps if you find something useful from this article. Find the source code from GitHub here.
Happy Coding :)