Using Google’s SafetyNet reCAPTCHA API with Android
The SafetyNet service includes a reCAPTCHA API that you can use to protect your app from malicious traffic.
reCAPTCHA is a free service that uses an advanced risk analysis engine to protect your app from spam and other abusive actions.
Step 1: Go through reCAPTCHA Terms of Service
Please read and understand all applicable Terms of Service before accessing the APIs.
Step 2: Registering a reCAPTCHA key pair
To register a key pair, go to the reCAPTCHA Android signup site, add a unique label for your key, provide the package name of each app that uses this API key, and copy the site key and secret key that appear on the next page.
Step 3: Adding a SafetyNet API dependency
    apply plugin: 'com.android.application'
    ...
    dependencies {
        // 'compile' has been removed from current Gradle versions; use 'implementation'.
        implementation 'com.google.android.gms:play-services-safetynet:11.8.0'
    }
Step 4: Finally it is time to be Human 😎
Wherever you want to invoke the captcha widget use the following code:
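    // Imports: com.google.android.gms.safetynet.{SafetyNet, SafetyNetApi},
    // com.google.android.gms.common.api.{ApiException, CommonStatusCodes},
    // com.google.android.gms.tasks.{OnSuccessListener, OnFailureListener}.
    // "this" is the calling Activity. Pass it directly: casting an Activity to
    // Executor compiles but throws ClassCastException at runtime.
    SafetyNet.getClient(this).verifyWithRecaptcha(YOUR_API_SITE_KEY)
        .addOnSuccessListener(this,
            new OnSuccessListener<SafetyNetApi.RecaptchaTokenResponse>() {
                @Override
                public void onSuccess(SafetyNetApi.RecaptchaTokenResponse response) {
                    // Indicates communication with reCAPTCHA service was successful.
                    String userResponseToken = response.getTokenResult();
                    if (!userResponseToken.isEmpty()) {
                        // Validate the user response token using the
                        // reCAPTCHA siteverify API.
                    }
                }
            })
        .addOnFailureListener(this, new OnFailureListener() {
            @Override
            public void onFailure(@NonNull Exception e) {
                if (e instanceof ApiException) {
                    // An error occurred when communicating with the reCAPTCHA service.
                    ApiException apiException = (ApiException) e;
                    int statusCode = apiException.getStatusCode();
                    Log.d(TAG, "Error: " + CommonStatusCodes.getStatusCodeString(statusCode));
                } else {
                    // An unknown type of error occurred.
                    Log.d(TAG, "Error: " + e.getMessage());
                }
            }
        });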
Step 5: Validate the user’s response token on the server
When the reCAPTCHA API executes the onSuccess() method, the user has successfully completed the CAPTCHA challenge, but the response token still has to be validated by your backend server. Send the token from the app to your backend, and have the backend, which holds the secret key, make the following POST request:
API Request URL: https://www.google.com/recaptcha/api/siteverify
Method: POST
POST Parameters:
- secret: Required. The shared key between your site and reCAPTCHA.
- response: Required. The user response token provided by reCAPTCHA, verifying the user on your site.
- remoteip: Optional. The user’s IP address.
API Response:
    {
      "success": true|false,
      "challenge_ts": timestamp,   // timestamp of the challenge load
      "apk_package_name": string,  // the package name of the app
      "error-codes": [...]         // optional
    }
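A backend-side sketch of the check described in Step 5, added here as an example and not part of the original article: it posts the token to siteverify and then accepts the result only if success is true, apk_package_name matches your app, and challenge_ts is recent. The package name, the freshness window, the clock-skew tolerance and the ISO 8601 format of challenge_ts are assumptions of this example.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
EXPECTED_PACKAGE = "com.example.app"   # assumption: package registered in Step 2
MAX_TOKEN_AGE = timedelta(minutes=2)   # assumption: freshness window for this example
CLOCK_SKEW = timedelta(seconds=30)     # assumption: tolerated clock difference


def call_siteverify(secret, token, remote_ip=None):
    """POST secret/response (and optional remoteip) and return the parsed JSON."""
    params = {"secret": secret, "response": token}
    if remote_ip:
        params["remoteip"] = remote_ip
    body = urllib.parse.urlencode(params).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def evaluate(result, now=None):
    """Decide whether a parsed siteverify response should be accepted."""
    if result.get("success") is not True:
        codes = result.get("error-codes") or ["unknown"]
        return False, "rejected: " + ",".join(codes)
    # A token solved in a different app must not unlock this backend.
    if result.get("apk_package_name") != EXPECTED_PACKAGE:
        return False, "unexpected package"
    try:
        # Assumes challenge_ts is an ISO 8601 string such as 2024-01-01T12:00:00Z.
        ts = datetime.fromisoformat(str(result["challenge_ts"]).replace("Z", "+00:00"))
    except (KeyError, ValueError):
        return False, "bad challenge_ts"
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    age = (now or datetime.now(timezone.utc)) - ts
    if age > MAX_TOKEN_AGE or age < -CLOCK_SKEW:
        return False, "stale token"
    return True, "ok"


def verify_token(secret, token, remote_ip=None):
    """Full server-side check: call siteverify, then apply the local policy."""
    try:
        return evaluate(call_siteverify(secret, token, remote_ip))
    except (OSError, ValueError):
        # Fail closed when the verification service cannot be reached or parsed.
        return False, "verification unavailable"
```

Load the secret key from server-side configuration only; the app should send just the token to your own endpoint, which calls verify_token() and gates the protected action on the result.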
Happy coding :)
Conclusion
You now know how to use the SafetyNet reCAPTCHA API to secure your Android app and back-end infrastructure against bots. You don’t have to worry about automated signups, screen scrapers, or bot-generated spam any more.