Automatic SMS Verification with SMS Retriever API in Android

Automate SMS verification in a secure way using SMS Retriever API.

In the older system, SMS or OTP detection required SMS permissions from the user. It was a common use case for apps to automatically detect OTPs while logging in through mobile verification. However, the READ_SMS and RECEIVE_SMS permissions were considered dangerous in terms of privacy, as they granted access to all sensitive SMS content. To address these concerns, Google has introduced SMS Verification APIs that handle this task securely.

What is SMS Retriever API?

The SMS Retriever API in Android is a functionality offered by Google Play Services, enabling developers to automatically retrieve verification codes sent via SMS without user involvement.

This API streamlines the process of verifying a user’s phone number for purposes like authentication, account registration, or login, commonly utilized by banking apps and social media platforms.

SMS verification process

1. For mobile number verification, you need to implement the client side first.
2. Afterward, the server-side completes the verification procedure.

Typically, you send the user’s phone number to the server for verification. The server then sends a one-time password (OTP) code to the provided phone number.

The SMS Retriever API listens for an SMS containing an OTP code. Upon receiving the code, it sends it back to the server to complete the verification process.

The SMS Retriever API architecture

• Client: The client is the Android app that uses the SMS Retriever API. The client must first generate an app hash and then request listening for a new SMS. When the client receives an SMS containing an OTP, the SMS Retriever API triggers the onCodeReceived() method of the client.
• Server: The server is responsible for storing the OTP sent to users. Once the client receives an SMS containing an OTP, the SMS Retriever API sends the OTP to the server. The server then verifies the OTP and sends a success or failure message to the client in response.
• Google Play services: Google Play Services is crucial in facilitating communication between the client and the server. Additionally, it authenticates both the client and the server, ensuring a secure and reliable connection.

Why do we need to use Automatic SMS Retriever API?

• Improved user experience: By automatically retrieving OTPs, you can eliminate the need for users to enter them manually. This can make your app more user-friendly and less frustrating to use.
• Increased security: By eliminating manual OTP entry, you can reduce the risk of phishing attacks and other forms of fraud. Further, SMS Retriever API does not use READ_SMS and RECEIVE_SMS permission, safeguarding user SMS information.
• Reduced development time: The SMS Retriever API is a relatively easy API to use, saving you time and money during development.
• Improved compatibility: The SMS Retriever API is compatible with all Android devices running Android 5.0 (Lollipop) or later.

Implementation of SMS Retriever API

1. Add the following dependency to your project’s build.gradle file:

implementation 'com.google.android.gms:play-services-auth:19.0.0'

2. Register the broadcast receiver with the SMS Retriever API:

SmsBroadcastReceiver receiver = new SmsBroadcastReceiver();

// Register the receiver to receive all SMS messages.
registerReceiver(receiver, new IntentFilter(SmsRetriever.SMS_RETRIEVED_ACTION)

Note: Please do not forget to unregister BroadcastReceiver in onDestroy() method for preventing Memory leaks.

3. Create a broadcast receiver to receive SMS:

public class SmsBroadcastReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        if (SmsRetriever.SMS_RETRIEVED_ACTION.equals(intent.getAction())) {
            Bundle extras = intent.getExtras();
            Status status = (Status) extras.get(SmsRetriever.EXTRA_STATUS);

            switch (status.getStatusCode()) {
                case CommonStatusCodes.SUCCESS:
                    // Verification code retrieved successfully
                    String message = (String) extras.get(SmsRetriever.EXTRA_SMS_MESSAGE);
                    // Process the message and extract the verification code
                    break;
                case CommonStatusCodes.TIMEOUT:
                    // SMS retrieval timed out
                    break;
            }
        }
    }
}

4. Call the startSmsRetriever() method to start listening for SMS:

SmsRetrieverClient client = SmsRetriever.getClient(context);
Task<Void> task = client.startSmsRetriever();

5. Register the BroadcastReceiver on Android Manifest:

<?xml version="1.0" encoding="utf-8"?>
<manifest 
    ...     >

    <application
        ...     >

        <receiver
            android:name=".MessageBroadcastReceiver"
            android:exported="true">
            <intent-filter>
                <action android:name="com.google.android.gms.auth.api.phone.SMS_RETRIEVED"/>
            </intent-filter>
        </receiver>
    </application>

</manifest>

6. The SMS will contain a one-time code that the user can use to verify their account.

7. When the user receives the SMS, your app will receive the one-time code through the broadcast receiver.

8. Your app can then send the one-time code to your server to verify the user’s account.

References

• SMS Verification APIs

Summing up

If you are developing an Android app that requires SMS verification, the SMS Retriever API is a great option. It can help improve the security, user experience, and development efficiency of your app.

So, keep experimenting!

Happy coding :)

Meanwhile, follow Simform Engineering blogs for more insights!