SMS Retriever API for Automatic SMS Verification (Secure Android OTP)

Mehul Kabaria
Simform Engineering
3 min read, May 10, 2019
Credit: https://www.telesign.com/wp-content/uploads/2017/08/hero.jpg

Why we should implement SMS Retriever API

From January 9th, 2019, Google removes apps from the Play Store that request the READ_SMS and CALL_LOG permissions unless they have an approved use case (a permissions declaration explaining why the app needs them).

Since Android M (6.0), permissions such as Read SMS, Storage and Contacts are granted at runtime, so users decide individually which of them an app gets and can revoke them later.

Because Google is restricting apps from reading SMS, it introduced the SMS Retriever API. Play services delivers only the verification messages sent by your own server (recognized by the <#> prefix and the app hash at the end of the message) to your app, with no SMS permission at all, so tasks like auto-filling an OTP still work.

The image below shows how the SMS Retriever API works.

Credit: https://developers.google.com/identity/sms-retriever/flow-overview.png

Message Format

Before getting into the implementation you should know the message format Google requires for SMS Retriever. Here is an example:

<#> Your ExampleApp code is: 134567
SbgGot12oP

There are three conditions the message must satisfy:

  1. It must start with <#>, which marks it as a verification message that SMS Retriever should deliver to an app.
  2. It must end with the 11-character app hash, generated with the command-line tool or the AppSignatureHelper class described in the steps below. Play services uses this hash to deliver the message only to the app whose package name and signing certificate produce it, so one app cannot receive another app's codes. (The hash in the example above is a placeholder; a real hash is always 11 characters.)
  3. The whole message must be no longer than 140 bytes and must contain the one-time code your server generated.

Let's start with the Android-side implementation. It takes only 5 steps to integrate.

Step 1

Add the Play services auth dependency (com.google.android.gms:play-services-auth, which contains the SmsRetriever client) to your module-level build.gradle.

Step 2 (Optional)

Optionally, let the user pick their phone number from the Play services hint picker (a HintRequest with setPhoneNumberIdentifierSupported(true), launched through getHintPickerIntent) instead of typing it.

Read the selected phone number back in onActivityResult.

Step 3

Start SMS Retriever

After retrieving the phone number, start the retriever with SmsRetriever.getClient(context).startSmsRetriever(). The returned Task succeeds once Play services is listening; it then waits up to 5 minutes for a matching message, after which your receiver gets a TIMEOUT status instead of a message.

Once the retriever is started (not before, or the message could arrive while nothing is listening), send the user's phone number to your verification server by whatever means your app already uses. The server generates the one-time code and sends the SMS in the format described above.

Step 4 (Create a BroadcastReceiver to receive verification messages)

Register the receiver in AndroidManifest.xml with an intent filter for the action com.google.android.gms.auth.api.phone.SMS_RETRIEVED (SmsRetriever.SMS_RETRIEVED_ACTION). The receiver has to be exported so that Play services can reach it, so restrict its sender with android:permission="com.google.android.gms.auth.api.phone.permission.SEND"; only Play services holds that permission, which stops other apps from injecting a fake verification broadcast.

In onReceive, read SmsRetriever.EXTRA_STATUS from the extras: on CommonStatusCodes.SUCCESS the full message text is in SmsRetriever.EXTRA_SMS_MESSAGE, on CommonStatusCodes.TIMEOUT no matching message arrived within 5 minutes. After receiving the SMS, extract the one-time code from the message body and pass it to your Activity.

Step 5

Now it is time to implement the AppSignatureHelper class mentioned above. You have seen the app hash at the end of the message format; you can generate it from the command line, which is a bit complicated for those without command-line experience, so the simplest way is the AppSignatureHelper class. Keep in mind that the hash is derived from your package name and signing certificate, so debug and release builds produce different hashes: compute it with the certificate the installed app is actually signed with (with Play App Signing, that is the app signing certificate shown in the Play Console, not your upload key).

Be aware that you should remove the AppSignatureHelper class from your code once you have read the hash from Logcat; it is only needed once, at development time.

Run the AppSignatureHelper class in your base Application class as shown below:

val appSignature = AppSignatureHelper(this) // this: the Application context
appSignature.appSignatures // the helper logs the 11-character hash to Logcat

Command-line tool to generate the hash. Replace MyAndroidKey, MyProductionKeys.keystore and com.example.myapp with your release key alias, keystore and package name. The pipeline hashes "<package> <hex of the signing certificate>" with SHA-256, base64-encodes the digest and keeps the first 11 characters, which is exactly what AppSignatureHelper computes:

keytool -exportcert -alias MyAndroidKey -keystore MyProductionKeys.keystore | xxd -p | tr -d "[:space:]" | echo -n com.example.myapp `cat` | sha256sum | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11
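The following is an added example, my own code rather than code from the article or from Google's SDK. The Android client stays in Kotlin as the steps above describe; this is the server-side counterpart in Python, where the verification SMS is actually built. It reproduces the arithmetic of the AppSignatureHelper class and the keytool pipeline above (SHA-256 over "<package> <hex of signing certificate>", first 9 bytes, base64, first 11 characters), generates a code, builds a message that meets the three rules from the Message Format section, validates such a message, and extracts the code from the body the way the receiver in Step 4 would. The package name com.example.myapp and the certificate bytes are constructed placeholders; in production the bytes are the DER encoding of your release signing certificate.

```python
"""Added example: SMS Retriever app hash and message format, server side.

Not code from the article or from Google. The package name and the
certificate bytes below are constructed placeholders.
"""
import base64
import hashlib
import re
import secrets
from typing import Optional

# Constructed placeholders. In production, cert_der is the DER encoding of the
# release signing certificate (what `keytool -exportcert` prints and what
# PackageInfo.signatures holds on the device).
SAMPLE_PACKAGE = "com.example.myapp"
SAMPLE_CERT_DER = bytes(range(256)) * 2

# SMS Retriever limits the whole message to 140 bytes and requires the
# 11-character app hash at the very end of the text.
MAX_MESSAGE_BYTES = 140
HASH_LENGTH = 11


def app_hash(package_name: str, cert_der: bytes) -> str:
    """Compute the 11-character app hash for one package/certificate pair.

    AppSignatureHelper hashes "<package> <lowercase hex of DER cert>", keeps
    the first 9 bytes of the SHA-256 digest, base64-encodes them without
    padding and returns the first 11 characters. The keytool pipeline
    base64-encodes the full digest and cuts to 11 characters, which gives the
    same string because 9 bytes encode to exactly the first 12 characters.
    """
    data = f"{package_name} {cert_der.hex()}".encode("utf-8")
    digest = hashlib.sha256(data).digest()
    return base64.b64encode(digest[:9]).decode("ascii")[:HASH_LENGTH]


def generate_code(digits: int = 6) -> str:
    """Generate a one-time code from the OS CSPRNG, zero-padded."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def build_message(app_name: str, code: str, hash_str: str) -> str:
    """Build a verification SMS: <#> prefix, the code, the hash as last line."""
    if len(hash_str) != HASH_LENGTH:
        raise ValueError("app hash must be exactly 11 characters")
    message = f"<#> Your {app_name} code is: {code}\n{hash_str}"
    if len(message.encode("utf-8")) > MAX_MESSAGE_BYTES:
        raise ValueError("SMS Retriever messages must be at most 140 bytes")
    return message


def validate_message(message: str, expected_hash: str) -> bool:
    """Check the three format rules against the hash of the receiving app."""
    return (
        message.startswith("<#>")
        and message.endswith("\n" + expected_hash)
        and len(message.encode("utf-8")) <= MAX_MESSAGE_BYTES
    )


def extract_code(message: str, digits: int = 6) -> Optional[str]:
    """Pull the numeric code out of the message body, ignoring the hash line.

    The hash is base64 and may itself contain runs of digits, so only the
    text before the final line is searched.
    """
    body = message.rsplit("\n", 1)[0]
    match = re.search(rf"\b\d{{{digits}}}\b", body)
    return match.group(0) if match else None


if __name__ == "__main__":
    h = app_hash(SAMPLE_PACKAGE, SAMPLE_CERT_DER)
    msg = build_message("ExampleApp", generate_code(), h)
    print(msg)
    print("valid:", validate_message(msg, h), "code:", extract_code(msg))
```

Feed app_hash the DER bytes of your real signing certificate and it prints the same value the keytool pipeline and AppSignatureHelper produce, which is a convenient way to confirm you hashed the right certificate before shipping the server change.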

Advantages of SMS Retriever API

Now you should have a good idea of the SMS Retriever API; let me also share the benefits it brings to Android users:

  1. Since Android M, an app cannot silently read your SMS inbox: READ_SMS is a runtime permission that you have to grant.
  2. Usually, to auto-fill an OTP we grant an app that permission, and it would be better to turn it off again once the process is complete (otherwise the app keeps access to each and every message on the phone), but how many users do that? With the SMS Retriever API, apps do not ask for the READ_SMS permission at all to auto-fill an OTP; they only ever see the verification messages addressed to them.

If you have any difficulty in implementing or anything I have missed in the process, please let me know in the comments below.

Believe it or not, this is my very first try at writing a blog and sharing my knowledge with the community. I am really excited and hope to share more in the coming future!


Mehul Kabaria
Simform Engineering

Lead Engineer (Android & Flutter) @Simform | Google Certified Associate Android Developer | Android | Java | Kotlin | Flutter | React