Sms retriever api android

Automatic SMS verification with SMS retriever API in Android

Nowadays, SMS verification is the best way that is being used by mobile applications for login purpose. There are many ways to automatically fill the OTP field by reading the message in our phone using READ_SMS permission. But, Google has strictly prohibited the usage of that permission for security purposes. You can read the full explanation here.

Since we can’t use the READ_SMS permission anymore, Google has given some other choices to implement automatic SMS verification using SMS Retriever API. With the SMS Retriever API, we can perform SMS-based user verification in our Android app automatically, without requiring the user to manually type verification codes, and without requiring any extra app permissions

* No need any sms permission for sms retriever api

In this article, we will learn our SMS Retriever API and see how this can be easily used for SMS verification. So, let’s get started.

Prerequisites

The SMS Retriever API is available only on Android devices with Play services version 10.2 and newer.

Step 01

Add the dependency in-app level Gradle file:

Step 02

Create SMS Broadcast Receiver to receive the message:

When a client’s phone receives any message containing a unique string, SMS Retriever API will broadcast the message with SmsRetriever.SMS_RETRIEVED_ACTION intent. Then, we should use a broadcast receiver to receive the verification message. In the BroadcastReceiver ‘s onReceive handler, we will get the text of the verification message from the Intent’s extras, then extract the verification code with regular expression:

Step 03

Init & Register the SMS Broadcast Receiver:

• Init this BroadcastReceiver with the intent filter SmsRetriever.SMS_RETRIEVED_ACTION in onCreate()
• Register the receiver in onResume()
• Unregister the receiver in onPause()

Start Sms Retriver API in onCreate()

Full MainActivity class looks like this:

Our coding is done! Now its time to construct the message.

** Construct Verification Message

Yes SMS retriever API doesn’t require any permission, but you have to make sure that the message follow these criteria:

• Be no longer than 140 bytes
• Contain a one-time code
• End with an 11-character hash string that identifies your app

Computing your app’s hash string

Google Play services uses the hash string to determine which verification messages to send to your app. The hash string is made of your app’s package name and your app’s public key certificate. To generate the hash string:

Let’s create a class named is AppSignatureHelper and paste the below code. This is the simplest way to get hash string. You can generate using CMD as well. Once you got hash string then that deletes helper class.

However, if you use the helper class, be sure to remove it from your app after you get the hash string. Do not use hash strings dynamically computed on the client in your verification messages.

Send the verification message by SMS

After you construct the verification message, send the message to the user’s phone number using any SMS system.

** Things you must do **

• Once you completed get the hash code to remove the AppSignatureHelper class from your project before going to live or production.
• In Android, Debug and Release APK’s have different hash string, Kindly make sure you get hash code from release build.

Be sure to give claps if you find something useful from this article. Find the source code from GitHub here.

Источник

Android automatic SMS verification — Google’s SMS retriever API

As time passes android is getting better in all means for example security, from Android M google has provided the users to have control over permissions like Read SMS, Storage, Contacts, etc. Now Google allows only one app at a time to read and manage your messages i.e only your default messenger app of your choice(I think it was the most necessary step).
As Google is preventing apps to read SMS it has introduced SMS Retriever API to give access to the messages received from there servers to continue with tasks like Autofill OTP, e.t.c.

Message Format

Before getting into action you should know the new format of OTP messages introduced by Google. Have a look at the format

By a glance at the format, you might have an idea. let me explain it briefly,
there two conditions we should follow

1. The message should start with , that will indicate this is an OTP message to the system.
2. The message should end with Hashcode generated using command prompt or AppSignatureHelper class, Based on this hashcode system will pass the message to the respective app. how to generate hashcode will be explained in the following steps.

The image below represents how SMS Retriever API works

Источник

Sms retriever api android

Automatic SMS Verification with the SMS Retriever API

This sample code is in JAVA, As per Google’s new policy with the SMS Retriever API, you can perform SMS-based user verification in your Android app automatically, without requiring the user to manually type verification codes, and without requiring any extra app permissions.

Warning as per the new policy

• Google restricts which Android apps can request Call Log and SMS permissions
• Only apps selected as the device’s default app for making calls or sending text messages will be able to access call logs and SMS data from now on.

Alert — this app will be impacted by a policy change. This app will be impacted by a change in the Google Play policy governing the use of SMS and CALL_LOG permissions. Apps that are not compliant may be removed from Google Play on Jan 9th, 2019.

• Enter or pick mobile number from smart lock hint selector and initiate SMS verification call to your server.
• App request your server to verify the entered mobile number.
• Your app calls the SMS Retriever API at the same time and listening for an SMS from your server.
• Your server sends an SMS message that includes a verification code and a hash to identify your app.
• When user’s device receives the SMS message, SMS Retriever API reads the SMS in your app.
• App extract verification code from SMS and sends to your server for code verification.
• Your server receives the verification code and after validating it can return success response to proceed.

The SMS Retriever API is available only on Android devices with Play services version 10.2 and newer.

The standard SMS format is given blow.

SMS alwayse starts with sign and have a hash key FA+9qCX9VSu to identify your app it is generated with your app’s package id. You just need to get this has key from app and share with your server. In next few steps you will see how to create hash keys.

AppSignatureHashHelper class is responsible to get Hash key associated with your app as per your packege id. This is only one time required to get your app’s hash key it would always be same unless you are changing app’s package id.

Declare this SMSReceiver in your app’s manifest file in side application tag.

Create SMSReceiver class that will listen SMS and extract code and create OTPReceiveListener that will communicate with Activities/Fragments.

Create SMSReceiver listener and Initiate SmsRetrieverClient.

You will receive OTP in call back methods implemented in you Activity/Fragment.

Obtain User’s Phone Number From Smart lock hint slector

How to run a sample

Clone or download the project open it with Android Studio compile and run it will work.

Server Side Implementation / SMS Guide

Источник

Android SMS Retriever​ API: To Auto Verify SMS

Content posted here with the permission of the author Chandrashekhar Sahu, who is currently employed at Josh Software. Original post available here.

The Android app needs SMS receive/read permission to retrieve SMS content.

Imagine an application where the use case is to get the SMS only for validating the user using OTP. And rest of the app does not use SMS reading feature again. Then in this case, it is a waste of the resources & time and of course code to check the SMS permissions.

To solve this problem, Google has introduced SMS Retriever API, this API allows to retrieve the OTP without needing of the SMS permission in your application.

Image Credit: Google

Dependency for SMS Retriever API

Obtain the user’s phone number (Phone Selector API)

First, we need the number of the user on which the OTP will be received. We create a hint request object and set the phone number identifier supported field to true.

Then, we get a pending intent from that hint request for the phone number selector dialogue.

Once the user selects the phone number, that phone number is returned to our app in the onActivityResult() .

Start the SMS retriever

When we are ready to verify the user’s phone number, get an instance of the SmsRetrieverClient object. Will call startSmsRetriever and attach success and failure listeners to the SMS retrieval task:

Our server can then send the message to the phone using existing SMS infrastructure or service. When this message is received, Google Play services broadcasts an intent which contains the text of the message.

We need to register this BroadcastReceiver in our Manifest file as follows

Construct a verification message:

When our server receives a request to verify a phone number, first construct the verification message that you will send to the user’s device. This message must:

• Be no longer than 140 bytes
• Begin with the prefix
• Contain a one-time code that the client sends back to your server to complete the verification flow (see Generating a one-time code)
• End with an 11-character hash string that identifies your app (see Computing your app’s hash string)

Otherwise, the contents of the verification message can be whatever you choose. It is helpful to create a message from which you can easily extract the one-time code later on. For example, a valid verification message might look like the following:

Optional: Save the phone number with Smart Lock for Passwords

Optionally, after the user has verified their phone number, We can prompt the user to save this phone number account with Smart Lock for Passwords so it will be available automatically in other apps and on other devices without having to type or select the phone number again.

Источник

Automatic SMS Verification Android

In this post, I’m going to show you how to implement automatic SMS verification with SMS Retriever API. Using SMS Retriever API you can perform SMS verification in your app automatically, without requiring extra permission.

Table of Contents

• Automatic SMS Verification Demo App
• Introduction
• Why you should use SMS Retriever API
• Understand the SMS verification process
• Step of ImplementationAdd gradle dependency in-app level
• Retrieve user’s content from the Phone
• Start SMS Retriever
• Create an SMS Broadcast Receiver
• Register SMS broadcast receiver in AndroidManifest
• Initiate the request for OTP
• Get SMS format & verification code in SMS Broadcast Receiver
• Test the Demo App
• Things you must do
• Technology Used
• Conclusion

1. Automatic SMS Verification Demo App

2. Introduction

I shared step by step process to implement automatic SMS verification in your Android App. Before that, Let’s understand the flow of SMS verification process.

The above figure gives you little bit clarity on SMS verification.

3. Why you should use SMS Retriever API

Google change some critical changes in policy. From Jan 19th, 2019 google removed all app from play store with permission CALL_LOG and READ_SMS

4. Understand the SMS verification process

Earlier, when user had to login in android app on Android Platform, They enter mobile number to receive OTP. Then they gives READ_SMS permission to app for reading SMS. Recently Google had made some important change in its policy. Now Android Platform removes this permission due to data security reasons. So now you have to copy code received through SMS. Go back to the app and enter that code manually to log in.

For overcoming this process, Google introduced SMS Retriever API to automatically fetch a verification code sent via SMS within the app. This way, user was not required to manually enter the code every time. Let’s follow the these given step to implement Automatic SMS Verification in an Android App.

5. Step of Implementation

Now, I will explain you step by step process to implement automatic SMS verification in your Android App

5.1 Add gradle dependency in-app level

Add the below lib in app level build.gradle for integrating SMS Retriever API in your project

5.2 Retrieve user’s content from the Phone

Obtain the phone number from device through hint picker for do that follow below step

• Setup Google API Client

• Get an available number in user phone

• Get Selected Number in onActivityResult

5.3 Start SMS Retriever

Once user submitted the phone, we should initiate SMS retrieval task

5.4 Create an SMS Broadcast Receiver

Let’s create a Broadcast Receiver to receive SMS from SMS retriever API

Create a listener that send the OTP to activity or fragment

5.6 Register SMS broadcast receiver in AndroidManifest

Open the Android Manifest and register the receiver with intent filter

5.7 Open activity_main.xml and paste below code

5.8 Initiate the request for OTP

Call server API for requesting OTP and when you got success start SMS Listener for listing auto read message listener

5.9 Get SMS format & verification code in SMS Broadcast Receiver

This receiver will receive the OTP and pass to the activity where you can finish authentication.

The full source code of MainActivity.java

6. Test the Demo App

When sever receive the request to OTP via REST API, Server will send OTP message to device. You have to follow below message format.

Message Format Must Be –

Google introduced a new format for OTP message. Follow below SMS format

• Prefix:
  • The message should start with
• Content: Your OTP is: 156367
• Postfix: Application key hash from Keystore (Debug or Release) eg. T61bL03HCN8
  • The message should end with hashcode. It received from LOG CAT generated by the AppSignature helper. Based on this system will pass the message to the respective app.

Let’s check below Example

You OTP is: 156367 T61bL03HCN8

For server side code you can follow below link

7. How to get APK’s hashcode for SMS construction

Let’s create a class named is AppSignatureHelper and paste the below code. This is the simplest way to get Hashcode. You can generate using CMD as well. Once you got hashcode than that deletes helper class.

Call getAppSignatures() methods in application onCreate()

8. Things you must do

• Once you completed get the hash code to remove the AppSignatureHelper class from your project before going to live or production.
• In Android, Debug and Release APK’s have different Hashcode, Kindly make sure you get hash code from release build.

9. Technology Used

Tool: Android Studio v3.3 with API 28 (Pie 9.0), SDK
Language: Java, XML

Conclusion

With the help of this android app tutorial, We have learned how to implement automatic SMS verification using SMS Retriever API. Later I will upload APK and Source code as well, So you can get source of this demo app.

Get Solution Code

If you have any comments and queries please put your comment below. If you looking to integrate the automatic SMS verification process in your android project, Feel free to content us.

Источник