2

So I'm new to Android development (which doesn't mean that I don't understand other people's code, just hands-on experience wise) and currently working on an Android app. The app was made by the previous person who left the job for which I was recently hired. The problem is, since Google has updated their policies not allowing us to use permissions such as READ_SMS and RECEIVE_SMS, the app that the previous person made is not being approved by Google for uploading to the Play Store.

My question: is there any way by which I can either replace Firebase authentication with SMS Retriever API but using Firebase at the end? Or is there any other way by which I can authenticate the user based on the OTP sent by Firebase but without permissions for RECEIVE_SMS or READ_SMS?

Currently, I've checked out SMS Retriever and it seems fit for our app, but I don't know if we can still go on to use Firebase.

Doug Stevenson

2 Answers

4

You don't really need SMS retriever API for Firebase Auth on Android. It will automatically read the SMS code and initialize the PhoneAuthCredential and pass it via the onVerificationCompleted callback to complete sign-in.

"Auto-retrieval: on some devices, Google Play services can automatically detect the incoming verification SMS and perform verification without user action. (This capability might be unavailable with some carriers.)"

You also get the benefit of instant verification where no SMS is even sent.

You can check the official docs to learn more.

bojeil
  • That's the functionality I have to remove. You see, Google is not allowing us to use RECEIVE_SMS and READ_SMS permissions and hence I'm finding an alternative way to this. Can you at least tell me how I can replace this whole thing with SMS Retriever API? – Krishna Chhabria Aug 06 '19 at 11:20
  • It says that: This uses the SMS Retriever API, which includes an 11 character hash at the end of the SMS message. How to add the 11 character hash at the end of the OTP message sent by Firebase? – Arjun May 12 '21 at 09:25
  • In these two cases, do we need to add the SMS reading permission and ask the user to give that permission explicitly? – Dipak Jun 01 '21 at 01:03
0

If you want to use Firebase Authentication as the registry for your users, so you can use security rules and integrate with other Firebase products, but want to provide your own mechanism to create and validate those users, you're going to have to implement a custom authentication provider. This requires that you provide your own backend to do all your auth work securely. You will not be able to trust the client app (even if you wrote the whole thing, as it might be compromised) to be secure enough to truly validate the claims of the end user.

The whole process is too much to explain in a single Stack Overflow answer, so please read the documentation to understand how custom auth works.

Doug Stevenson
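The server-side half of the custom auth approach described in the answer above, as an added example (not code from the answer or from Firebase): the backend issues and validates the OTP itself, and only after a successful check would it mint a Firebase custom token for the returned uid. `OtpVerifier`, the `phone:` uid scheme, the 5-minute lifetime and the 5-attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed lifetime of a code
MAX_ATTEMPTS = 5       # assumed guess limit per issued code


class OtpVerifier:
    """Hypothetical in-memory OTP store for a custom auth backend."""

    def __init__(self, clock=time.time):
        self._key = secrets.token_bytes(32)  # per-process HMAC key
        self._pending = {}  # phone -> [digest, expires_at, attempts_left]
        self._clock = clock

    def _digest(self, phone, code):
        # Store only a keyed hash, so a dump of the store does not reveal codes.
        msg = f"{phone}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        expires_at = self._clock() + OTP_TTL_SECONDS
        self._pending[phone] = [self._digest(phone, code), expires_at, MAX_ATTEMPTS]
        return code  # goes to the SMS gateway only, never back to the client

    def verify(self, phone, code):
        """Return the uid to mint a custom token for, or None on any failure."""
        entry = self._pending.get(phone)
        if entry is None:
            return None
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[phone]  # expired or locked out: force a new code
            return None
        entry[2] -= 1  # count the guess before comparing
        if not hmac.compare_digest(digest, self._digest(phone, code)):
            return None
        del self._pending[phone]  # single use: a replayed code fails
        # Next step (not performed here): pass this uid to the Admin SDK's
        # create_custom_token() and let the app call signInWithCustomToken().
        return "phone:" + phone
```

The client only ever submits the phone number and the code the user typed in; expiry, attempt counting and the decision to issue a token all stay on the backend, which is what lets the app drop READ_SMS and RECEIVE_SMS without trusting the device.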