0

I want to authenticate a phone number with Firebase using SafetyNet and not reCAPTCHA verification. I am following the Firebase documentation here: https://firebase.google.com/docs/auth/android/phone-auth

  • In the Google APIs Console I enabled the Android Device Verification API.
  • In the Firebase console I added the SHA-256 fingerprint.
  • Reinstalled google-services.json and added it to the project.

It always redirects me to a web page to verify I am not a robot. I tried removing

implementation 'androidx.browser:browser:1.3.0'

But the app crashes.

This is the code I am using for SafetyNet and it always succeeds but then shows the web page. I want to know how to prevent the app from always redirecting to reCAPTCHA verification although the attest function works fine.

private fun checkSafetyNet() {
    if (GoogleApiAvailability.getInstance().isGooglePlayServicesAvailable(context)
        == ConnectionResult.SUCCESS
    ) {
        val nonce =
            (getString(R.string.app_name) + Random.nextInt(100) + getString(R.string.otp_verification)).toByteArray()
        SafetyNet.getClient(this.requireActivity())
            .attest(nonce, API_KEY)
            .addOnSuccessListener {
                // Indicates communication with the service was successful
                setFirebasePhoneVerificationCallbacks()
                startPhoneNumberVerification()
            }.addOnFailureListener { e ->
                // An error occurred while communicating with the service.
                if (e is ApiException) {
                    // An error with the Google Play services API contains some
                    // additional details.
                    val apiException = e as ApiException
                    Log.i("SAFETYERROR", apiException.message.toString())
                    // You can retrieve the status code using the
                    // apiException.statusCode property.
                } else {
                    // A different, unknown type of error occurred.
                    Log.d("SafetyNetError", "Error: " + e.message)
                }
            }

    } else {
        // Prompt user to update Google Play services.
    }
}
Ichigo Kurosaki
Doha

1 Answer

3

As per Firebase, the reCAPTCHA flow will only be triggered:

  1. When SafetyNet is unavailable.

  2. If the user does not have Google Play Services support or when you are testing your app on an emulator.

  3. Your device does not pass suspicion checks.

If your device is rooted or the device bootloader is in the UNLOCKED state, then due to the 3rd case the reCAPTCHA verification will be visible in the app.

Check your app logs for the tag "SafetyNet" and confirm whether your device bootloader is locked or unlocked.

In case of an unlocked bootloader, SafetyNet will give the advice LOCK_BOOTLOADER, as mentioned in the screenshot. Logs example:

"SafetyNetAttestationVerifier E No SafetyNet AttestationResponse passed."

"SafetyNetAttestationVerifier E Unable to parse SafetyNet AttestationResponse"

"SafetyNetAttestationVerifier E SafetyNet Attestation fails basic integrity."

"SafetyNetAttestationVerifier E SafetyNet Attestation has advice: XXXXXXXX"

In case of unlocked bootloader

Himanshi Thakur
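An added example, not code from the question, the answer or Firebase: a successful `attest()` call only means the service replied, so this helper decodes the returned JWS payload to show the verdict fields (`basicIntegrity`, `ctsProfileMatch`, `advice`) that the log lines above refer to. `Verdict`, `readVerdict` and `sampleJws` are hypothetical names, the sample token is constructed, `advice` is assumed to be a comma-separated string, and the signature is not verified, so this is for on-device diagnosis only.

```kotlin
import android.util.Base64
import org.json.JSONObject

// Verdict fields carried in the SafetyNet attestation payload.
data class Verdict(
    val basicIntegrity: Boolean,
    val ctsProfileMatch: Boolean,
    val advice: List<String>,
    val nonceMatches: Boolean
)

// Decodes the payload (middle segment) of the compact JWS returned by attest().
// The JWS signature is NOT checked here; a real trust decision belongs on a
// server that validates the certificate chain and signature first.
fun readVerdict(jws: String, sentNonce: ByteArray): Verdict {
    val parts = jws.split(".")
    require(parts.size == 3) { "Not a compact JWS: expected 3 segments" }
    val json = String(Base64.decode(parts[1], Base64.URL_SAFE), Charsets.UTF_8)
    val payload = JSONObject(json)
    // The payload echoes the request nonce as base64; compare it to what was sent.
    val echoed = Base64.decode(payload.optString("nonce"), Base64.DEFAULT)
    val advice = payload.optString("advice")
        .split(",").map { it.trim() }.filter { it.isNotEmpty() }
    return Verdict(
        basicIntegrity = payload.optBoolean("basicIntegrity", false),
        ctsProfileMatch = payload.optBoolean("ctsProfileMatch", false),
        advice = advice,
        nonceMatches = echoed.contentEquals(sentNonce)
    )
}

// Constructed sample token shaped like the result for an unlocked bootloader.
fun sampleJws(nonce: ByteArray): String {
    val flags = Base64.URL_SAFE or Base64.NO_WRAP or Base64.NO_PADDING
    fun enc(s: String) = Base64.encodeToString(s.toByteArray(), flags)
    val body = JSONObject()
        .put("nonce", Base64.encodeToString(nonce, Base64.NO_WRAP))
        .put("basicIntegrity", true)
        .put("ctsProfileMatch", false)
        .put("advice", "LOCK_BOOTLOADER")
        .toString()
    return enc("{\"alg\":\"RS256\"}") + "." + enc(body) + "." + enc("constructed-not-a-signature")
}

// In the success listener (response is the AttestationResponse):
//   val v = readVerdict(response.jwsResult, nonce)
//   Log.i("SafetyNet", "basic=${v.basicIntegrity} cts=${v.ctsProfileMatch} advice=${v.advice}")
// For sampleJws(n), readVerdict returns ctsProfileMatch=false, advice=[LOCK_BOOTLOADER].
```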