Google’s SMS retriever API (making OTP verification pain free)

Chintan Desai
Published in AndroidPub · 3 min read · Nov 11, 2017


Image credit: Google

With the major release of Android 6.0 Marshmallow, Google changed the way applications access the user’s data by introducing system permissions.

Image credit: Google

Android divides system permissions into two categories:

  1. Normal Permissions
  2. Dangerous Permissions

There is also another type of permission called Special Permissions, which includes permissions such as SYSTEM_ALERT_WINDOW and WRITE_SETTINGS that are used less often.

Imagine an application whose only use for SMS is validating the user with an OTP. Nowhere else in the application do you use the SMS reading feature.

Requesting and checking the SMS permission for that one case is a waste of resources, time and code. This is where Google's SMS Retriever API helps: it lets you retrieve the OTP without needing the SMS permission in your application.

Let's get started with today’s topic. The following is the process of making your app SMS Retriever API ready.

First, you need the phone number on which the user will receive the OTP. You can request it with a HintRequest and read the result in onActivityResult().

In onActivityResult() you receive what the user selected. If you do not get a number, you can explicitly ask the user to enter it to complete the registration flow.

Before the SMS arrives, you need to start the SmsRetrieverClient to listen for the incoming message. Remember that it will wait for at most 5 minutes.

Now that you have the phone number, send it to your back-end server so that it can send the OTP to that number.

You must have a BroadcastReceiver to listen for the incoming message.

You need to register this BroadcastReceiver in your Manifest file as follows

The following changes take place at your back end.

  • The message must start with either of the following:
    * <#>
    * Two consecutive zero-width space characters (U+200B)
  • The message must not exceed 140 bytes.
  • It must contain a one-time code.
  • It must contain the special 11-character hash for your app. That hash can be generated by the command.
  • If you want to generate the hash with a class's help, the class AppSignatureHelper can do it. Remember to remove this class from your build before the production release.
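The rules in the list above can be enforced on the back end before a message is handed to the SMS gateway. The following is an added example, not code from the original article or from Google; the function names, the message wording, the hash-on-last-line layout, the UTF-8 byte count and the sample hash are all assumptions of this example.

```python
import re

PREFIXES = ("<#>", "\u200b\u200b")  # allowed message starts, per the list above
MAX_BYTES = 140                      # size limit, per the list above
HASH_LEN = 11                        # length of the app hash, per the list above
SAMPLE_HASH = "AbCdEfGhIjK"          # constructed placeholder, not a real app hash


def check_otp_sms(message, otp, app_hash):
    """Return the rules from the list above that `message` breaks (empty = OK)."""
    problems = []
    if not message.startswith(PREFIXES):
        problems.append("missing <#> or double zero-width-space prefix")
    # Count encoded bytes, not characters: non-ASCII text grows when encoded.
    size = len(message.encode("utf-8"))  # UTF-8 is an assumption of this example
    if size > MAX_BYTES:
        problems.append(f"message is {size} bytes, limit is {MAX_BYTES}")
    # The code must stand alone, not be part of a longer digit run.
    if not re.search(rf"(?<!\d){re.escape(otp)}(?!\d)", message):
        problems.append("one-time code not found as a standalone number")
    if len(app_hash) != HASH_LEN:
        problems.append(f"app hash must be {HASH_LEN} characters")
    elif app_hash not in message:
        problems.append("app hash not present in message")
    return problems


def build_otp_sms(otp, app_hash, app_name="ExampleApp"):
    """Compose the SMS and refuse to return one that breaks a rule."""
    # Wording and layout are hypothetical; only the rules come from the list.
    message = f"<#> Your {app_name} code is: {otp}\n{app_hash}"
    problems = check_otp_sms(message, otp, app_hash)
    if problems:
        raise ValueError("; ".join(problems))
    return message


if __name__ == "__main__":
    print(build_otp_sms("482913", SAMPLE_HASH))
    # A message without the required prefix is reported, not sent.
    print(check_otp_sms("Your code is 482913 " + SAMPLE_HASH, "482913", SAMPLE_HASH))
```

Rejecting a malformed message on the server surfaces the problem immediately, instead of as a timeout in the app's BroadcastReceiver.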

Here is some testing I have performed on a real device and the emulator:

  1. I tried testing the app through a fake SMS application, which fakes an SMS arriving under someone's name. It didn’t work for me, though. In the end the timeout fires in the BroadcastReceiver.
  2. I sent the SMS to myself on a real device and on the emulator, which worked for me, and I got the OTP message.

Above is the image of sending the SMS to myself and retrieving it on the same phone.

If you want the whole code, then here’s my GitHub repository.
Here’s the Google official page.

If this article helped you and you enjoyed it, then please share it and hit the claps as much as you like.

Thanks.
