Why might I be seeing a reCaptcha when doing Phone Auth?
Why does a web browser open up in Android when requesting an OTP using Flutter and Firebase, and what it has to do with Play Integrity API ? Will the web browser stop appearing when the app is published on the Google Play Store, and if so, why ?
Why might I be seeing a reCaptcha when doing Phone Auth?
An attestation request needs to be completed before a OTP SMS message is sent to prevent fraud and abuse of the OTP service. Previously, when using OTP with an application, it would use SafetyNet to complete the attestation request. As a fallback in the event that SafetyNet could not complete successfully, reCaptcha would be used in place of SafetyNet.
Recently, SafetyNet was announced for deprecation and the Play Integrity API would take its place.
The Play Integrity API combines several integrity verdicts for developers to attest that the device and application can be trusted. In the case of authentication with OTP flows, the integrity verdicts are device integrity and application integrity. Both of those verdicts need to succeed in order for a successful OTP SMS message to be sent to users. In order to run device integrity, it runs something on the device to confirm that the device is a genuine device. In order for a successful application verdict to be returned, the application needs to have a matching SHA-1 and SHA-256 certificate fingerprint to that which is listed in Google Play.
Important
If you are not deployed to Google Play, get your app from a different app store with a different key, or are using a debug version of the app, the device verdict may succeed, but the application verdict may fail. This will cause the app to fallback to reCaptcha attestation rather than Google Play.
How do I get the right certificates registered?
In order to get the right certificate fingerprints registered in the Firebase console, you can check whether or not you use Google Play Signing (most apps do) and grab those fingerprints from Google Play:
Then, match those fingerprints to those registered in the Firebase console:
If you are still seeing reCaptcha messages after setting Google Play Signing fingerprints in the Firebase Console, then I would use Peter's Asset Link tool to confirm that the locally deployed version of the app (on your phone) has matching fingerprints:
If the fingerprints all match, but you are getting an error message that:
This request is missing a valid app identifier, meaning that Play Integrity checks, SafetyNet checks, and reCAPTCHA checks were unsuccessful. Please try again or check the logcat for more details.
This could be due to a missing SHA-1 or SHA-256 certificate fingerprint from either Google Play Signing, Debug Key, or Upload Key.
If you get reCaptcha attestation, but no SMS message
If you are getting a reCaptcha, but no SMS message after following the steps to register all the certificate fingerprints above, then one last effort you may want to do is validate that you do not have an Application Restriction in place on your Android key for Firebase. Here is a sample of what the preferred application restrictions should look like:
The Android app when falling back to reCaptcha will reuse the API key found in the google-services.json file. Since you are falling back to reCaptcha, the browser that is being used on the users device will have a different certificate fingerprint than your application, and therefore will send that certificate fingerprint instead of your applications. Therefore, since its falling back and sending a different certificate fingerprint, likely not in the allowlist pictured, it would fail reCaptcha with an error message like the one seen previously in this answer.
WARNING
If you are currently using this API key for things outside of Firebase (other paid Google services), you could run into a potential abuse of your API key. Please consider creating separate API keys as outlined in this documentation. This is also called out specifically in the documentation here.
What version of AppCheck do I need?
AppCheck and Phone authentication are two separate products. Yes, Phone authentication does use Play Integrity to complete its attestation request, but it embeds Play Integrity within its package and AppCheck is an unnecessary step to enable Phone Auth. Having said that, adding AppCheck is always a good idea to boost the security of your application as it will provide attestation to your client requests to specific Firebase endpoints.
One thing to note
There was also recently an outage regarding Firebase Phone Auth and Play Integrity, but that has been resolved since posting this message.
- Android Studio's project gradle file changed?
- how to solve Execution failed for task ':app:compileFlutterBuildDebug'
- how to fix Kotlin Multiplatform Mobile gradle red error
- Transparent stickyHeader shows items behind
- How to show tooltip in android jetpack compose
- how to add an icon in Dismissible in flutter?
- What's the easiest way to force Idea to generate the R.Java file?
- Cannot display Data from my layout viewBinding
- Android Activity Not Found Exception and BroadcastReceiver
- Permission denied when executing binary files on android targetSdkVersion>28
- How to send one to one message using Firebase Messaging
- how to hide keyboard after typing in EditText in android?
- Executing commands as root on API 31 + / File system access
- None of the following functions can be called with the arguments supplied
- Disable keyboard on EditText
- React-Native Manifest merger failed with multiple errors
- Android Hardware Acceleration - to use or not to use?
- Android Canvas: drawing too large bitmap
- adb error (error: protocol fault (couldn't read status): Invalid argument)
- How to use GoogleAPIClient (deprecated) with SMSRetriver API in Android
- Installing two apk using one apk
- OutOfMemoryError while decoding and encoding Base64 String into Bitmap
- Critical security vulnerability in reCAPTCHA Enterprise
- Android: Notification Shows in Delay And Stops Updating When App Closed for 30 Seconds (on OnePlus 8T)
- what to do when the java.lang.illegalSateException (Module entity with name: .... should be available) occurs?
- How do I create a table in Jetpack Compose?
- Why are the received messages not showing up in the UI?
- Best way to perform a GET request without any other libraries
- Android custom textview
- How can i pass a HashMap to a react-native android callback?