The SMS Retrieve API allows mobile apps to automatically retrieve verification codes sent via SMS without requiring full SMS permissions. It works by having the app send a hash string associated with the app along with the verification message. When the user receives the SMS, the API detects the hash string and returns the verification code to the app without needing to read other SMS messages. This improves user experience by auto-filling verification codes and is more secure than requiring SMS permissions.

1. SMS Retrieve API

2. SMS Retrieve API
“Verify your users by SMS without making them deal with
verification codes. By using the SMS Retriever API, your app
can automatically retrieve verification codes intended for
your app, without having to request full SMS reading
permissions.”
• SMS permission is dangerous
https://developers.google.com/identity/sms-retriever/

4. App side Backend side
User’s phone
SMS
One-time code verified

5. Retrieve user’s phone

6. Prerequisite - dependencies
implementation 'com.google.android.gms:play-services-base:16.0.1'
implementation 'com.google.android.gms:play-services-identity:16.0.0'
implementation 'com.google.android.gms:play-services-auth:16.0.1'
implementation 'com.google.android.gms:play-services-auth-api-phone:
16.0.0'
implementation 'com.google.android.gms:play-services-basement:16.2.0'

7. Retrieve user’s phone
- fire request to play-service
val googleApiClient = GoogleApiClient.Builder(this)
.addApi(Auth.CREDENTIALS_API)
.build()
val hintRequest = HintRequest.Builder()
.setPhoneNumberIdentifierSupported(true)
.build()
val intent = Auth.CredentialsApi.getHintPickerIntent(
googleApiClient,
hintRequest
)
startIntentSenderForResult(intent.intentSender,
RESOLVE_HINT,
null,
0,
0,
0)

8. Retrieve user’s phone
- receive data from play-service
override fun onActivityResult(requestCode: Int, resultCode: Int, data:
Intent?) {
super.onActivityResult(requestCode, resultCode, data)
// Skip result checking code
val credential:Credential =
data!!.getParcelableExtra(Credential.EXTRA_KEY)
credential.getId() // <-- will need to process phone number string
}

9. SMS

10. SMS example
<#>
Your ExampleApp code is: 123ABC78
FA+9qCX9VSu

11. Send SMS back to user
• Message must
• Format
• <#> [your message] [11-character hash string that identifies
your app]
• Be no longer than 140 bytes

12. SMS - hash string
• https://github.com/googlesamples/android-credentials/blob/
master/sms-verification/android/app/src/main/java/com/google/
samples/smartlock/sms_verify/AppSignatureHelper.java

13. Verify SMS

14. Verify SMS
1. Start the SMS retriever
2. Receive verification messages

15. Verify SMS
- Start the SMS retriever
val client = SmsRetriever.getClient(this)
val task = client.startSmsRetriever()
task.addOnSuccessListener {
updateStatus("waiting")
}
task.addOnFailureListener {
updateStatus("fail")
}

16. Verify SMS
- Receive verification messages (1/2)
class MySMSBroadcastReceiver : BroadcastReceiver() {
override fun onReceive(context: Context, intent: Intent) {
if (SmsRetriever.SMS_RETRIEVED_ACTION == intent.action) {
val extras = intent.extras
val status = extras!!.get(SmsRetriever.EXTRA_STATUS) as Status
when (status!!.statusCode) {
CommonStatusCodes.SUCCESS -> {
val message = extras.get(SmsRetriever.EXTRA_SMS_MESSAGE)
as String
// <#> Your ExampleApp code is: 123ABC78
// FA+9qCX9VSu
}
CommonStatusCodes.TIMEOUT -> {
// Handle the error ...
}
}
}
}
}

17. Verify SMS
- Receive verification messages (2/2)
<receiver android:name=".MySMSBroadcastReceiver" android:exported="true">
<intent-filter>
<action
android:name="com.google.android.gms.auth.api.phone.SMS_RETRIEVED"/>
</intent-filter>
</receiver>

18. SMS retriever API

19. • No more SMS permission require
• https://play.google.com/about/privacy-security-
deception/permissions/
• Auto-fill OTP