I built a one-tap consent OTP-verification for my Android app as per: https://developers.google.com/identity/sms-retriever/user-consent/request
The only difference in my code is that I changed

    override fun onCreate(savedInstanceState: Bundle?) {
        // ...
        val intentFilter = IntentFilter(SmsRetriever.SMS_RETRIEVED_ACTION)
        registerReceiver(smsVerificationReceiver, SmsRetriever.SEND_PERMISSION, intentFilter)
    }

in the article, to:

    // ...
    val intenetFilter = IntentFilter(SmsRetriever.SMS_RETRIEVED_ACTION)
    registerReceiver(smsBroadcastReceiver, intenetFilter)

I removed the SmsRetriever.SEND_PERMISSION because I get a type mismatch error as shown in the image. This may be because Google states here that "This permission setting is available in Google Play services version 19.8.31 or higher."
However, I am using

    implementation 'com.google.android.gms:play-services-auth:19.2.0'
    implementation 'com.google.android.gms:play-services-auth-api-phone:17.5.1'

in my build gradle. I don't think there is a 19.8.31 version of play-services-auth available for download yet.
So then I tried another way by adding the following permission for my broadcast receiver in my android manifest:

    <receiver
        android:name=".ui.otpVerification.SmsBroadcastReceiver"
        android:exported="true"
        android:permission="com.google.android.gms.auth.api.phone.permission.SEND">
        <intent-filter>
            <action android:name="com.google.android.gms.auth.api.phone.SMS_RETRIEVED" />
        </intent-filter>
    </receiver>

And I thought this would solve the intent vulnerability issue because I am setting the SEND_PERMISSION permission for my receiver, as mentioned in https://support.google.com/faqs/answer/9267555
However, when I created a new release and submitted it for review, I still got the same notification returning an Intent Redirection Vulnerability. Is there anything that I am doing incorrectly? Anything else I need to consider?
I added the following instead and it worked.

    // ...
    val intenetFilter = IntentFilter(SmsRetriever.SMS_RETRIEVED_ACTION)
    registerReceiver(smsBroadcastReceiver, intenetFilter, SmsRetriever.SEND_PERMISSION, null)

Didn't need to do anything on Android Manifest. Only changed the line above.
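
The registration from the answer above, combined with a check on the nested consent intent before it is launched, as an added example that is not code from either post or from Google's guide. `OtpActivity`, `SMS_CONSENT_REQUEST` and `GMS_PACKAGE` are hypothetical names, and the example assumes the consent screen is an activity in the Google Play services package `com.google.android.gms`.

```kotlin
import android.app.Activity
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.os.Bundle
import com.google.android.gms.auth.api.phone.SmsRetriever
import com.google.android.gms.common.api.CommonStatusCodes
import com.google.android.gms.common.api.Status

private const val SMS_CONSENT_REQUEST = 2                 // hypothetical request code
private const val GMS_PACKAGE = "com.google.android.gms"  // assumption: owner of the consent UI

class OtpActivity : Activity() {                          // hypothetical activity name

    private val smsBroadcastReceiver = object : BroadcastReceiver() {
        override fun onReceive(context: Context, intent: Intent) {
            if (intent.action != SmsRetriever.SMS_RETRIEVED_ACTION) return
            val extras = intent.extras ?: return
            val status = extras.get(SmsRetriever.EXTRA_STATUS) as? Status ?: return
            if (status.statusCode != CommonStatusCodes.SUCCESS) return
            val consent = extras.getParcelable<Intent>(SmsRetriever.EXTRA_CONSENT_INTENT) ?: return

            // Defence in depth: launch the nested intent only if it resolves to
            // Play services and does not ask us to grant URI permissions.
            val target = consent.resolveActivity(packageManager) ?: return
            val grants = Intent.FLAG_GRANT_READ_URI_PERMISSION or Intent.FLAG_GRANT_WRITE_URI_PERMISSION
            if (target.packageName != GMS_PACKAGE || (consent.flags and grants) != 0) return
            startActivityForResult(consent, SMS_CONSENT_REQUEST)
        }
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        SmsRetriever.getClient(this).startSmsUserConsent(null) // null: any sender
        // Third argument: only senders holding SEND_PERMISSION (Play services)
        // can deliver this broadcast, so other apps cannot inject a consent intent.
        val filter = IntentFilter(SmsRetriever.SMS_RETRIEVED_ACTION)
        registerReceiver(smsBroadcastReceiver, filter, SmsRetriever.SEND_PERMISSION, null)
    }

    override fun onDestroy() {
        unregisterReceiver(smsBroadcastReceiver)
        super.onDestroy()
    }
}
```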