Let's assume that my app doesn't send any device identifier to my server. But it uses Firebase for SMS authentication.
If a user logs in, then enables a VPN, reinstalls my app, and now tries to log in with a different phone number, how can I detect server-side that it's still the same device during the Firebase flow?
> But it uses Firebase for SMS authentication.
As far as I know, when you receive an SMS, there is no metadata present with which you can identify a device.
> If a user logs in, then enables a VPN, reinstalls my app, and now tries to log in with a different phone number, how can I detect server-side that it's still the same device during the Firebase flow?
Without writing something that uniquely identifies the device into a database and checking that unique value each time a user tries to sign in again, it's hard to know that. Even if you write hardware-based identifiers such as the IMEI, MAC address, serial number, etc., you cannot rely on that data for non-Google devices (except Pixels and Nexuses). The official documentation on best practices for Android identifiers clearly states:
> Avoid using hardware identifiers, such as IMEI, MAC address, etc...
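
The database check described in the answer above, as an added example that is not part of the original answer and not Firebase's own API: the server keeps a keyed hash of whatever identifier the client reports and returns the other phone numbers already seen with it. It assumes the client sends a `device_id` string alongside the verified phone number and that this value survives a reinstall; `open_store`, `device_hash`, `record_sign_in` and `SERVER_KEY` are hypothetical names.

```python
import hashlib
import hmac
import sqlite3

# Constructed demo key (assumption); a real server would load this from a secret store.
SERVER_KEY = b"constructed-demo-key"


def open_store():
    """Create an in-memory table linking keyed device hashes to phone numbers."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sign_ins (device_hash TEXT NOT NULL, phone TEXT NOT NULL, "
        "PRIMARY KEY (device_hash, phone))"
    )
    return db


def device_hash(device_id: str) -> str:
    """Keep only an HMAC of the identifier, so the table never holds the raw value."""
    return hmac.new(SERVER_KEY, device_id.encode("utf-8"), hashlib.sha256).hexdigest()


def record_sign_in(db, device_id: str, phone: str) -> list:
    """Record this sign-in; return other phone numbers already seen on the same device."""
    h = device_hash(device_id)
    rows = db.execute(
        "SELECT phone FROM sign_ins WHERE device_hash = ? AND phone != ? ORDER BY phone",
        (h, phone),
    ).fetchall()
    db.execute(
        "INSERT OR IGNORE INTO sign_ins (device_hash, phone) VALUES (?, ?)", (h, phone)
    )
    db.commit()
    return [row[0] for row in rows]


if __name__ == "__main__":
    store = open_store()
    # Constructed sample sign-ins: one device value used with two phone numbers.
    print(record_sign_in(store, "device-A", "+15550100"))
    print(record_sign_in(store, "device-A", "+15550101"))
    print(record_sign_in(store, "device-B", "+15550101"))
```

A non-empty return value means the reported identifier was previously tied to a different phone number; what the server does with that signal is a policy decision outside this example.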