Flutter/Firebase verifyPhoneNumber() on Android always calls recaptcha "Verifying you're not a robot"

What configuration do I need to make, and where, for Android to stop reCAPTCHA as part of the Firebase verifyPhoneNumber() flow?

See screen recording.

Before the robots verification in browser opens, this is logged: "SafetyNet Attestation fails basic integrity".

I've verified the following:

  1. Enabled Android Device Verification for my project. However, that did nothing.
  2. Removed Firebase Analytics and other dependencies as many SO posts suggest, but still to no avail.
  3. I had already added my SHA1, but also added my SHA256 to Firebase project settings.
  4. To rule out some kind of dependency issue in my app, I created a brand new bare-bones Flutter app with zero dependencies other than Firebase Core and Auth and the typical setup required for Firebase in Flutter. The same thing happens (screen recording).
  5. Update - possible answer here: The docs state: "reCAPTCHA verification: In the event that SafetyNet cannot be used, such as when the user does not have Google Play Services support, or when testing your app on an emulator, Firebase Authentication uses a reCAPTCHA verification to complete the phone sign-in flow." I guess it is working according to the docs, but there are plenty of posts on SO where users state they've been able to overcome this even in the emulator.

This app is not published to Google Play, just testing in Emulator and on physical Android devices.

Something changed in Firebase, but I can't find any documentation stating how to overcome recaptcha on Android for Firebase verifyPhoneNumber().

After the recaptcha returns, codeSent returns and the other verifyPhoneNumber() params work just fine.

await FirebaseAuth.instance.verifyPhoneNumber(
  phoneNumber: '$_countryCode$_phoneNumber',
  verificationCompleted: (PhoneAuthCredential credential) {
    print('verificationCompleted');
  },
  verificationFailed: (FirebaseAuthException e) {
    print('verificationFailed');
  },
  codeSent: (String verificationId, int resendToken) {
    print('codeSent');
  },
  codeAutoRetrievalTimeout: (String verificationId) {
    print('codeAutoRetrievalTimeout');
  },
);

asked Oct 14 '22 21:10

Zelf


2 Answers

Firebase Phone Auth has been updated since I last used it.

The docs state:

reCAPTCHA verification: In the event that SafetyNet cannot be used, such as when the user does not have Google Play Services support, or when testing your app on an emulator, Firebase Authentication uses a reCAPTCHA verification to complete the phone sign-in flow.

It was surprising to me to see the reCAPTCHA after not having seen it prior and so I thought I had some settings incorrect somewhere.

Just a good safety feature and works seamlessly with Firebase Phone Auth.

answered Oct 18 '22 14:10

Zelf
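
For emulator and integration testing, the reCAPTCHA fallback described in the answer above can be skipped with fictional test numbers. The following is an added example, not code from the question or answers; it assumes a null-safe firebase_auth release, and the helper name, phone number and SMS code are constructed placeholders that must match a test number registered for the project in the Firebase console.

```dart
import 'dart:async';

import 'package:firebase_auth/firebase_auth.dart';
import 'package:flutter/foundation.dart' show kDebugMode;

// Constructed sample values (assumption): they must match a fictional test
// number and code registered for the project in the Firebase console.
const testPhoneNumber = '+16505553434';
const testSmsCode = '123456';

/// Hypothetical helper: completes phone sign-in on an emulator without the
/// SafetyNet check or the reCAPTCHA fallback. Throws in release builds so
/// app verification is never switched off for real users.
Future<UserCredential> signInWithTestNumber() async {
  if (!kDebugMode) {
    throw StateError('App verification can only be disabled in debug builds');
  }
  final auth = FirebaseAuth.instance;
  // Must be called before verifyPhoneNumber(). Real phone numbers cannot
  // complete sign-in while this setting is on.
  await auth.setSettings(appVerificationDisabledForTesting: true);

  final result = Completer<UserCredential>();
  var started = false;
  Future<void> finish(PhoneAuthCredential credential) async {
    if (started) return; // only the first callback signs in
    started = true;
    try {
      final user = await auth.signInWithCredential(credential);
      if (!result.isCompleted) result.complete(user);
    } on FirebaseAuthException catch (e) {
      if (!result.isCompleted) result.completeError(e);
    }
  }

  await auth.verifyPhoneNumber(
    phoneNumber: testPhoneNumber,
    verificationCompleted: finish,
    verificationFailed: (FirebaseAuthException e) {
      if (!result.isCompleted) result.completeError(e);
    },
    // Null-safe firebase_auth declares the resend token as int?.
    codeSent: (String verificationId, int? resendToken) {
      finish(PhoneAuthProvider.credential(
          verificationId: verificationId, smsCode: testSmsCode));
    },
    codeAutoRetrievalTimeout: (String verificationId) {},
  );
  return result.future;
}
```

Production builds should leave this setting off so that real sign-ins still go through SafetyNet or the reCAPTCHA fallback.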


Another thing to note is that this problem still occurs on a real device when Android Device Verification is not enabled in Google Cloud Platform.

The docs state:

In the Google Cloud Console, enable the Android DeviceCheck API for your project. The default Firebase API Key will be used, and needs to be allowed to access the DeviceCheck API.

answered Oct 18 '22 14:10

D. Ndungu