How to disable Firebase Phone Auth Android auto-sign-in (onVerificationCompleted callback)

Is there a way to disable Android "instant verification" (automatically signing in) with Firebase Phone Auth? There is a way to disable "auto-retrieval" by setting the timeout of verifyPhoneNumber to 0 (Reference: https://firebase.google.com/docs/reference/android/com/google/firebase/auth/PhoneAuthProvider.html). However, I cannot find a documented way to disable instant verification.

I am asking because of a potential security issue: removing the SIM card from a device still auto-signs in that user! In other words, a user using another person's old device would be able to sign in using their old phone number. Here are the reproduction steps:

  • Be on Android, on a device with a functional SIM card
  • Sign in using the number associated with that SIM card
  • This triggers auto-sign-in
  • Sign out
  • Turn device off and remove SIM card
  • Turn device back on and attempt signing in with that same number

Observed behavior: The user is auto-signed in, despite not having the appropriate SIM card.

Expected behavior: If the user's device does not have a SIM card that is associated with the entered phone number, they are not auto-signed in and an SMS text message is sent to that number.

ian asked Jul 27 '17 16:07
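As an added example (not code from the question or from Firebase itself) of the two automatic paths the question distinguishes: the 0-second timeout on verifyPhoneNumber turns off SMS auto-retrieval, while a credential arriving in onVerificationCompleted is the instant-verification path the question cannot disable. The class name, the logging, and the assumption that getSmsCode() is null for instant verification are mine; the five-argument verifyPhoneNumber form is the one from the linked 2017 reference.

```java
import android.app.Activity;
import android.util.Log;
import com.google.firebase.FirebaseException;
import com.google.firebase.auth.PhoneAuthCredential;
import com.google.firebase.auth.PhoneAuthProvider;
import java.util.concurrent.TimeUnit;

// Added example: phone sign-in that only accepts a code the user typed, and flags
// instant-verification credentials instead of signing in with them.
public class ManualCodeEntryVerifier {
    private static final String TAG = "PhoneAuth";
    private String pendingVerificationId; // set by onCodeSent, used for the typed code

    public void start(Activity activity, String e164Number) {
        // A 0-second timeout disables SMS auto-retrieval (the documented knob from the
        // question). It does NOT disable instant verification: onVerificationCompleted can
        // still deliver a credential for a number this device verified earlier.
        PhoneAuthProvider.getInstance()
                .verifyPhoneNumber(e164Number, 0, TimeUnit.SECONDS, activity, callbacks);
    }

    private final PhoneAuthProvider.OnVerificationStateChangedCallbacks callbacks =
            new PhoneAuthProvider.OnVerificationStateChangedCallbacks() {
                @Override
                public void onVerificationCompleted(PhoneAuthCredential credential) {
                    // Assumption: getSmsCode() is non-null only when a code was auto-retrieved
                    // from an SMS on this device, and null for instant verification.
                    if (credential.getSmsCode() == null) {
                        // Instant verification: no SMS was sent, so there is no code to type.
                        // Signing in here is exactly the behaviour the question reports.
                        Log.w(TAG, "Instant verification credential ignored; not auto-signing in");
                        return;
                    }
                    Log.i(TAG, "Auto-retrieved code received despite 0s timeout; ignoring");
                }

                @Override
                public void onVerificationFailed(FirebaseException e) {
                    Log.e(TAG, "Verification failed", e);
                }

                @Override
                public void onCodeSent(String verificationId,
                                       PhoneAuthProvider.ForceResendingToken token) {
                    pendingVerificationId = verificationId; // now prompt the user for the code
                }
            };

    /** Credential for FirebaseAuth.signInWithCredential() built from the code the user typed. */
    public PhoneAuthCredential credentialFromTypedCode(String code) {
        if (pendingVerificationId == null) {
            throw new IllegalStateException("No SMS verification in progress");
        }
        return PhoneAuthProvider.getCredential(pendingVerificationId, code);
    }
}
```

Because instant verification sends no SMS, ignoring that credential leaves the user with no code to enter, so this only detects the case rather than restoring an SMS challenge; that is why the answers point to the Play services fix rather than an app-side workaround.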

2 Answers

Update, 11.5.09 should have reached almost all users' devices. Instant validation will be stopped after a SIM card change. And you can also use this trick for manual testing purposes.


In an upcoming Google Play services v11.5 release scheduled for late Q3, SIM card change will be auto-detected which will stop instant validation from working. The new release will be auto-pushed to users' devices and no SDK change is required.

To get the best UX and opt-in rate, it's better to wait for the Play services update rather than adding the scary runtime permission yourself (to read and compare phone number). Thanks for your patience!

Isabella Chen answered Sep 28 '22 08:09

Unfortunately it seems that there isn't a way to disable Instant Verification at the moment.

After asking the devs to add this feature (actually for a different reason), I was told that it will be added to the feature request.

Perhaps you should add a comment there too, specifying your security findings. Maybe it will speed up the process of adding this feature :)

Barak answered Sep 28 '22 08:09