SMS Retriever API How to retrieve SMS sender Number

Question

Is it possible to get the Mobile Number of SMS that I have received in android? We are trying to authenticate the user's mobile number by sending SMS and getting it from the operator, but the next steps involved authenticating by reading the SMS. The problem that we are facing is, if I send the same message from any other mobile device, there is no way of authenticating the originating SMS number. It blindly reads the SMS.

Answer 1

Getting the sender's mobile number using SMS Retriever API would be a nice option to have in order to avoid the false SMS retrieval. But unfortunately, you cannot get the sender's mobile number for the SMS that you've retrived using this API as of now. This feature may come in future releases.

But if you're already having OTP verification mechanism, there's nothing to worry because...

1. SMS Retriever API has already some authorization mechanism which reduces the possibility of such false SMS retrieval cases. For example, All the SMS which are read using SMS Retrieval API are having an 11-character hash string that identifies your app. Not everyone knows your app's hash string, hence the possiblity of getting an unauthorized SMS is very very low.
2. Even if you get a falsely crafted SMS which is sent by unauthorized party, the OTP you'll get from it won't be valid, hence there's no chance of unauthorized verification.

BONUS

Google has also released a new API called SMS User Consent API, which has the capabilities to auto fill the OTP with One Tap. Luckily, this API also offers sender's mobile number filtering. Meaning, if your SMS provider sends you SMS from a specific mobile number, you can specify it in your code and it'll read SMS received only from that mobile number.

Reference:

SMS Retriever API: https://developers.google.com/identity/sms-retriever/overview

SMS User Consent API: https://developers.google.com/identity/sms-retriever/user-consent/overview