I have the app deployed on the play store. The SHA1 and SHA256 are added in the firebase project settings. I'm using phone authentication to receive the OTP for the app. The message comes in the following format:
123456 is your verification code for APP_NAME.
LghSMNBa+V
Why is the random sting appearing? The code gets verified and it works fine but I don't want the random string to be sent along with the message.
Finally, I received a response from the Firebase Team. It was as follows:
Thanks for reaching out! This is Estefani and I’ll take care of this
case.
On some devices, Google Play services can automatically detect the
incoming verification SMS and perform verification without user
action. This uses the SMS Retriever API, which includes an 11
character hash at the end of the SMS message. Unfortunately, it is not
possible to change this behavior and the only thing I could do is
submit a feature request on your behalf so this behavior can be
removed, but even if I do there is no way to tell if it is going to be
implemented or not and even if it gets accepted it may take time to be
completed.
The issue appears to be rather Google Play Services-related than it would be Firebase-related. Besides, it is unclear how you output the String, as no code to reproduce had been provided.
The template string can be defined in Authentication > Templates > SMS Verification, where the default template string is: %LOGIN_CODE% is your verification code for %APP_NAME%.. No clue why it displays (likely some) ID, but one can simply split the string with message.split(".")[0].Index [1] may be an execution ID, which's log can be found in the GCP Log Explorer
When it displays APP_NAME as a placeholder, you may first have to upload your application to Google Play Console, I'd guess at least into an internal testing track (requires a review). The scenario appears similar to in-app products not being visible unless having the app published.
For reference: https://play.google.com/console/about/internal-testing
Related
The below error is encountered when an app APK update is pushed to google play developer console. The have rejected the app update because of this. The app does not send out any information and is completely offline.
It uses google location API for getting and storing approximate location (stored only in device and not transmitted anywhere outside)
It uses a send log functionality for any crashes manually. User is given a choice to send an email and the crash log is attached with the email to developer. This is also not automatic and is controlled by user.
No data is sent from the app to external APIs or systems and the app is completely offline.
Can anyone point me in the right direction on what needs to be done so that the google data safety won't trigger this issue?
If you have already submitted Data Safety Form. I suggest to review your Data safety Form & Try updating answers for every cases mentioned in the issue reported by Google Play Policies
If you are passing data to any analytics platform from your app using their APIs.
Select Yes in this section:
If your app is offline & you are collecting any data from User,
Make sure you tick all the details collected by you in app from the User.
For Example: If you are colecting/sharing Name,Age & Email Address of your User. You need to tick mark all the checkboxes shown under Data Safety Form > Data Types > Personal Details Section
Hope it will help you!
I'm using Firebase Phone Auth to identify the user, the sms is received but I need to change the SMS sender name (Not the template) in mobile, is there anyway to change the sender name or the messaging service?
The sms is received like:
Phonecode
106109 is your verification code for MyAppName
what I need is:
MyAppName
106109 is your verification code MyAppName
As for now, We simply can't change the template nor sender name/number. We can only see in which template user will get SMS.
Additional Info:
Until your app gets live, your format will be *%LOGIN_CODE% is your verification code.
After upload app on google-play-store, format will be %LOGIN_CODE% is your verification code for %APP_NAME%.
the app name displayed in the SMS can't be changed manually (neither can you modify the template).
The app name is retrieved from the play store/app store once the app is live in the store.
This wasn't 100% clear to me after reading Rumit's answer.
here is the response from the firebase support about this matter:
The SMS messages draw the app's name from the App Store / Play Store.
Once an app is published, the correct name should start appearing.
There may be a small delay (a week or two at most). So, this is an
expected behavior if you published the app a few days ago.
But if the app is published and you are still not able to see the
app's name, it's possible that someone else has registered the user's
App's Application ID (Usually the same as the Package Name - for
instance, com.example.myapp) on the Play Store with a different name
(which is the name shown as the %APP_NAME% value on the SMS template).
Firebase pulls %APP_NAME% from the Play Store based on this
Application ID.
Since Application IDs in Google Play must be unique, you can't use an
ID that is already taken by someone else.
To fix this, you can change your Application ID and register the new
one in the package name field in the Firebase Console.
This is the response I got from Firebase support team as of March 19, 2021.
hi am also using firebase messages for send otp on mobile numbers. I also want to show my app name in text message but there is a firebase document that you can't change body of message in firebase. You can select the language from the Firebase console, however this is a per project setting and you can't modify the templates.
Go to Firebase>Authentication>Templates>Password Reset> Put %APP_NAME%
I have added firebase phone authentication to my android app.
It worked well, but the the app name is not included in the sms verification message as it appears in the sms template in the firebase console:
(%LOGIN_CODE% is your verification code for %APP_NAME%.).
The message I receive looks like:
(%LOGIN_CODE% is your verification code)
I have this problem for both debug and release versions of my app.
So, how to add the app name to this message.
I believe they get the app name corresponding to your Android package name from the Google Play Store. So until your app is on the Play Store, they won't be able to show the app name in the SMS message.
It was by Firebase. Maybe they were testing this new feature.
Thanks to all.
I'm making a Cordova 4.0 Android app that will be sold in Google Play, and I would like to prevent illegal use of it (for example preventing someone to extract the APK from the system and re-distributing it).
One theoretical way of doing this would be by checking that when the app is launched by the user, he did actually download it from Google Play (versus being it sideloaded). I'm not even sure if this is possible or if there's an alternate way of doing something like this.
One way that works in other cases is to use require some sort of login when accessing the app, but in this case I can't do that. Any advice would be appreciated!
Google offers a way to implement validation / licensing:
http://developer.android.com/google/play/licensing/index.html
Take a look if this is what you need!
One suggestion would be for those apps which are get connected to a server to fetch some data.
App verification token
Generate an encoded 64-bit long token and store on both device & server as well. This will be a unique token per app
Whenever app tries to connect to server, it sends the device token details. Server needs to verify it before fulfilling its request.
On specific events, server can generate a new token for a device.
Same way, device token can be mapped to a user or an app on the server side.
Token could carry some app related information, for instance.
first 4 or 6 digits represent app size
second block of digits could represent user specific or device or some other details
Or another block could hold app contents modification date
In case of any change, server could verify the app size, last app contents modification dates, etc.
Generally it is recommended to uglify, obfuscate and minimize app resources before submission.
You can use the package manager class to determine the source of an app (only google or amazon currently detected)
You can similarly use google analytics which gives same information.
This is pretty neat since Android stores the source of every package, allowing apps to know where they came from, to prevent piracy and sideloading.
Great if you always publish to google or amazon. Useless if you sideload your app.
We run a web application with a Java Script- and an Android front end. We use Google IDs with OAuth for authentication. Everything worked find until today authenticaiton suddenly stopped working. There was no new software version deployed or any operational changes. Now, when a user tries to log on via the browser application, Google issues
401. That’s an error.
Error: disabled_client
The OAuth client was disabled.
Request Details
scope=openid profile email
response_type=code
redirect_uri=https://***.net/signin-google
state=***
client_id=******.apps.googleusercontent.com
That’s all we know.
When logging in via Android App, authentication fails too, GoogleAuthUtil.getToken raises an unspecific exception.
I couldn't find much information when googling for this error message. Some say, one should try to change the application name in the consent screen. This didn't help in my case.
In developer console I noticed, that I cannot create a new Client ID for this project. I always get a technical error ("Server Error Whoops! Our Bad.") with a tracking number. Seems to be related.
I have a total of 7 Client IDs registered for this project and 3 public API access keys.
Is it possible, that Google explicitly disabled our project? That's how it actually feels. For what reason? I didn't get any notification. Our product is an application for access control, nothing special or illegal here.
Any ideas? This is a production environment, so for us the problem is absolutely severe.
Thanks for any help!
In the meantime we found out, that our Android App was removed from the Play Store and we got following notification:
This is a notification that your application, <...>, with package ID <...>, has been removed from the Google Play Store.
REASON FOR REMOVAL: Violation of the Personal and Confidential Information provision of the Content Policy.Please refer to the policy help article for more information.
We don't allow unauthorized publishing or disclosure of people's private and confidential information, such as credit card numbers, government identification numbers, driver's and other license numbers, non-public contacts, or any other information that is not publicly accessible.
We are very careful about the data inside our application and we take privacy and security extremely seriously as the hole app is about security and our customer's trust is absolutely essential. However, we recently introduced a feature that periodically sends the LogCat output to our servers for debugging reasons. Our app is in an early preview state which we make clear in the app description. It's used by a very limited number of people as it can only be used with a special piece of hardware we provide. The LogCat output only contains data from the app itself, no confident data of any kind. We published a couple of related apps and not all have the feature even included but all were suspended. However, we guess that this feature is the reason for removing.
Edit
In the meantime we wrote an appeal via the form provided on Google Play. The ban was removed from Google Play and the related Google OAuth Client shortly after.
We were informed, that our App collects names of running tasks and sends them to our servers, which is not the case. However, we used the crittercism library and the crittercism docs suggest to require the "GET_TASKS" permission, what we did. I don't think, that Crittercism is considered as dangerous as it's used by lots of applications. But maybe the combination of a Logging Service on the one hand and the GET_TASKS permission on the other hand, although not dangerous in our case, triggered some automatic rules at Google.
To fix this we simply removed Crittercism and all related permission requirements as it wasn't very useful for us anyways.