9

Is there a way to disable Android "instant verification" (automatically signing in) with Firebase Phone Auth? There is a way to disable "auto-retrieval" by setting the timeout of verifyPhoneNumber to 0 (Reference: https://firebase.google.com/docs/reference/android/com/google/firebase/auth/PhoneAuthProvider.html). However I cannot find a documented way to disable instant verification.

I am asking because of a potential security issue: removing the SIM card from a device still auto-signs in that user! In other words, a user using another person's old device could be able to sign in using their old phone number. Here are the reproduction steps:

  • Be on Android, on a device with a functional SIM card
  • Sign in using the number associated with that SIM card
  • This triggers auto-sign-in
  • Sign out
  • Turn device off and remove SIM card
  • Turn device back on and attempt signing in with that same number

Observed behavior: The user is auto-signed in, despite not having the appropriate SIM card

Expected behavior: If the user's device does not have a SIM card that is associated with the entered phone number, they are not auto-signed-in and an SMS text message is sent to that number.

ian
  • Sign out from your Google account from the device with the removed SMS text message and then try again. – bojeil Jul 28 '17 at 04:27
  • Signing out did not work. I had to wipe the device with a factory reset to make it work. (Tested on Samsung Galaxy Grand Prime) – ian Jul 28 '17 at 13:35

5 Answers

9

Update: 11.5.09 should have reached almost all users' devices. Instant validation will be stopped after a SIM card change. And you can also use this trick for manual testing purposes.


In an upcoming Google Play services v11.5 release scheduled for late Q3, SIM card change will be auto-detected which will stop instant validation from working. The new release will be auto-pushed to users' devices and no SDK change is required.

To get the best UX and opt-in rate, it's better to wait for the Play services update rather than adding the scary runtime permission yourself (to read and compare phone number). Thanks for your patience!

Isabella Chen
4

Unfortunately it seems that there isn't a way to disable Instant Verification at the moment.

After asking the devs to add this feature (actually for a different reason), I was told that it will be added to the feature request.

Perhaps you should add a comment there too, specifying your security findings. Maybe it will speed up the process of adding this feature :)

Barak
2

Not sure when this feature was added, but you can actually add a fake phone number and expected verification code which will override the auto verification: [screenshot]

SUPERCILEX
0

You can get the phone number in use on the device like this:

import android.content.Context;
import android.telephony.TelephonyManager;
TelephonyManager tMgr = (TelephonyManager) mAppContext.getSystemService(Context.TELEPHONY_SERVICE);
String mPhoneNumber = tMgr.getLine1Number(); // may be null or empty when the carrier does not provision it

and add the required permission:

<uses-permission android:name="android.permission.READ_PHONE_STATE"/> 

Get the phone number from FirebaseAuth like this:

String number = FirebaseAuth.getInstance().getCurrentUser().getPhoneNumber();

Compare the two; if they match, carry on, else send the SMS using Twilio or a similar service.

Oussema Aroua
  • What would you put in that Twilio SMS? Firebase Phone Auth controls the verification codes. Do you mean have two authentication mechanisms? That sounds like a huge pain. The reason we went with Firebase Phone Auth was so that we didn't have to write our own custom Auth. – ian Jul 27 '17 at 17:10
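The comparison this answer describes, written out as an added example (not code from the answer or from Firebase): it treats an unreadable or empty SIM number as a mismatch and, instead of a separate Twilio SMS, simply signs the user out so Firebase's own SMS verification runs again. The class name SimNumberGuard and its helpers are assumptions for illustration.

```java
// Added example, not from the answer above. Assumes both the SIM number and the
// Firebase account number carry a country code; a carrier that returns an empty or
// national-format line number will fail the check and fall back to SMS verification.
import android.Manifest;
import android.content.Context;
import android.content.pm.PackageManager;
import android.telephony.TelephonyManager;
import androidx.core.content.ContextCompat;
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseUser;

public final class SimNumberGuard {

    /** Keeps only digits so "+1 (555) 010-1234" and "15550101234" compare equal. */
    static String digitsOnly(String s) {
        return s == null ? "" : s.replaceAll("[^0-9]", "");
    }

    /** True only when a SIM number is readable and equals the Firebase number digit for digit. */
    static boolean numbersMatch(String simNumber, String firebaseNumber) {
        String a = digitsOnly(simNumber);
        String b = digitsOnly(firebaseNumber);
        if (a.isEmpty() || b.isEmpty()) return false; // no SIM, unprovisioned line 1, or no phone on the account
        return a.equals(b);
    }

    /** Line-1 number from the SIM, or null when the permission is missing or the carrier hides it.
     *  READ_PHONE_STATE is what the answer names; newer Android releases gate getLine1Number
     *  behind READ_PHONE_NUMBERS instead, so check the platform docs for your target SDK. */
    static String readSimNumber(Context ctx) {
        if (ContextCompat.checkSelfPermission(ctx, Manifest.permission.READ_PHONE_STATE)
                != PackageManager.PERMISSION_GRANTED) {
            return null;
        }
        TelephonyManager tm = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        return tm == null ? null : tm.getLine1Number();
    }

    /** Call right after sign-in. Returns true if the SIM backs the signed-in number;
     *  otherwise signs the user out so the normal SMS code flow has to be completed. */
    static boolean enforceSimMatchesAccount(Context ctx, FirebaseAuth auth) {
        FirebaseUser user = auth.getCurrentUser();
        if (user == null) return false;
        if (numbersMatch(readSimNumber(ctx), user.getPhoneNumber())) return true;
        auth.signOut();
        return false;
    }
}
```

Because many carriers return nothing from getLine1Number, this check produces false mismatches for legitimate users on such networks, which is the UX cost the accepted answer warns about.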
-1

No need to change SIM Card!!!!

In order to get the OTP/code multiple times for testing, just put this code in onCreate of your activity. You will get a code; now uninstall the app and verify again, and you will get a new code. It will not instant-validate.

If you are still not able to do that, I will share my full activity code!!

PhoneAuthProvider.getInstance().verifyPhoneNumber(
        phoneNumber,        // Phone number to verify
        60,                 // Timeout duration
        TimeUnit.SECONDS,   // Unit of timeout
        this,               // Activity (for callback binding)
        mCallbacks);        // OnVerificationStateChangedCallbacks

mVerificationInProgress = true;