Android O will Improve SMS Authentication for Apps


Each new version of Android brings some major changes to the platform, but there are also a ton of minor changes that aren’t nearly as publicized. One such change coming to Android O is an improvement in the way SMS authentication is done by applications. Android O introduces a dedicated API that applications can use to retrieve verification codes sent through SMS, so applications will no longer have to request the SMS permission.

SMS Authentication in Android O

In order to appreciate this subtle change, let’s recap how applications use SMS for authentication prior to Android O. Certain applications (primarily messaging ones) ask you to verify your phone number by entering a verification code. You can either enter this time-sensitive code manually or grant the application the permission to read your SMS messages so it can automatically find and enter the code for you.

The problem with this solution is two-fold. For starters, many applications never really need to read your SMS messages outside of this context, so it seems unnecessary to grant them permission to read your entire SMS history. Second, these one-time SMS verification codes add needless clutter to your messaging inbox.

By introducing an API, Android O will solve both of these issues. Applications can now indicate to the system that they are expecting to receive an SMS verification code shortly. They do this by creating a PendingIntent and passing it to the createAppSpecificSmsToken method, which the documentation describes as follows:

Create a single use app specific incoming SMS request for the calling package. This method returns a token that if included in a subsequent incoming SMS message will cause intent to be sent with the SMS data. The token is only good for one use, after an SMS has been received containing the token all subsequent SMS messages with the token will be routed as normal. An app can only have one request at a time, if the app already has a request pending it will be replaced with a new request.

When the PendingIntent is created, Android will start looking at any incoming SMS for a particular 11-character token. When the SMS containing the token is received, this method sends the token directly to the application without the application ever reading an SMS. The SMS that contains the token is never sent into the inbox while this PendingIntent is active. Only once Android has sent the Intent to the requesting app will subsequent SMS messages be routed back into the user’s inbox.
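The flow described above, sketched as an added example (not code from the article or from Google). The receiver class name, the 6-digit code format and the assumption that the delivered Intent carries the standard SMS PDU extras are illustrative assumptions; the app's backend is assumed to include the returned token in the SMS it sends.

```java
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Build;
import android.provider.Telephony;
import android.telephony.SmsManager;
import android.telephony.SmsMessage;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical receiver; declare it in the manifest with android:exported="false". */
public class SmsCodeReceiver extends BroadcastReceiver {

    /** Step 1: request a one-time token. The manifest declares no SMS permission. */
    public static String requestToken(Context context) {
        // Explicit intent: only this app's own receiver can be the target.
        Intent target = new Intent(context, SmsCodeReceiver.class);
        int flags = PendingIntent.FLAG_UPDATE_CURRENT;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            // Android 12+ requires a mutability flag; mutable so the system
            // can attach the SMS data when it fires the intent.
            flags |= PendingIntent.FLAG_MUTABLE;
        }
        PendingIntent pi = PendingIntent.getBroadcast(context, 0, target, flags);
        // A new request replaces any request already pending for this package.
        // The caller forwards the returned token to its backend (not shown).
        return SmsManager.getDefault().createAppSpecificSmsToken(pi);
    }

    /** Step 2: the system hands the matching SMS to this receiver. */
    @Override
    public void onReceive(Context context, Intent intent) {
        // Assumption: the SMS data arrives as the standard PDU extras.
        SmsMessage[] parts = Telephony.Sms.Intents.getMessagesFromIntent(intent);
        if (parts == null || parts.length == 0) return;
        StringBuilder body = new StringBuilder();
        for (SmsMessage part : parts) body.append(part.getMessageBody());
        String code = extractCode(body.toString());
        if (code != null) {
            // Submit the code to the app's verification endpoint (not shown).
        }
    }

    /** Assumed message format: a standalone 6-digit code in the body. */
    static String extractCode(String body) {
        Matcher m = Pattern.compile("\\b(\\d{6})\\b").matcher(body);
        return m.find() ? m.group(1) : null;
    }
}
```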

Although this is a minor quality-of-life change that will mostly only be appreciated by developers (one less permission = one less headache in potential reviews), it’s great to see Google continue to add features such as this.