Cordova plugin to receive verification SMS in Android using the SMS Retriever API.
This plugin requires the Google Play Services 15.0.0 or newer in order to work properly.
Minimum supported SDK version 21.
<platform name="android">
...
<preference name="android-minSdkVersion" value="21" />
...
</platform>
- Install stable from NPM:
cordova plugin add cordova-plugin-sms-retriever
- Install master from GitHub:
cordova plugin add https://github.com/andreszs/cordova-plugin-sms-retriever
- Create your project and Android app in Firebase Console
- Download the google-services.json file into your platforms/android folder.
- Make sure to sign your build with a keystore file.
npm i awesome-cordova-plugins-sms-retriever-api
npm i @awesome-cordova-plugins/sms-retriever-api
https://github.com/MaximBelov/cordova-plugin-sms-retriever-lab
Opens a dialog to select your mobile numbers saved in phone and returns selected phone number.
var onSuccess = function (strSuccess) {
console.log(strSuccess);
};
var onFail = function (strError) {
console.log(strError);
};
cordova.plugins.SMSRetriever.getPhoneNumber(onSuccess, onFail);
Start listening for a single incoming verification SMS for 5 minutes.
cordova.plugins.SMSRetriever.startWatch(successCallback, errorCallback);
- When a valid SMS is intercepted, the onSMSArrive event is fired and SMS watching is stopped.
- When the 5 minutes timeout is reached, SMS watching is stopped and the failureCallback returns TIMEOUT.
- SMS_RETRIEVER_STARTED: Retriever started and waiting for incoming SMS.
- SMS_RETRIEVER_ALREADY_STARTED: Your 5 minutes for SMS retrieval are already running and won’t be reset by calling this method again!.
- SMS_RETRIEVER_DONE: Second callback, triggered when an SMS was intercepted.
When the SMS is returned, the retriever API is automatically stopped and no further messages will be intercepted until you start a new one. This is by API design, not a plugin or a demo app restriction.
var onSuccess = function (strSuccess) {
console.log(strSuccess);
};
var onFail = function (strError) {
console.log(strError);
};
cordova.plugins.SMSRetriever.startWatch(onSuccess, onFail);
Stops listening for a single incoming verification SMS
- SMS_RETRIEVER_DONE
var onSuccess = function (strSuccess) {
console.log(strSuccess);
};
var onFail = function (strError) {
console.log(strError);
};
cordova.plugins.SMSRetriever.stopWatch(onSuccess, onFail);
Get the 11-character hash string for your app using the AppSignatureHelper class. This string must be appended to the SMS received in order for the API to read this message.
cordova.plugins.SMSRetriever.getHashString(successCallback, errorCallback);
- The hash will be different from debug and release builds, since they have different signatures.
- Play Store now re-signs signed APKs on upload. This will most certainly change the hash string.
- Calling this method with an active SMS retriever running will void the retriever and the SMS wont be incercepted.
- Google advices against dynamically retrieving your hash code before sending the SMS:
Do not use hash strings dynamically computed on the client in your verification messages.
Therefore, do not invoke this method from the published app. The hash is the same for all users, and bound to your keystore signing keys, so you can get it once and never again call this method.
- The 11-digit hash string for sending validation SMS.
var onSuccess = function (strHash) {
console.log(strHash);
};
var onFail = function (strError) {
console.log(strError);
};
cordova.plugins.SMSRetriever.getHashString(onSuccess , onFail);
Event fired when a valid verification SMS with the hash string has arrived. You need call startWatch() first.
- If the SMS is not retrieved in your debug build, try the signed production APK.
document.addEventListener('onSMSArrive', function(args) {
// SMS retrieved, get its contents
console.info(args.message);
// To Do: Extract the received one-time code and verify it on your server
});
The verification SMS message you send to the user must:
- Be no longer than 140 bytes
- Begin with the prefix <#>
- Contain a one-time code that the client sends back to your server to complete the verification flow
- End with the 11-character hash string that identifies your app
- Starting from plugin 2.0.0, the <#> prefix is no longer required by the plugin.
- Starting from an unknown Play Services version, the <#> is no longer required in the received SMS.
Otherwise, the contents of the verification message can be whatever you choose. It is helpful to create a message from which you can easily extract the one-time code later on. For example, a valid verification message might look like the following:
<#> AZC123 is your code for andreszsogon.com SMS Retriever Demo App. hi5c8+bkQy0
ℹ️ It is a good practice to prepend the verification code to the beginning of the SMS, in case the retriever fails, the user can see the code immediately from the notification bar.
- Compiled APK and reference including testing procedure instructions
- Source code for www folder
The plugin will work in your emulator as long as you are using a Google Play ABI or System Image, instead of the regular Google APIs ones. This is because these images include the Google Play Store and Google Play Services.
When the app is sent to the background, as long as Android has not unloaded it to recover memory, SMS watching will remain active and working correctly for 5 minutes.
No, the plugin does not require any permission because it relies on the SMS Retriever API.
In the emulator you can test the plugin using the unsigned debug APK. Real devices require the production APK to work.
Google advices against computing the hash string in the client for security concerns. Get the hash string in advance and then do not call the get hash method again in the final production app.
The <#> prefix formerly required to retrieve the SMS was silently removed in an unknown Play Services version and no longer appears in the SMS Retriever API docs.
- Merged PR#19
- Updated package.json as per npm suggestions
- Merged PR#18
- Removed the nbproject folder
- Restored support for SDK versions: minimum 21, target 31.
- Tested on Android 5.1, 6.0, 13, 14.
- Added support autofill for Android14
- BREAKING CHANGES: SDK versions: minimum - 24 and target - 33.
- Added method stopWatch
- Added method getPhoneNumber
- Updated README with important details about SMS generation
⚠️ Methods moved from the global window to the cordova.plugins object- Improved all methods return values to make them easier to parse
- Removed the requirement include the <#> prefix in the SMS
- Improved stability and error checking
- Updated demo app, now available in Play Store