DelphiWorlds/Kastri

[SMS] Add functionality for SMS Retriever API #170

Ce3apyc opened this issue · 11 comments

Description
SMS Retriever API doesn't work with APK Signature Scheme v3.1

Error messages
SMSRetriever starts with no error message, with ASuccess=True, when SMS comes, nothing happens.

Please indicate
All Android versions

Steps To Reproduce
Install your app from Google Play store.

Hi! I'm writing to you regarding your post here https://githubissues.com/DelphiWorlds/Kastri/170. Sorry for my bad English, I'm also new to GitHub, so please don't scold me too much if I'm asking a question in the wrong place.

I have implemented your example in my app, and it works just fine if I'm signing the APK myself, but when I install my app from Google Play store, it doesn't work. I have compared signature information (given from apksigner verify -print-certs -v package.apk command) from both cases and it turned out that the main difference is that Google is now using APK Signature Scheme v3.1. Could you consider updating SMSRetrieverTest.zip and/or AppHashGen.zip to fix this issue?

Please indicate which app on Play Store you are referring to (if it is public, and available in Australia), and indicate what you mean by "doesn't work". Also, please provide links and/or documentation regarding "Google is now using APK Signature Scheme v3.1."

The app is called БСПТ. I have just made it available in Australia. "doesn't work" means SMSRetriever doesn't catch SMS containing hash created by your tool AppHashGen.zip (SMSRetriever.OnSMSResult is not called at all).

Sorry, but my judgements regarding "Google is now using APK Signature Scheme v3.1." are only based on the comparison mentioned earlier of APK signature information given from the apksigner verify -print-certs -v package.apk command. There is a line there "Verified using v3.1 scheme (APK Signature Scheme v3.1): true" and the value "true" only comes with apps newly uploaded or updated on Google Play store. I only managed to find this link.

Forgot to mention that Google says: If you are already using the apksigner tool to display the certificate lineage information, you must use the tool from Android SDK ver. 33.0.1 and above.

Additional info that might help: there is a utility called APK-Info; according to this, it should be able to verify the signature of the APK by using APK Signature Scheme v3, but it cannot, and it gives this error: "Unknown additional attribute: ID 0x559f8b02"

I've updated the original SMS Retriever test app to add code that can obtain the app hash within itself. You can deploy a version of your app for internal testing on Play Store, install it from there and invoke the code to determine the app hash. You could remove that code if you feel you need to before publishing the version you intend to release.

The code to call (as per code in Unit1 of the attached demo) is: SMSRetriever.GetApplicationHash

SMSRetrieverTest.zip

Thank you. Does it mean that your tool AppHashGen.zip doesn't give the right hash any more? And the only way to get the right hash is within the app?
Is it safe to use the latest versions of play-services-auth jars?

> Does it mean that your tool AppHashGen.zip doesn't give the right hash any more?

It appears it does not.

> Is it safe to use the latest versions of play-services-auth jars?

The latest version of play-services-auth-base (v18.0.11) has a dependency on play-services-basement v18.2.0, and Delphi uses v18.1.0, so possibly not, but that does not mean it will not work.

How do you compute hash within the app?

> How do you compute hash within the app?

As per my earlier comment:

> The code to call (as per code in Unit1 of the attached demo) is: SMSRetriever.GetApplicationHash

The code that computes the hash is in the DW.Android.AppSignatureHelper unit, included with the project
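For reference, an added example (not the Kastri unit's code and not written by anyone in this thread): the app hash as derived in Google's published AppSignatureHelper sample, computed off-device to show that the value depends on both the package name and the signing certificate. The package name, certificate bytes and function names are constructed placeholders.

```python
import base64
import hashlib

HASH_BYTES = 9   # leading bytes of the SHA-256 digest that are kept
HASH_CHARS = 11  # leading base64 characters that form the app hash

# Constructed sample input: placeholder bytes standing in for the DER-encoded
# signing certificates (e.g. from "keytool -exportcert"), not real certificates.
PACKAGE = "com.example.app"
CERTS = {
    "local_key": b"constructed-certificate-used-for-local-signing",
    "store_key": b"constructed-certificate-used-for-store-builds",
}


def app_hash(package_name, cert_der):
    """Return the 11-character app hash for one package/certificate pair."""
    # Hash input is "<package> <lowercase hex of the certificate bytes>".
    app_info = f"{package_name} {cert_der.hex()}".encode("utf-8")
    digest = hashlib.sha256(app_info).digest()[:HASH_BYTES]
    # 9 bytes encode to 12 base64 characters without padding; keep 11.
    return base64.b64encode(digest).decode("ascii")[:HASH_CHARS]


def hashes_for(package_name, certs):
    """Compute the app hash for every candidate signing certificate."""
    return {label: app_hash(package_name, der) for label, der in certs.items()}


def matching_cert(sms_body, package_name, certs):
    """Return the label of the certificate whose hash ends the SMS, else None."""
    tail = sms_body.rstrip()[-HASH_CHARS:]
    for label, value in hashes_for(package_name, certs).items():
        if value == tail:
            return label
    return None


if __name__ == "__main__":
    for label, value in hashes_for(PACKAGE, CERTS).items():
        print(f"{label}: {value}")
    sms = "Your code is 123456 " + app_hash(PACKAGE, CERTS["local_key"])
    # The hash in this SMS was built from the local key, so a build signed
    # with the other certificate would not have the message delivered to it.
    print("SMS hash matches:", matching_cert(sms, PACKAGE, CERTS))
```

Running it with the real package name and each certificate an APK may be signed with shows which build a given SMS hash belongs to.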

After opening this demo project, closing the studio causes this error:
[image]

I doubt this error is related to the project itself. It does not have any special components in it, or anything.

> I've updated the original SMS Retriever test app to add code that can obtain the app hash within itself. You can deploy a version of your app for internal testing on Play Store, install it from there and invoke the code to determine the app hash. You could remove that code if you feel you need to before publishing the version you intend to release.
>
> The code to call (as per code in Unit1 of the attached demo) is: SMSRetriever.GetApplicationHash
>
> SMSRetrieverTest.zip

That helped. But hasn’t Google really provided a more convenient way for developers to obtain the application hash? Isn't that weird?