firebase-auth-ktx: Users being erroneously signed out since 23.2.1
Closed this issue · 15 comments
[READ] Step 1: Are you in the right place?
Yep - this is about a specific firebase-auth library version
[REQUIRED] Step 2: Describe your environment
- Android Studio version: Narwhal 2025.1.1 RC 1
- Firebase Component: firebase-auth-ktx (Database, Firestore, Storage, Functions, etc)
- Component version: com.google.firebase:firebase-auth-ktx:23.2.1
[REQUIRED] Step 3: Users being erroneously signed out since 23.2.1
Steps to reproduce:
We're getting a deluge of reports of users being signed out (that is, their firebase auth currentUser becoming null despite recently authenticating).
I can see in adb logs that my FirebaseAuth.AuthStateListener is firing with a null currentUser property.
I also see this being logged by the auth SDK internally:
D FirebaseAuth: Notifying id token listeners about a sign-out event.
D FirebaseAuth: Notifying auth state listeners about a sign-out event.
I was previously using 23.2.0 with no problems. I see in the changelog for 23.2.1 that this version added "Enhanced security by adding encryption to Firebase Authentication data inside Android persistent storage.".
I suspect this encryption/decryption is failing for some users and reporting that the user is no longer logged in.
I have tried downgrading the library but this seems to force all existing users to log in again (presumably because the newer library version was storing things in an encrypted fashion that older versions cannot decrypt), so I'm stuck here with no recourse for these users.
Relevant Code:
I'm detecting this situation with a FirebaseAuth.AuthStateListener
```kotlin
import com.google.firebase.auth.FirebaseAuth
import com.google.firebase.auth.ktx.auth
import com.google.firebase.ktx.Firebase

// Fires on every auth-state change; the FirebaseAuth instance is passed to the
// lambda, and currentUser is null when the SDK reports a sign-out.
Firebase.auth.addAuthStateListener { auth: FirebaseAuth ->
    val hasAuthToken = auth.currentUser != null
    // Log here..
}
```
I found a few problems with this issue:
- I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
- This issue does not seem to follow the issue template. Make sure you provide all the required information.
@dlgrech same situation here.
I have noticed that many users reporting this issue have just changed to a new device.
Could it be related to the user preferences backup migrated from the previous device not working on the new device?
Could certainly be! I've disabled backups in our latest version, and also trying to clear all shared_pref files on logout too.
Hopefully it helps stop users running into it, but it'd be great to get some recourse in the SDK itself as well :D
Hi @dlgrech, thank you for reaching out. I tried reproducing the issue, however, I did not encounter the behavior where the user is signed out.
By any chance, were you able to reproduce the issue? Or have you observed if there's an action that's causing this? Could you share what method you are using?
Based on our release notes, I suspect that this could be due to the enhanced security on the data inside Android persistent storage.
Hi @lehcar09!
I'm not able to organically reproduce it, but the way I've been simulating it is to:
- Build an app with v23.2.1 of the `firebase-auth-ktx` library, and log in (I'm using phone auth, but I suspect any auth method would do)
- Verify a `com.google.firebase.auth.api.Store.**` shared_prefs file is created with an `ENCRYPTED:` value
- Build the app with v23.2.0 of the `firebase-auth-ktx` library and start the app
- Observe that a `Firebase.auth.addAuthStateListener {}` receives a callback with `currentUser == null` (presumably because the stored encrypted token values cannot be decrypted).
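A host-side check for the repro steps above, added here as an example (not code from the thread or from the Firebase SDK): it parses the SharedPreferences XML that Android writes for the app (pulled from a debuggable build with `adb shell run-as <pkg> cat shared_prefs/<file>.xml`) and reports whether each stored value uses the `ENCRYPTED:` form written by 23.2.1 or the plaintext JSON written by earlier versions. The `com.google.firebase.auth.api.Store.**` file-name pattern comes from the comment; the preference key names and values in the sample dumps are constructed assumptions, not real SDK output.

```python
"""Classify persisted Firebase Auth state in an Android shared_prefs XML dump.

Added example. Pull the file from a debuggable build, e.g.:
    adb shell run-as <pkg> cat shared_prefs/com.google.firebase.auth.api.Store.<...>.xml
The key names used in the constructed samples below are assumptions for
illustration; the SDK's real key names are not documented on the page.
"""
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Values written by firebase-auth 23.2.1 carry this prefix (from the repro steps).
ENCRYPTED_PREFIX = "ENCRYPTED:"


@dataclass
class PrefEntry:
    key: str
    kind: str  # "encrypted", "plaintext-json" or "other"


def classify_value(value: str) -> str:
    """Return how a single <string> preference value is stored."""
    if value.startswith(ENCRYPTED_PREFIX):
        return "encrypted"
    try:
        parsed = json.loads(value)
    except json.JSONDecodeError:
        return "other"
    # Pre-23.2.1 builds persist auth state as JSON objects.
    return "plaintext-json" if isinstance(parsed, dict) else "other"


def scan_shared_prefs(xml_text: str) -> list[PrefEntry]:
    """Parse a SharedPreferences <map> and classify every <string> entry."""
    root = ET.fromstring(xml_text)
    return [
        PrefEntry(node.get("name", ""), classify_value(node.text or ""))
        for node in root.findall("string")
    ]


def verdict(entries: list[PrefEntry]) -> str:
    """Summarize which SDK generation wrote the file."""
    kinds = {e.kind for e in entries}
    if "encrypted" in kinds and "plaintext-json" in kinds:
        return "mixed"
    if "encrypted" in kinds:
        return "encrypted"  # readable by 23.2.1+ only, and only on the device that wrote it
    if "plaintext-json" in kinds:
        return "plaintext"  # written by 23.2.0 or earlier
    return "none"


# Constructed sample dumps (not real SDK output); key names are assumptions.
PLAINTEXT_DUMP = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="com.google.firebase.auth.FIREBASE_USER.uid123">{&quot;uid&quot;:&quot;uid123&quot;,&quot;providerId&quot;:&quot;phone&quot;}</string>
    <string name="com.google.firebase.auth.GET_TOKEN_RESPONSE.uid123">{&quot;refresh_token&quot;:&quot;redacted&quot;,&quot;expires_in&quot;:3600}</string>
</map>"""

ENCRYPTED_DUMP = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="com.google.firebase.auth.FIREBASE_USER.uid123">ENCRYPTED:AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyA=</string>
    <string name="com.google.firebase.auth.GET_TOKEN_RESPONSE.uid123">ENCRYPTED:ISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+Pw==</string>
</map>"""


if __name__ == "__main__":
    for label, dump in (("23.2.0 build", PLAINTEXT_DUMP), ("23.2.1 build", ENCRYPTED_DUMP)):
        entries = scan_shared_prefs(dump)
        print(f"{label}: {verdict(entries)}")
        for e in entries:
            print(f"  {e.key} -> {e.kind}")
```

Run it against a dump from a device showing the spurious sign-out: an `encrypted` verdict on a freshly restored device, combined with the `Notifying auth state listeners about a sign-out event` log line, matches the cross-device-restore failure described in this thread, while `plaintext` means the data was written by 23.2.0 or earlier.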
@dlgrech @lehcar09 I bring some more data pointing to encrypted prefs being the culprit.
- Users contact us via customer support because every time they enter the app (cold start), they have to sign in again, or if they were just anonymous users, they have lost all their favorites/user data (lost forever, since anonymous users can't be linked again with their data stored in Firebase under their UID).
- We have verified that 100% of users reporting the problem have just changed to a new device.
- If they delete the app and reinstall it, the login issue persists.
- If they go to "Settings > Applications > our application > Storage and Cache" and delete the storage and cache, the issue disappears, and they have no more login problems. (The login state is persisted successfully.)
What I guess is happening is the Encrypted Preferences containing the login state are backed up in the old device and restored in the new device, but the App instance in the new device can't read them, probably because the encryption key is derived or stored somehow in the old device, and the new device derives a different key or simply is not part of the restored data.
As a result, every time they open the app (cold start), a new anonymous Firebase user is created, and from the user's point of view, "all the data seems to have disappeared."
While we wait for a fix from the Firebase team, we have decided to disable backups, just in case more devs want to know how:
In your AndroidManifest.xml add these lines

```xml
<!-- Attributes on the <application> element of AndroidManifest.xml -->
android:allowBackup="false"
android:fullBackupContent="false"
android:dataExtractionRules="@xml/data_extraction_rules"
```

In res/xml/data_extraction_rules.xml

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- <cloud-backup> and <device-transfer> take <include>/<exclude> children per
     domain (there is no include="false" attribute). Excluding the sharedpref
     domain keeps the Firebase Auth state out of both cloud backup and
     device-to-device transfer. -->
<data-extraction-rules>
    <cloud-backup>
        <exclude domain="sharedpref" />
    </cloud-backup>
    <device-transfer>
        <exclude domain="sharedpref" />
    </device-transfer>
</data-extraction-rules>
```
Thank you for those details @dlgrech and @pamartineza. I was able to replicate the behavior. Per checking, this was indeed related to the security enhancement that was released in the version 23.2.1.
Let me raise this to our engineers to see what we can do here. Thanks!
I have the same problem. Fortunately, my app update has not yet been released to users, so I will revert the Firebase library update on my end until the issue is resolved.
Thanks for the details @dlgrech and @pamartineza.
Firebase Auth SDK v23.2.1 encrypts firebase-auth data in shared-preferences. When encrypted firebase-auth data is restored to a new device from a cross-device backup, the library is unable to decrypt the persistent storage data, causing a regression in auth-state persistence behavior.
We are working on the fix to resolve this issue.
Meanwhile, the following workarounds are available to address this issue:
1. Downgrade the SDK Version:
Reverting to a previous version of the SDK can resolve the issue, as the encryption behavior is not present in earlier releases.
How: Downgrade the Firebase Auth dependency to v23.2.0 or lower in your app's build.gradle file. This restores the previous authentication persistence behavior of the older Firebase Auth SDK versions.
Note: If an existing user authenticated with v23.2.1 updates to an app version with a downgraded SDK, they will be signed out on the first launch. After signing in again, the expected auth-state persistence behavior will be restored.
2. Instruct Users to Clear App Data:
How: If feasible, affected users can manually clear the app's data, effectively clearing out shared-preferences data. While the exact path may vary by Android device, the option is generally located in Settings > Apps > [App Name] > Storage & cache.
3. Disable app-backup:
Prevent cross-device backup by disabling it.
How: If your app uses Android auto-backup, you can follow the steps mentioned in https://developer.android.com/identity/data/autobackup to disable app backup temporarily.
@ayanvishwaka I wouldn’t recommend downgrading if the app uses the anonymous sign-in feature.
The issue only arises when they switch to a new device—a relatively rare scenario.
On the other hand, downgrading would impact 100% of users and cause all anonymous users to lose their data.
This regression has been resolved in Firebase Auth v24.0.0. Updating the Firebase Auth library from v23.2.1 to v24.0.0 should fix the issue.
Existing users who are already signed in v23.2.1 will remain authenticated after the upgrade to v24.0.0. At the same time, the update addresses the problem for users who migrate their app data to a new device via cross-device backup.
Note: For users of Kotlin extensions (firebase-auth-ktx), starting with v24.0.0, the firebase-auth-ktx library is no longer released as a separate artifact. Its functionality has been merged into the main firebase-auth module.
For migration instructions, refer to the official guide: How to migrate to use KTX APIs from the main modules.
@ayanvishwaka awesome thank you!
Just wanted to check on the v23.2.0 -> v24.0.0 upgrade path (i.e. *not* from v23.2.1).
Just trying it out quickly it seems like I was logged out after first upgrading, which would cause issues for users upgrading from older builds.
Hi @dlgrech,
By design, authentication state should also persist on v23.2.0 -> v24.0.0 upgrade path.
To confirm this, I installed an app using v23.2.0, signed in with an email-password or anonymous provider, and then upgraded to v24.0.0. After the upgrade, the authentication state was preserved as expected on the first launch.
@ayanvishwaka @dlgrech I have conducted various tests from different upgrade paths, and all seems good. No more login issues after upgrading to v24.0.0
Thank you very much 👍
Hey folks! Firebase Auth version 24.0.0 was released on July 21, 2025. I'll be closing this issue now. Thanks!