Google Play Services prepares to let the Autofill Service automatically pull SMS verification codes
Setting up two-factor authentication for your online accounts is a necessity if you care at all about the security of your data. Most users who have 2FA enabled use on-device prompts, authenticator apps, or verification codes sent via SMS. Although on-device prompts and authenticator apps are considered more secure than SMS code verification, Google’s research shows that SMS verification for Google accounts “helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks.” The benefits are clear, but the reason many people still don’t use 2FA, even via SMS, is that they find it inconvenient. Today, Google rolled out Google Play Services version 18.7.13 beta, and it hints at a new way for verification codes to be automatically retrieved from text messages: via Android’s built-in Autofill Service.
Google Play Services 18.7.13 Beta Changes
There are currently a few ways to skip manually opening your messaging app to copy the verification code. First, the messaging app (such as Google’s Messages) may automatically detect the code and present it in the notification for a new text message. Second, the app that needs the code can use the SMS Retriever API, which is part of Google Play Services, to receive the verification SMS automatically without requesting any SMS permission. Third, since Android 8.0 Oreo the app can call SmsManager.createAppSpecificSmsToken() with a PendingIntent; the system then delivers an incoming SMS that contains the returned token to that PendingIntent. Lastly, the app can request the READ_SMS permission and read incoming text messages for the verification code itself; however, Google recently cracked down on apps that use SMS permissions like this.
Out of the four methods mentioned in the last paragraph, the recommended one is the SMS Retriever API, since Google Play Services is nearly ubiquitous. Sadly, many app developers still don’t take advantage of this API. The reason, according to XDA Recognized Developer Quinny899, who works on an app that uses this API, is that the required format of the text message sent to users isn’t ideal. The text message body must start with <#> and end with an 11-character hash derived from the app’s package name and signing certificate. This hash might confuse users into thinking it’s actually the SMS code in question.
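The hash the SMS Retriever API expects at the end of the message can be reproduced outside Android, which is useful because it is usually a server, not the app, that composes the SMS. The following Python is an added example, not code from the article or from Google: it computes the 11-character hash the same way Google’s AppSignatureHelper sample and the documented keytool pipeline do (SHA-256 over “<package name> <lowercase hex of the DER-encoded signing certificate>”, base64, first 11 characters), assembles a message in the required format, and then checks an incoming message against the same constraints before extracting the code. The package name, the certificate bytes and the six-digit code pattern are constructed placeholders; a real app would export its certificate with keytool -exportcert and would know its own code format.

```python
import base64
import hashlib
import re

# Constructed placeholders (not a real app or certificate): a package name and
# a few bytes standing in for the DER-encoded signing certificate that
# `keytool -exportcert` would output.
PACKAGE_NAME = "com.example.smsdemo"
CERT_DER = bytes.fromhex("308201a3300d06092a864886f70d01010b0500")

# Assumption for this example: the one-time code is six decimal digits.
CODE_PATTERN = re.compile(r"\b\d{6}\b")


def app_hash(package_name: str, cert_der: bytes) -> str:
    """11-character SMS Retriever app hash for a package / signing certificate.

    Mirrors Google's AppSignatureHelper sample: SHA-256 over
    "<package> <lowercase hex of the DER certificate>", base64 without
    padding, truncated to 11 characters (9 bytes of digest -> 12 base64 chars,
    so truncating the digest first changes nothing).
    """
    app_info = f"{package_name} {cert_der.hex()}".encode("utf-8")
    digest = hashlib.sha256(app_info).digest()
    b64 = base64.b64encode(digest[:9]).decode("ascii")
    return b64[:11]


def build_retriever_sms(code: str, package_name: str, cert_der: bytes) -> str:
    """Compose a message in the format the SMS Retriever API requires:
    starts with <#>, contains the one-time code, ends with the app hash,
    and is at most 140 bytes long."""
    message = (
        f"<#> Your {package_name} code is: {code}\n"
        f"{app_hash(package_name, cert_der)}"
    )
    if len(message.encode("utf-8")) > 140:
        raise ValueError("SMS Retriever messages must be at most 140 bytes")
    return message


def parse_retriever_sms(message: str, package_name: str, cert_der: bytes):
    """Apply the retriever's constraints to an incoming message and return the
    code, or None if the message would not be delivered to this app."""
    if not message.startswith("<#>"):
        return None
    if len(message.encode("utf-8")) > 140:
        return None
    # The hash is the last whitespace-separated token; it may contain '+' and '/'.
    parts = message.rstrip().rsplit(None, 1)
    if len(parts) != 2 or parts[1] != app_hash(package_name, cert_der):
        return None
    body = parts[0]  # everything except the trailing hash
    match = CODE_PATTERN.search(body)
    return match.group(0) if match else None


if __name__ == "__main__":
    sms = build_retriever_sms("482913", PACKAGE_NAME, CERT_DER)
    print(sms)
    print("extracted code:", parse_retriever_sms(sms, PACKAGE_NAME, CERT_DER))
```

Printing the assembled message shows the usability problem Quinny899 describes: the final line is an opaque 11-character string that sits right below the real code and looks very much like one. The parser strips that hash before searching for the code so the pattern can never match part of the hash.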
Google wants users to adopt better security practices, which means they want to make two-factor authentication more palatable to users. In order to do so, it seems that they’ll be updating the Google Autofill Service to automatically retrieve verification codes from text messages. This will bring automatic SMS code retrieval to users whose default messaging apps don’t already retrieve the code automatically and whose apps don’t use the SMS Retriever API.
<string name="sms_code_autofill_consent_message">You can change the settings in Settings → Google → Verification code autofill.</string>
<string name="sms_code_autofill_consent_title">Allow %s to automatically enter verification codes from text messages?</string>
<string name="sms_code_autofill_settings_title">SMS Code Autofill</string>
<string name="sms_code_autofill_settings_toggle_description">Autofill must be enabled to automatically fill SMS codes. You can enable autofill in Settings → System → Languages & Input → Advanced → Autofill service.</string>
<string name="sms_code_autofill_settings_toggle_primary">Autofill SMS Codes</string>
<string name="sms_code_autofill_settings_toggle_secondary">Allow autofill service to access SMS messages to retrieve verification code</string>
<string name="sms_code_pref_key_autofill_permission_state">autofill_permission_state</string>
<string name="sms_code_pref_key_dummy_for_description">dummy_for_description</string>
After enabling the Google Autofill Service, available on any Android 8.0+ device with Google Play Services installed, the user will be able to enable “SMS Code Auto-fill,” as shown below. This activity is currently unexported but can be accessed by manually launching the
I don’t use SMS-based 2FA for any of my accounts nor do I use Google’s Autofill Service (I’m a KeePass fan), so I was unable to test it myself. However, the feature seems pretty straightforward: When you receive a code via SMS, the Autofill Service will offer to input the code automatically just like any password you’ve saved. While this is a nice feature to have for now, we’ll be able to access websites and apps without needing a password in the near future thanks to Android’s recent FIDO2 certification.
You can download the latest version of Play Services on APKMirror, or you can wait for it to roll out gradually over the coming weeks.
Thanks to PNF Software for providing us a license to use JEB Decompiler, a professional-grade reverse engineering tool for Android applications.