Feature request: don't require SMS permission for verification


#1

It can be done through a Google Play Services call: https://developers.google.com/identity/sms-retriever/overview

I don’t want Monzo to be able to read all my SMS just for a one time verification.


(Marcus Nailor) #2

Hey there :slight_smile: So whether or not this will have any adverse effects along the lines, I have no idea…

But from Android 6.0 onwards you should be able to control per-app permissions on a very fine level :smiley:

You may have seen the option to do so already - But if you head to the ‘App Info’ of Monzo :monzo: you’ll be able to slide access to SMS off :slight_smile:

(screenshot below)

Hope this helps! :slight_smile:

Maybe @emmag can confirm what Monzo uses SMS for? :slight_smile:


#3

When I verified using SMS, I got a dialog asking if I wanted to grant the SMS permission. I’m guessing you must be using Android 5.

Maybe @emmag can confirm what Monzo uses SMS for?

Reading the verification number


(Marcus Nailor) #4

I can’t recall whether that feature came with Lollipop or Marshmallow :slight_smile: But certainly 5.0/6.0 onwards

Sorry yeah I know :joy: I meant if there was anything else which might not like having SMS be disabled :wink:


#5

I can’t recall whether that feature came with Lollipop or Marshmallow :slight_smile: But certainly 5.0/6.0 onwards

It was Marshmallow


#6

Thanks! I’m on Android O preview and I did deny the permission request :smile: (no issue whatsoever, in case you were wondering) But auto filling is still a cool feature and it turns out in that case we can have the cake and eat it.

There is an API for that. If that also makes the code for extracting the tokens from SMS simpler and removes a dependency on some library, I’d say why not!


(Kavi Dhokia) #7

So this was a feature I added to the app during one of our monthly Monzo Time :tm: days (we really need a better name for that as every day is technically Monzo time :sweat_smile: – suggestions welcome!).
Basically, on the Android team, we have a day a month where we get to work on whatever we want, this is often a proof of concept using some cool new things but sometimes it’s just nice improvements to the app which we wouldn’t normally have time to do otherwise, such as this one.

Anyways, the reason the SMS code verification doesn’t use the new Play Services functionality is that in order to use the new Play Services SMS retriever API, we would have required a change to the backend as the SMS has to be delivered in a very specific format.
This wasn’t particularly feasible given that the SMS code is used on iOS as well, and also because I needed to get it done in a day! :hourglass_flowing_sand:

So the way it works is that it uses the SMS permission to read the code automatically as it is received.
However, it only works on Android 6.0+. The feature is not available on Android 5.x as it doesn’t have runtime permissions and we didn’t want to request a blanket SMS permission just for verifying an SMS code one time during signup.

Rest assured that we don’t use the permission for anything other than automatically verifying the SMS code during signup. Feel free to revoke the permission afterwards if you want, it won’t affect the rest of the app in any way. :v:


#8

Thanks for the details! It’s nice to learn that you tried it already :slight_smile: I suppose it’s possible to transmit the expected SMS format along with the verification request to the server but… :hourglass_flowing_sand: cost vs benefits right?

Also I find it very thoughtful to not force the permission on 5.x, kudos on that!
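
The "very specific format" from post #7 and the idea in post #8 of sending it along with the verification request, as an added example that is not part of any post and is not Monzo's code. It assumes the SMS Retriever rules from the documentation linked in post #1 (a message of at most 140 bytes that carries the code and an 11-character app hash); the package name, certificate bytes, message wording and function names are constructed for illustration.

```python
import base64
import hashlib
import re
from typing import Optional

MAX_SMS_BYTES = 140  # limit on the whole message, hash included
HASH_LEN = 11

def app_hash(package_name: str, signing_cert: bytes) -> str:
    """Identifier for one (package, signing certificate) pair. Not a secret."""
    app_info = f"{package_name} {signing_cert.hex()}".encode("utf-8")
    digest = hashlib.sha256(app_info).digest()
    # First 9 digest bytes -> 12 base64 chars (no padding) -> keep 11.
    return base64.b64encode(digest[:9]).decode("ascii")[:HASH_LEN]

def build_sms(code: str, client_hash: str, brand: str = "Example Bank") -> str:
    """Server side: format the SMS using the hash the client sent with its request."""
    if not re.fullmatch(r"\d{4,8}", code):
        raise ValueError("code must be 4-8 digits")
    if not re.fullmatch(r"[A-Za-z0-9+/]{11}", client_hash):
        raise ValueError("malformed app hash")  # never echo unvalidated input into an SMS
    sms = f"Your {brand} verification code is {code}\n\n{client_hash}"
    if len(sms.encode("utf-8")) > MAX_SMS_BYTES:
        raise ValueError("message exceeds 140 bytes")
    return sms

def extract_code(sms: str, own_hash: str) -> Optional[str]:
    """Client side: accept only a message tagged for this app, then read the code."""
    lines = sms.strip().splitlines()
    if len(lines) < 2 or lines[-1].strip() != own_hash:
        return None
    match = re.search(r"\b\d{4,8}\b", "\n".join(lines[:-1]))
    return match.group(0) if match else None

# Constructed sample values, not a real package or certificate.
PACKAGE = "com.example.bank"
CERT = b"constructed signing certificate bytes"

if __name__ == "__main__":
    h = app_hash(PACKAGE, CERT)
    sms = build_sms("482913", h)
    print(sms)
    print(extract_code(sms, h))
```

On a device, the hash match in `extract_code` is done by Play Services, which is why the app itself needs no SMS permission; the server still has to verify the code the client sends back.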

