Twilio™ Verification SDK: Android app SMS permissions & phone verification has never been easier

We’re excited to announce the new Twilio Verification SDK for Android. This SDK lets developers get the most from a new Google API that simplifies SMS permissions used for verifying phone numbers. Now, you can build rock-solid verification without worrying about the ins-and-outs of SMS delivery.

Application security is a constant balance between securing accounts and ensuring a convenient user experience. Attackers can exploit applications that verify accounts solely with an email address. To combat this, developers are turning to phone numbers for initial sign-ups, instead of the traditional username/password combination.

To verify a phone number and prove the user is who they say they are, apps send out a code via SMS and require the user to enter the code back into the application.
Having to receive, read, and re-enter an SMS code into an application can be cumbersome. To address this, Google allows developers to request permission to automatically read the SMS message and instantly validate a user’s access to the associated phone number.

However, once accepted, this permission persists for the entire time the application is on your device, and gives the application visibility to all your SMS messages. Security researchers and users frequently complain about this excessive access to personal data. When you take into account how many online banks, email providers, chat services, and other business apps are also using SMS-based two-factor authentication, it’s concerning to think that Android users are accustomed to indiscriminately accepting app permissions and potentially opening themselves up to serious malware attacks.

Google designs a safer approach

In response to this, Google has developed an automatic validation method that does not require broad or long-term access to a user’s SMS messages. The newly released Google SMS Retriever API allows applications to access SMS messages during number verification without permitting long-term SMS access. It does this by allowing apps registered with Google Play Services to indicate what type of SMS they’re interested in. Google passes on to the application any SMS matching that description exactly, so a given application only has access to the SMS messages it needs for user verification.

Partnering With Twilio For Maximum Effect

Delivering SMS messages across the globe isn’t easy. In many countries, local telecom carriers can block messages with the same repeating content, incorrectly identifying them as spam. To get around such problems, app developers often have to buy short codes (34412, as opposed to a long code number like 415 123 4567) or register alphanumeric sender IDs.

Rules and regulations vary depending on geography, carrier, message type and number type, and are constantly subject to change. It shouldn’t take a deep understanding of the complexities of the global communications infrastructure just to adequately verify your users.

Google looked to Twilio because of our vast experience in building up a communications platform that can reach nearly any phone on the planet, and the result is the Twilio Verification SDK for Android.

Benefits To Android Developers

In summary, here’s why using the SDK might make sense for you:

  • Abstracts Google Play Services: Twilio provides out-of-the-box integration with the Google Play Services functionality via a small, lightweight SDK
  • Total automation: End-to-end handling of the phone number verification process
  • Reduced developer time: Implement Google’s SMS Retriever API in a single sprint
  • Easy updates: Simplified phone verification can be added to all new, current, and legacy apps
  • Better end-user experience: Friction-free signup for your Android app using just a phone number
  • More successful SMS: Utilizing the Twilio Verification API, delivery of SMS is significantly more timely and reliable

SIGNAL Presentation

Twilio’s Serge Kruppa, Johanna Mantilla and Google’s Steven Soneff gave a talk at the SIGNAL user conference showing how this new SDK works.

Getting Started

If you’re a developer building mobile apps on Android that use phone numbers to register and identify user accounts, you should be using Twilio Verification SDK for Android for the quickest way to solve the problem of providing a smooth, secure and easy sign-up flow.

Sign up for an account in the Twilio Console and then contact us to get access to the developer preview.

NOTE: Sorry, iOS developers. As Apple doesn’t allow apps to programmatically access iMessages or SMS, this SDK is only available on Google Android platforms.

  • paulotaylor

    Any plans to implement this for Outgoing Caller IDs? I understand that you can only add numbers to Outgoing Caller IDs via voice calls, is this correct?

  • Chris

    LOL – just as NIST bans SMS OTP, and the world is reeling from SS7 exploits and number porting, you guys think it’s a good idea to layer *more* security onto this fatally flawed and insecure protocol?

    Seriously??

    I know you’re a business and have to make money, but shouldn’t you care about our security first?