Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
cordova-plugin-sms-retriever
Advanced tools
License | Platform | Contribute |
---|---|---|
Cordova plugin to receive verification SMS in Android using the SMS Retriever API.
Add the plugin with Cordova CLI (v6 or later):
cordova plugin add cordova-plugin-sms-retriever
Add the dependent cordova-support-google-services plugin:
cordova plugin add cordova-support-google-services
Create your project and Android app in Firebase Console, then download the google-services.json file into your platforms/android
folder.
Sign your APK with a keystore file if you haven't done it already.
Start listening for a single incoming verification SMS. This will later raise the onSMSArrive event when a valid SMS arrives. Example usage:
SMSRetriever.startWatch(function(msg) {
// Wait for incoming SMS
console.log(msg);
}, function(err) {
// Failed to start watching for SMS
console.error(err);
});
Notice: The API will timeout 5 minutes after starting if no valid SMS has arrived. Also, the API stops listening for SMS after a valid SMS has been detected.
Get the 11-character hash string for your app using the AppSignatureHelper class.
SMSRetriever.getHashString(function(hash) {
// Hash string returned OK
console.log(hash);
}, function(err) {
// Error retrieving hash string
console.error(err);
});
Warning: Google advices against dynamically retrieving your hash code before sending the SMS:
Do not use hash strings dynamically computed on the client in your verification messages.
Therefore, do not invoke this method from the published app. The hash is the same for all users, and bound to your keystore signing keys, so you can get it once and never again call the getHashString()
method.
Triggered when a verification SMS with the proper 11-character hash string has arrived. You need call startWatch() first. Example usage:
document.addEventListener('onSMSArrive', function(args) {
// SMS arrived, get its contents
console.info(args.message);
// To Do: Extract the received one-time code and verify it on your server
});
The verification SMS message you send to the user must:
Be no longer than 140 bytes
Begin with the prefix <#>
Contain a one-time code that the client sends back to your server to complete the verification flow
End with an 11-character hash string that identifies your app
Otherwise, the contents of the verification message can be whatever you choose. It is helpful to create a message from which you can easily extract the one-time code later on. For example, a valid verification message might look like the following:
<#> 123ABC is your ExampleApp code. FAw9qCX9VSu
To test this plugin in a Cordova app using the provided sample:
www
folder with the one provided here at the demo
folderHere are some screens from the SMSReceiverDemo sample app included in the demo folder. Feel free to try this demo in whatever device you find.
This plugin requires the Google Play Services version 10.2 or newer in order to work properly. You must also install the Google Play Services support plugin as explained in the Install section.
The plugin will work in your emulator as long as you are using a Google Play ABI or System Image, instead of the regular Google APIs ones. This is because these images include the Google Play Store and Google Play Services.
When the app is sent to the background, as long as Android has not unloaded it to recover memory, SMS watching will remain active and working correctly for 5 minutes.
No, the plugin does not require any kind of permissions because it relies on the SMS Retriever API created by Google.
I have tested this plugin with success on:
Please consider contributing with a small donation using the PayPal button if you like this plugin and it works as expected. No PayPal account is needed.
For support, you may post in the Issues section. Be aware that I don't have much time for dealing with Java and the Android APIs, so before you start complaining that X does not work, make sure to compare the plugin behavior across different devices and emulators in order to locate the exact source of the problem.
If you are convinced that the plugin needs to be fixed / updated, kindly post your issue in full detail, including Android version, device brand and name, Cordova and cordova-android versions.
Please don't expect me to instantly reply with a magical solution or a new plugin version, but I'll try to help in whatever I can. I'm interested in mantaining this plugin in a working condition, so try to send useful, constructive feedback whenever possible.
FAQs
Cordova plugin to retrieve SMS in Android using the SMS Retriever API.
The npm package cordova-plugin-sms-retriever receives a total of 129 weekly downloads. As such, cordova-plugin-sms-retriever popularity was classified as not popular.
We found that cordova-plugin-sms-retriever demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.