auth/missing-client-identifier - only for 8% of my Android production user base

[bdelbasso]

Hi

I've integrated Firebase SMS authentication to my mobile app and it's working fine in production, on both iOS and Android. Except for a small percentage of the user-base that is getting the following error:

[auth/missing-client-identifier] This request is missing a valid app identifier, meaning that neither SafetyNet checks nor reCAPTCHA checks succeeded. Please try again, or check the logcat for more details.

I'm monitoring this error through Sentry installed in the app and only %8 of my user base is getting it, across all Android versions.

There is plenty of documentation of the web for this error, and I think I've checked quite all of it.
Thus, the question: why is it failing for only 8% of the user base?

Checks

• Google "Android Device Verification" API is active and getting traffic. Google Cloud Console does not show any error, only HTTP 200 requests.

• In Firebase project, the SHA-1 and SHA-256 fingerprints are set. I did "Add fingerprint" again in the Firebase console (without removing the current ones): no new fingerprints were added, so I assume that they do match perfectly.

  • There are four fingerprints (two SHA-1, two SHA-256) all listed in the Google Play Console > (my app) > Setup > App Integrity : two from the upload keystore, and two from Google own signing key.
  • The two from the upload keystone match perfectly what I can get locally with keytool -list -v -alias my_app -keystore my_app.keystore

• Re-downloaded google-services.json => it matches perfectly the current one (except there is no newline at the end of the file).

• Presence of implementation "androidx.browser:browser:1.3.0"=> check.

Additional information

Version of react-native-firebase: 10.1.0

Note: while checking, I found a mismatch in package.json): package auth is having a different patch number. Will fix this ASAP in next release by upgrading all packages to ^10.8.1.

"@react-native-firebase/analytics": "^10.1.0",
"@react-native-firebase/app": "^10.1.0",
"@react-native-firebase/auth": "^10.1.1",

Help greatly needed.

Thanks !

[mikehardy]

Unfortunately (fortunately?) you appear to have done everything I can think of. If SafetyNet is getting traffic, that will get most - then if the device is rooted or something the reCAPTCHA should get the rest. Have you verified reCAPTCHA is set up? If you use an emulator or rooted phone it should send you on the reCAPTCHA flow for testing

We don't have the API that forces reCAPTCHA flow exposed unfortunately - see #4744 (comment)

Newest Huawei phones should be likely reproducers if reCAPTCHA isn't working #4744 - I'm not sure of the easiest way to test reCAPTCHA flow otherwise, but I think it's just trying phone auth on an emulator

[bdelbasso]

Interesting. That's what I get in the simulator, when not using a phone number registered as "test number" in the Firebase console.

Googling it seems that I'm missing a SHA-1 key, but which one?

05-02 00:29:10.680  8763  8928 E FirebaseAuth: [GetAuthDomainTask] Error getting project config. Failed with {
05-02 00:29:10.680  8763  8928 E FirebaseAuth:   "error": {
05-02 00:29:10.680  8763  8928 E FirebaseAuth:     "code": 400,
05-02 00:29:10.680  8763  8928 E FirebaseAuth:     "message": "INVALID_CERT_HASH : Client does not match API key",
05-02 00:29:10.680  8763  8928 E FirebaseAuth:     "errors": [
05-02 00:29:10.680  8763  8928 E FirebaseAuth:       {
05-02 00:29:10.680  8763  8928 E FirebaseAuth:         "message": "INVALID_CERT_HASH : Client does not match API key",
05-02 00:29:10.680  8763  8928 E FirebaseAuth:         "domain": "global",
05-02 00:29:10.680  8763  8928 E FirebaseAuth:         "reason": "invalid"
05-02 00:29:10.680  8763  8928 E FirebaseAuth:       }
05-02 00:29:10.680  8763  8928 E FirebaseAuth:     ]
05-02 00:29:10.680  8763  8928 E FirebaseAuth:   }
05-02 00:29:10.680  8763  8928 E FirebaseAuth: }
05-02 00:29:10.680  8763  8928 E FirebaseAuth:  400
05-02 00:29:10.683   277   319 D goldfish-address-space: allocate: Ask for block of size 0x510000
05-02 00:29:10.683   277   319 D goldfish-address-space: allocate: ioctl allocate returned offset 0x1fd33c000 size 0x514000
05-02 00:29:10.691   483  2712 W InputReader: Device virtio_input_multi_touch_9 is associated with display ADISPLAY_ID_NONE.
05-02 00:29:10.691   483  2712 W InputReader: Device virtio_input_multi_touch_4 is associated with display ADISPLAY_ID_NONE.
05-02 00:29:10.691   483  2712 W InputReader: Device virtio_input_multi_touch_5 is associated with display ADISPLAY_ID_NONE.
05-02 00:29:10.691   483  2712 W InputReader: Device virtio_input_multi_touch_2 is associated with display ADISPLAY_ID_NONE.
05-02 00:29:10.691   483  2712 W InputReader: Device virtio_input_multi_touch_10 is associated with display ADISPLAY_ID_NONE.
05-02 00:29:10.691   483  2712 W InputReader: Device virtio_input_multi_touch_6 is associated with display ADISPLAY_ID_NONE.
05-02 00:29:10.691   483  2712 W InputReader: Device virtio_input_multi_touch_3 is associated with display ADISPLAY_ID_NONE.
05-02 00:29:10.691   483  2712 W InputReader: Device virtio_input_multi_touch_7 is associated with display ADISPLAY_ID_NONE.
05-02 00:29:10.691   483  2712 W InputReader: Device virtio_input_multi_touch_8 is associated with display ADISPLAY_ID_NONE.
05-02 00:29:10.691   483  2712 W InputReader: Device virtio_input_multi_touch_11 is associated with display ADISPLAY_ID_NONE.
05-02 00:29:10.691   483  2712 W InputReader: Device virtio_input_multi_touch_9 is associated with display ADISPLAY_ID_NONE.
05-02 00:29:10.691   483  2712 W InputReader: Device virtio_input_multi_touch_4 is associated with display ADISPLAY_ID_NONE.
05-02 00:29:10.691   483  2712 W InputReader: Device virtio_input_multi_touch_5 is associated with display ADISPLAY_ID_NONE.
05-02 00:29:10.691   483  2712 W InputReader: Device virtio_input_multi_touch_2 is associated with display ADISPLAY_ID_NONE.
05-02 00:29:10.691   483  2712 W InputReader: Device virtio_input_multi_touch_10 is associated with display ADISPLAY_ID_NONE.
05-02 00:29:10.691   483  2712 W InputReader: Device virtio_input_multi_touch_6 is associated with display ADISPLAY_ID_NONE.
05-02 00:29:10.691   483  2712 W InputReader: Device virtio_input_multi_touch_3 is associated with display ADISPLAY_ID_NONE.
05-02 00:29:10.691   483  2712 W InputReader: Device virtio_input_multi_touch_7 is associated with display ADISPLAY_ID_NONE.
05-02 00:29:10.691   483  2712 W InputReader: Device virtio_input_multi_touch_8 is associated with display ADISPLAY_ID_NONE.
05-02 00:29:10.691   483  2712 W InputReader: Device virtio_input_multi_touch_11 is associated with display ADISPLAY_ID_NONE.
05-02 00:29:10.695  8763  8763 E zzf     : Failed to get reCAPTCHA token - calling backend without app verification

[mikehardy]

For dev builds it's the one from your keystore, for release builds (assuming you are using App Bundles / abb ?) it's the one that google (not you) signs with which you get from the playstore. This is actually a positive development though I think. Reproduction == fix (given enough time). Now that you can reproduce it you're on the right track and you'll get the config nailed down