Reputation: 2651
Tried to add another app on the same Firebase project since both apps are related to each other; now we have two apps in one Firebase project with different package names, but the same keystore was used, so the release SHA1 and SHA256 are the same as well.
Enabled Android Device Verification in Cloud Console so CAPTCHA is no longer needed.
Add both apps' package names and SHA1 to Credentials.
Launch the second newly added app then test a Phone Auth.
Received an unknown error with Firebase UI.
Logs:
2021-03-23 23:48:12.109 9350-9350/com.new.added.app E/g0: SafetyNet Attestation has advice:
LOCK_BOOTLOADER
2021-03-23 23:48:12.642 9350-10676/com.new.added.app E/FirebaseAuth: [GetAuthDomainTask] Error getting project config. Failed with INVALID_CERT_HASH 400
2021-03-23 23:48:12.745 9350-9350/com.new.added.app E/r0: Failed to get reCAPTCHA token with error [There was an error while trying to get your package certificate hash.]- calling backend without app verification
2021-03-23 23:48:13.179 9350-9453/com.new.added.app E/FirebaseAuth: [SmsRetrieverHelper] SMS verification code request failed: unknown status code: 17093 null
2021-03-23 23:48:13.192 9350-9350/com.new.added.app E/AuthUI: A sign-in error occurred.
com.google.firebase.auth.p: This request is missing a valid app identifier, meaning that neither SafetyNet checks nor reCAPTCHA checks succeeded. Please try again, or check the logcat for more details.
at c.c.a.d.f.h.tk.a(com.google.firebase:firebase-auth@@20.0.3:26)
at c.c.a.d.f.h.yl.a(com.google.firebase:firebase-auth@@20.0.3:1)
at c.c.a.d.f.h.zl.run(com.google.firebase:firebase-auth@@20.0.3:3)
at android.os.Handler.handleCallback(Handler.java:794)
at android.os.Handler.dispatchMessage(Handler.java:99)
at android.os.Looper.loop(Looper.java:176)
at android.app.ActivityThread.main(ActivityThread.java:6651)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:547)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:824)
I noticed that this happened on selected devices: I tried to run the release APK and it works with Xiaomi Redmi Note 2 SDK 21 (without SIM) and Mi 90T Pro SDK 29 (with SIM), but the error occurred with Redmi 5A (without SIM). I think it has to do with how SafetyNet works after enabling the Android Device Verification API. If someone can explain it, it will be very appreciated and helpful. TIA
Update:
I discovered that if the device bootloader was unlocked, even if it is not rooted, the Firebase Auth SafetyNet fails to work.
Reference:
https://forum.xda-developers.com/t/just-unlocking-the-bootloader-breakes-safety-net-and-make-device-unverified.4146761/
https://xiaomi.eu/community/threads/unlock-bootloader-and-banking-apps.56312/
Is there any workaround for this, since most non-advanced users may not be aware of this?
Upvotes: 2
Views: 3713
Reputation: 2299
If your device bootloader is in an unlocked state, then you need to lock it. I also faced a similar issue: in the case of an unlocked bootloader I was able to log in to the app, but reCAPTCHA was visible every time and the project URL was coming in the OTP SMS.
As per Firebase, the device will not pass SafetyNet checks if:
Android Device Verification in Cloud Console is not enabled for the app.
The user does not have Google Play Services support, or you are testing your app on an emulator.
Your device does not pass suspicion checks, meaning your device is rooted or the device bootloader is in UNLOCKED state.
In case of an unlocked bootloader, the user will be redirected to reCAPTCHA every time even if you have enabled Android Device Verification.
For more info about how to lock bootloader check this
Upvotes: 2
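How a backend that calls the SafetyNet Attestation API itself might interpret the verdict payload behind the checks listed above, as an added example that is not part of either post and is not Firebase's own logic. The field names are those of the SafetyNet attestation response; the token, certificate and nonce are constructed samples, and JWS signature verification is assumed to have been done beforehand.

```python
import base64
import hashlib
import json

def _b64url(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def evaluate_attestation(jws, expected_pkg, expected_cert_sha256, expected_nonce):
    """Return the reasons to distrust a SafetyNet verdict (empty list = accept).

    Assumption: the JWS signature and certificate chain were already verified;
    this function only interprets the payload and must not be used without that.
    """
    _header, payload_b64, _signature = jws.split(".")
    p = json.loads(_b64url(payload_b64))
    reasons = []
    if base64.b64decode(p.get("nonce", "")) != expected_nonce:
        reasons.append("nonce mismatch")
    if p.get("apkPackageName") != expected_pkg:
        reasons.append("package name mismatch")
    digests = [base64.b64decode(d) for d in p.get("apkCertificateDigestSha256", [])]
    if expected_cert_sha256 not in digests:
        reasons.append("signing certificate mismatch")
    if not p.get("basicIntegrity", False):
        reasons.append("basicIntegrity false")
    if not p.get("ctsProfileMatch", False):
        reasons.append("ctsProfileMatch false")
    # "advice" is a comma-separated hint list, e.g. the LOCK_BOOTLOADER in the log.
    reasons += ["advice: " + a for a in p.get("advice", "").split(",") if a]
    return reasons

def constructed_jws(payload: dict) -> str:
    """Build an UNSIGNED sample token (constructed test data, not a real verdict)."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join(enc(x) for x in (b'{"alg":"RS256"}',
                                     json.dumps(payload).encode(), b"no-signature"))

# Constructed sample values; only the package name comes from the question's log.
PKG = "com.new.added.app"
CERT = hashlib.sha256(b"constructed release certificate").digest()
NONCE = b"constructed-nonce-0001"
BASE = {"nonce": base64.b64encode(NONCE).decode(), "apkPackageName": PKG,
        "apkCertificateDigestSha256": [base64.b64encode(CERT).decode()],
        "basicIntegrity": True, "ctsProfileMatch": True}
UNLOCKED = constructed_jws({**BASE, "ctsProfileMatch": False, "advice": "LOCK_BOOTLOADER"})

if __name__ == "__main__":
    print(evaluate_attestation(constructed_jws(BASE), PKG, CERT, NONCE))
    print(evaluate_attestation(UNLOCKED, PKG, CERT, NONCE))
```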