The SafetyNet service includes a reCAPTCHA API that you can use to protect your
app from malicious traffic.
reCAPTCHA is a free service that uses an advanced risk analysis engine to
protect your app from spam and other abusive actions. If the service suspects
that the user interacting with your app might be a bot instead of a human, it
serves a CAPTCHA that a human must solve before your app can continue executing.
This document explains how to integrate the reCAPTCHA API from SafetyNet into
your app.
Additional terms of service
By accessing or using the reCAPTCHA API, you agree to the
Google APIs Terms of
Service
and to the following reCAPTCHA
Terms of Service.
Please read and understand all applicable terms and policies before accessing
the APIs.
reCAPTCHA Terms of Service
You acknowledge and understand that the reCAPTCHA API works by collecting
hardware and software information, such as device and application data and the
results of integrity checks, and sending that data to Google for analysis.
Pursuant to Section 3(d) of the Google APIs Terms of Service, you agree that if
you use the APIs that it is your responsibility to provide any necessary notices
or consents for the collection and sharing of this data with Google.
Register a reCAPTCHA key pair
To register a key pair for use with the SafetyNet reCAPTCHA API, navigate to the
reCAPTCHA Android signup site
,
then complete the following sequence of steps:
In the form that appears, provide the following information:
- Label:
A unique label for your key. Typically, you use the name of
your company or organization.
- reCAPTCHA type:
Select
reCAPTCHA v2
, then
reCAPTCHA Android
.
- Packages:
Provide the package name of each app that uses this
API key. In order for an app to use the API, the package name that you
enter must exactly match the app's package name. Enter each
package name on its own line.
- Owners:
Add an email address for each individual in your organization
who monitors your app’s reCAPTCHA assessments.
Select the
Accept the reCAPTCHA Terms of Service
checkbox.
Send alerts to owners:
Select this checkbox if you want to receive
emails about the reCAPTCHA API, then click
Submit
.
On the page that appears
next, your public and private keys appear under
Site key
and
Secret
key
, respectively. You use the site key when you
send the verify
request
, and you use the secret key when you
validate the
user response token
.
Add the SafetyNet API dependency
Before using the reCAPTCHA API, add the SafetyNet API to your project.
If you are using Android Studio, add this dependency to your app-level Gradle
file. For more information, see
SafetyNet API setup
.
Use the reCAPTCHA API
This section describes how to call the reCAPTCHA API to send a CAPTCHA
verification request and receive the user response token.
Send the verify request
To invoke the SafetyNet reCAPTCHA API, you call the
verifyWithRecaptcha()
method. Usually, this method corresponds to the user's selecting a UI element,
such as a button, in your activity.
When using the
verifyWithRecaptcha()
method in your app, you must do the following:
- Pass in your API site key as a parameter.
- Override the
onSuccess()
and
onFailure()
methods to handle both possible outcomes of the verification request task. In
particular, if the API passes an instance of
ApiException
into
onFailure()
,
you need to handle each possible status code that you can retrieve using
getStatusCode()
.
The following code snippet shows how to invoke this method:
Kotlin
fun onClick(view: View) {
SafetyNet.getClient(this).verifyWithRecaptcha(
YOUR_API_SITE_KEY
)
.addOnSuccessListener(this as Executor, OnSuccessListener { response ->
// Indicates communication with reCAPTCHA service was
// successful.
val userResponseToken = response.tokenResult
if (response.tokenResult?.isNotEmpty() == true) {
// Validate the user response token using the
//
reCAPTCHA siteverify API
.
}
})
.addOnFailureListener(this as Executor, OnFailureListener { e ->
if (e is ApiException) {
// An error occurred when communicating with the
// reCAPTCHA service.
Refer to the status code
to
// handle the error appropriately.
Log.d(TAG, "Error: ${CommonStatusCodes.getStatusCodeString(e.statusCode)}")
} else {
// A different, unknown type of error occurred.
Log.d(TAG, "Error: ${e.message}")
}
})
}
Java
public void onClick(View v) {
SafetyNet.getClient(this).verifyWithRecaptcha(
YOUR_API_SITE_KEY
)
.addOnSuccessListener((Executor) this,
new OnSuccessListener<SafetyNetApi.RecaptchaTokenResponse>() {
@Override
public void onSuccess(SafetyNetApi.RecaptchaTokenResponse response) {
// Indicates communication with reCAPTCHA service was
// successful.
String userResponseToken = response.getTokenResult();
if (!userResponseToken.isEmpty()) {
// Validate the user response token using the
//
reCAPTCHA siteverify API
.
}
}
})
.addOnFailureListener((Executor) this, new OnFailureListener() {
@Override
public void onFailure(@NonNull Exception e) {
if (e instanceof ApiException) {
// An error occurred when communicating with the
// reCAPTCHA service.
Refer to the status code
to
// handle the error appropriately.
ApiException apiException = (ApiException) e;
int statusCode = apiException.getStatusCode();
Log.d(TAG, "Error: " + CommonStatusCodes
.getStatusCodeString(statusCode));
} else {
// A different, unknown type of error occurred.
Log.d(TAG, "Error: " + e.getMessage());
}
}
});
}
Validate the user response token
When the reCAPTCHA API executes the
onSuccess()
method, the user has successfully completed the CAPTCHA challenge. However, this
method only indicates that the user has solved the CAPTCHA correctly. You still
need to validate the user's response token from your backend server.
To learn how to validate the user's response token, see
Verifying the user's
response
.