Mobile number will be entered in an edittext by the user on the registration page in my Android application. How can I check that the user entered his/her own mobile number and not someone else's?
Getting the phone number using getLine1Number() is neither secure nor certain.
It is generally accepted because this whole "getting the phone number" is a clash of multiple issues such as the user's privacy, the carrier's branding, and even the vendor's.
Anyway, unlike iOS, Android's android.provider.Telephony.SMS_RECEIVED makes the whole process very convenient and seamless to the user: you get to capture the SMS and read it without any need for the user's intervention.
What is one way of doing it?
On your server, upon receiving the request to verify a phone number, you should generate a secret code, tokenSent, and send it to the app. Now, your server should send this code by SMS to the specified phone number. The app by now should have a registered receiver listening for the android.provider.Telephony.SMS_RECEIVED intent. Once received, the app verifies that the tokenSent is identical to what it received from the server. At this point, phone registration is done and the server can be notified.
What could go wrong?
Generally, such apps are usually paid apps and it is not in the user's interest to attempt anything. Still, the user might enter a wrong number which he has at hand right now. Then upon receiving the SMS, he could forward it to the mobile where the app is registering. The app will then receive the tokenSent and wrongly verify the phone number.
How can we tackle this?
The feasibility of the solution depends on whether the SMS provider allows your server to know the sender's phone number. This is probably (AFAIK) not gonna happen, but if it does then you're in luck. That way, the app can, upon receiving the tokenSent, send it back to the server along with the sender of the SMS. The server can then verify that this is the SMS that originated from your service provider.
Any more feasible solution? (If I am really paranoid)
In this case, the best solution, I believe, would be to request a tokenSent from your server. The server saves a generated tokenSent along with the phone number entered and sends this token to the app. The app notifies the user that registration will cost him 1 SMS. Once the user accepts, you can easily send an SMS in the background containing this tokenSent to a certain service. The server, once it receives this tokenSent, verifies the user using the token and the sender of the SMS. Of course, this may seem a bit harassing and infringing on the user, but it is the most secure way, especially for such a paranoid (reading this part).
Formalities :P
Add Permissions in Manifest
Register the receiver
(Do this just before you send the sms to the phone)
    registerReceiver(new BroadcastReceiver() {
        @Override
        public void onReceive(Context context, Intent intent) {
            if (intent.getExtras() != null) {
                Object[] pdus = (Object[]) intent.getExtras().get("pdus");
                SmsMessage[] msgs = new SmsMessage[pdus.length];
                for (int i = 0; i < pdus.length; i++) {
                    msgs[i] = SmsMessage.createFromPdu((byte[]) pdus[i]);
                    // Compare the SMS body with the tokenSent obtained from the server
                    if (msgs[i].getMessageBody().contains(tokenSent)) {
                        // Phone number verified: notify the server here
                    }
                }
            }
        }
    }, new IntentFilter("android.provider.Telephony.SMS_RECEIVED"));
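The server side of the "paranoid" flow above, as an added example that is not part of the original answer: the server binds a tokenSent to the number the user typed and later accepts an inbound SMS only if the token is fresh, unused, and sent from that same number (so a forwarded or wrongly entered number fails). The in-memory store, the five-minute TTL and the phone numbers are assumptions for illustration.

```python
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 300  # assumption: a tokenSent is only valid for five minutes


class PhoneVerifier:
    """Server-side bookkeeping for the 'paranoid' flow: a tokenSent is bound to
    the phone number the user entered, and an inbound SMS verifies that number
    only when the token matches AND the SMS sender is that same number."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested offline
        # Constructed in-memory store (phone -> record); a real server would
        # keep this in a database with the same fields.
        self._pending = {}

    def issue_token(self, phone):
        """Step 1: the app asks for a token for the number the user entered."""
        token = secrets.token_hex(16)
        self._pending[phone] = {
            "token": token,
            "expires": self._now() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def verify_inbound_sms(self, sender, body):
        """Step 2: the SMS service hands us the sender number and message body.
        True only for an unexpired, unused token sent from the number it was
        issued for; anything else is rejected without consuming the token."""
        token = body.strip().encode()
        for phone, rec in self._pending.items():
            # Constant-time compare so timing does not leak which token is pending.
            if not hmac.compare_digest(rec["token"].encode(), token):
                continue
            if rec["used"] or self._now() > rec["expires"]:
                return False
            if sender != phone:
                # SMS came from a different handset than the number typed in:
                # the forwarded-SMS case from "What could go wrong?".
                return False
            rec["used"] = True  # single use: replaying the same SMS is rejected
            return True
        return False
```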