baumblatt / capacitor-firebase-auth

Capacitor Firebase Authentication Plugin
MIT License

Phone auth doesn't work with custom android ROMs #167

Closed hermitdemschoenenleben closed 3 years ago

hermitdemschoenenleben commented 3 years ago

first of all: thanks for this great plugin!

I'm using it for an app that now has a few thousand users and in principle everything works fine. I do receive some bug reports of users not being able to log in, though, and it turns out that they are all using custom Android ROMs (mainly LineageOS).

When inspecting the logcat of a lineageos device, I found these lines:

05-26 13:23:57.216  6307  6307 E zzbf    : SafetyNet Attestation fails basic integrity.
05-26 13:23:57.818  6307 14612 E FirebaseAuth: [GetAuthDomainTask] Error getting project config. Failed with INVALID_CERT_HASH 400
05-26 13:23:57.913  6307  6307 E zzf     : Failed to get reCAPTCHA token with error [There was an error while trying to get your package certificate hash.]- calling backend without app verification
05-26 13:23:58.308  6307  6307 W PhoneProviderHandler: PhoneAuth:onVerificationFailed:com.google.firebase.auth.FirebaseAuthException: This request is missing a valid app identifier, meaning that neither SafetyNet checks nor reCAPTCHA checks succeeded. Please try again, or check the logcat for more details.

In order to fix the problem, I

but the problem persists. Do you have any ideas on what may be causing this or how to fix this issue?

(I also asked a question at Stack Overflow, but no answer so far: https://stackoverflow.com/questions/67704160/firebase-phone-auth-doesnt-work-on-lineageos )

hermitdemschoenenleben commented 3 years ago

ok, I found the problem: it is not caused by capacitor-firebase-auth (sorry for the issue)

For some reason, google-services.json did not include my play store signing SHA1 key, despite it being present in firebase admin console. Solution: I removed the SHA1 key and added it again... Afterwards, google-services.json included my release SHA1 and phone auth works even on lineageos.

Apparently SHA256 is required for phone verification using SafetyNet, which works on standard Androids, and SHA1 is only required for the reCAPTCHA flow, which is required on non-standard Androids. This explains why it worked for the vast majority of users.
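The failure above (INVALID_CERT_HASH on the reCAPTCHA fallback while SafetyNet-capable devices kept working) is the kind of thing that is cheap to catch before a release: compare the SHA-1 fingerprint of the certificate you actually sign with against what the shipped google-services.json registers. The script below is an added example, not code from capacitor-firebase-auth or from the issue reporter. It reads the real layout of google-services.json (the SHA-1 lives in client[].oauth_client[].android_info.certificate_hash as lowercase hex without colons, client_type 1 being the Android client), but the package name, the JSON document and the two fingerprints in it are constructed for the demo and correspond to no real app; in practice the fingerprint comes from `keytool -list -v -keystore release.jks` or from the Play Console's "App signing key certificate" page.

```python
"""Verify that google-services.json registers the SHA-1 of the certificate the
release build is signed with (needed by Firebase phone auth's reCAPTCHA fallback).

Added example; not part of capacitor-firebase-auth.  SAMPLE_GOOGLE_SERVICES,
the package name and both fingerprints are constructed for this demo.
"""
import hashlib
import json
import re

# Constructed google-services.json: only a debug-keystore SHA-1 is registered,
# which is the situation the issue reporter hit with a stale download.
SAMPLE_GOOGLE_SERVICES = json.loads("""
{
  "project_info": {"project_id": "demo-project"},
  "client": [
    {
      "client_info": {
        "mobilesdk_app_id": "1:000000000000:android:0000000000000000",
        "android_client_info": {"package_name": "com.example.demo"}
      },
      "oauth_client": [
        {
          "client_id": "debug-client.apps.googleusercontent.com",
          "client_type": 1,
          "android_info": {
            "package_name": "com.example.demo",
            "certificate_hash": "0123456789abcdef0123456789abcdef01234567"
          }
        },
        {"client_id": "web-client.apps.googleusercontent.com", "client_type": 3}
      ]
    }
  ],
  "configuration_version": "1"
}
""")

PACKAGE_NAME = "com.example.demo"
# Constructed fingerprints in the colon-separated form keytool / Play Console print.
DEBUG_SHA1_FINGERPRINT = "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67"
RELEASE_SHA1_FINGERPRINT = "FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10:FE:DC:BA:98"


def normalize_fingerprint(fp: str) -> str:
    """'AB:CD:...' (keytool / Play Console style) -> lowercase hex without colons,
    the form google-services.json stores in certificate_hash."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", fp).lower()
    if len(hexdigits) not in (40, 64):  # SHA-1 is 20 bytes, SHA-256 is 32 bytes
        raise ValueError("not a SHA-1/SHA-256 fingerprint: %r" % fp)
    return hexdigits


def fingerprint_from_der(der: bytes, algo: str = "sha1") -> str:
    """Fingerprint of a DER-encoded certificate; keytool prints this same digest
    (with colons, upper-case).  Feed it the cert bytes extracted from the APK
    or keystore if you would rather not paste keytool output."""
    return hashlib.new(algo, der).hexdigest()


def registered_sha1_hashes(config: dict, package_name: str) -> set:
    """All certificate_hash values registered for package_name in the Android
    (client_type 1) oauth_client entries of a parsed google-services.json."""
    hashes = set()
    for client in config.get("client", []):
        for oc in client.get("oauth_client", []):
            info = oc.get("android_info")
            if info and info.get("package_name") == package_name:
                h = info.get("certificate_hash")
                if h:
                    hashes.add(h.lower())
    return hashes


def check_signing_cert(config: dict, package_name: str, sha1_fingerprint: str) -> dict:
    """Report whether sha1_fingerprint is registered for package_name.  Only SHA-1
    is accepted: that is the hash the reCAPTCHA app-verification path checks."""
    wanted = normalize_fingerprint(sha1_fingerprint)
    if len(wanted) != 40:
        raise ValueError("certificate_hash holds SHA-1; pass the SHA-1 fingerprint")
    found = registered_sha1_hashes(config, package_name)
    return {"registered": wanted in found, "wanted": wanted, "registered_hashes": sorted(found)}


if __name__ == "__main__":
    for label, fp in (("debug", DEBUG_SHA1_FINGERPRINT), ("release", RELEASE_SHA1_FINGERPRINT)):
        report = check_signing_cert(SAMPLE_GOOGLE_SERVICES, PACKAGE_NAME, fp)
        status = "OK" if report["registered"] else "MISSING -> re-add SHA-1 in Firebase console, re-download google-services.json"
        print("%-7s %s %s" % (label, report["wanted"], status))
```

Run it against the google-services.json bundled in the release build (not the one in the developer's checkout) with the Play App Signing fingerprint, since that is the certificate end users' installs carry. Note that this only verifies the SHA-1 side, which is what the reCAPTCHA fallback on custom ROMs needs; the SHA-256 registered in the console for the SafetyNet path is not checked here.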