Description:
Hello,
I’m using reCAPTCHA Enterprise in my Android app. Everything works correctly when the app is installed directly from Android Studio or via a locally signed APK. However, when I distribute the app via Google Play Console (App Tester or internal testing), the reCAPTCHA flow fails with a “Site key invalid” error and shows an endless loading spinner.
• The reCAPTCHA API is configured in Project B in Google Cloud.
• The Android app is associated with Project A in Google Cloud.
• The site key is configured with the correct package name, and the SHA-1 fingerprints (including the Google Play app signing certificate) have been added under API key restrictions.
• Play Integrity API is not currently enabled in Project B where reCAPTCHA is configured.
Questions:
1. Can reCAPTCHA be used across different Google Cloud projects (i.e., app in Project A using reCAPTCHA from Project B)? I have a login module that is shared across multiple apps.
2. Why does it work when sideloaded but not from the Play Console (Firebase app distribution)?
The Invalid Sitekey issue is most likely due to not having configured the correct package name for that site key. Or using an "OnPlay" site key on a non-GMSCore device, such as a device in China or a Fire device, etc.
reCAPTCHA operates independently of Firebase's relationship with an app, so that shouldn't have anything to do with it.
Thanks for the reply!
1. It can't be the package name, it's correct, and to check it even more, I disabled the package name verification - still getting the `Site key Invalid`.
2. I am getting that error on my physical phone, with Google Services and I am not in China.
Do you know if there are some additional checks for compatibility like SHA-1 fingerprints in Google Cloud project inside the Android SDK?
I implemented reCAPTCHA already in project B inside a different app. In project B in the console, I have the reCAPTCHA API configured.
In project A, I have a new app where the problem occurs.
Any thoughts?
The SDK does not check for ownership of the app in those ways. The requirement is that the site key match the package configuration and what is sent by the app. I know you have checked, but there is probably a mismatch (copy paste error etc).
If you post your site key and what you believe your package name is I will try to take a look at our logs.
You state that the package name is incorrect, but as I said, the error still occurs even though I disabled `package name verification`. So it can't be the package. If it's not the package, then there are some additional requirements for the site key to match. Are there some Play Integrity checks during the recaptcha token retrieval on the Android side?
Post a site key? Do you mean posting a name or the value of a site key? I believe it's not safe to share the site key here.
Project name: KingsChat
Site key name: Android Production Kingspay
Site key required package name: com.kingschat.kingspay
My app package name: com.kingschat.kingspay
We don't view sitekeys as sensitive. They are easily found in binaries (and even appear in the HTML of every website using reCAPTCHA). Is it possible you are trying to use the old key from your Android v2 integration (ends with k9xAO)? That would also cause this issue.
It looks like you created new V3 keys yesterday and have assessments attached to them.
If so, this is the key I try to use:
*******************************.
I'm certain I don't use the old key from SafetyNet for the new reCAPTCHA Enterprise client. You can see that the key I mentioned is displayed as correctly integrated. It is working fine, but not on the builds that are signed by Google Play. On my local builds (staging/production and release builds) it works fine.
I looked through the logs for events related to that sitekey or related to your package name. I see lots of "no network" errors from your Robolectric tests, and some success from an emulator, but no exceptions for bad sitekeys. There are fewer than 100 attempts to init the SDK.
So not really sure what is going on with your app.
Yep, it's not released to the whole audience, that's why there are not many attempts.
Am I able to see those logs also somewhere in the console? 🤔
Hey @markcorner , are you sure that it's possible to use a site key from outside the app project on Google Cloud?
It is weird that the reCAPTCHA works when the same app build is signed locally (release key from Android Studio), but when installed through Internal App Sharing (Google Play) it doesn't work and returns "Invalid Site Key".
Any thoughts on why I have such behaviour?
"use a site key from outside the app project on Google Cloud" -> What does this mean? The sitekey is attached to your Google Cloud project. What do you mean by "app project"?
I am not sure what effect Internal App Sharing would have on reCAPTCHA. As I said, we don't see any logs from that sitekey or bundle identifier other than the ones I mentioned.
The SDK will return bad sitekey locally, without contacting our server and thus no logs, if you try to init the SDK with a different sitekey after initializing it once. Perhaps it also does if the sitekey is blank.
You should check the exception code as well.
All problems were my fault. It was not a problem of Play App Signing, but of building the app on the CI system. My service account used on CI didn't have the permissions to access the reCAPTCHA site key. So as a result, the site key I was using on that build was empty.
Thanks for the help @markcorner and sorry for taking your time.
No worries, I am glad you sorted it out. Perhaps this will help someone in the future.