I’m building an Android app where OTPs (received via SMS) need to be redirected from a primary device to a companion device for approval. The flow is as follows:
- The “normal” user receives an OTP SMS on their device.
- The OTP is programmatically redirected to a “companion” user/device, who can then approve or reject the action.
- This setup may be used for different apps (so the OTPs could be for various services).
My questions:
- Which core functionality should I select in the Google Play Permissions Declaration Form for RECEIVE_SMS? The closest match seems to be “Connected device companion apps (for example, smartwatch or automotive)”, but I’m unsure if my use case fits, especially since the companion might not always be the same Google account/user as the primary device.
- Does Google Play policy allow SMS permissions for OTP redirection/approval if the companion and primary users are different people (not the same account)?
- Are there alternative architectures or APIs (such as SmsRetriever) that would allow me to implement this functionality without requesting SMS permissions, especially for cross-user/device scenarios?
- If my use case is not compliant, what is the recommended way to handle OTP approvals across devices/users without risking Play Store rejection?
Additional context:
- I’ve reviewed the Google Play policy on SMS/Call Log permissions, but the requirements around cross-device/cross-user scenarios are not clear.
- My app was rejected with the message:
*“You declared that your permission use case is the core functionality of your app. However, after review, we found that your app does not match the declared use case(s).”*
Any advice or code samples for a compliant implementation would be greatly appreciated!