Swiggy Karandeep Singh Sep 20, 2022

Consent Matters

Related OWASP risk: M6 Inadequate Privacy Controls

Article Summary

Swiggy's Android team faced a UX dilemma: auto-reading OTPs felt magical to some users, creepy to others. How do you balance convenience with transparency?

The Swiggy engineering team shares how they evolved their OTP verification approach from silent SMS reading to user-consented verification. This shift improved both user trust and conversion rates across login, signup, and payment flows.

Key Takeaways

Critical Insight

By switching to Google's SMS User Consent API, Swiggy gained user trust through transparency while improving payment success rates by 2%.

The article includes actual code snippets showing how to implement the BroadcastReceiver pattern for multi-SMS listening scenarios.

About This Article

Problem

The SMS Retriever API that Swiggy had been using couldn't handle OTPs that didn't match the expected message format. This became a real problem when linking third-party wallets or processing bank transactions, since each provider formats its messages differently.

Solution

Karandeep Singh's team switched to Google's SMS User Consent API. This approach can read any incoming SMS without needing to know its format beforehand, and only after the user has approved the read, so it works across the different banking and wallet providers.
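The consent-based flow described above, as an added Kotlin example (not Swiggy's code and not the snippets from the original article). The Play services calls (`startSmsUserConsent`, `SMS_RETRIEVED_ACTION`, `EXTRA_CONSENT_INTENT`, `EXTRA_SMS_MESSAGE`) are the real API; the activity name, the request code, the digit-run regex and the `onOtpReceived` / `onOtpUnavailable` hooks are assumptions made for illustration. The security-relevant point is visible in the structure: the broadcast never carries the message body, the app only sees the text after the user taps "Allow" in the system prompt, and a decline or timeout falls back to manual entry rather than reading the inbox by other means.

```kotlin
import android.app.Activity
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.os.Bundle
import com.google.android.gms.auth.api.phone.SmsRetriever
import com.google.android.gms.common.api.CommonStatusCodes
import com.google.android.gms.common.api.Status

// Assumption: the OTP is a 4-8 digit run somewhere in the message body.
// Adjust per provider; the API itself imposes no format on the message.
private val OTP_PATTERN = Regex("\\b(\\d{4,8})\\b")

// Pulls the first 4-8 digit run out of the message the user consented to share.
// Kept as a pure function so it can be unit-tested without Play services.
fun extractOtp(body: String): String? = OTP_PATTERN.find(body)?.groupValues?.get(1)

class OtpConsentActivity : Activity() {  // hypothetical activity name

    companion object {
        private const val SMS_CONSENT_REQUEST = 2001  // arbitrary request code
    }

    // Fires when Play services sees an incoming SMS. The broadcast contains a
    // Status and a consent Intent, never the message text itself.
    private val smsConsentReceiver = object : BroadcastReceiver() {
        override fun onReceive(context: Context, intent: Intent) {
            if (intent.action != SmsRetriever.SMS_RETRIEVED_ACTION) return
            val extras = intent.extras ?: return
            val status = extras.getParcelable<Status>(SmsRetriever.EXTRA_STATUS) ?: return
            when (status.statusCode) {
                CommonStatusCodes.SUCCESS -> {
                    // Launch the system prompt that shows the user the message
                    // and asks whether this app may read it.
                    val consentIntent =
                        extras.getParcelable<Intent>(SmsRetriever.EXTRA_CONSENT_INTENT)
                    if (consentIntent != null) {
                        startActivityForResult(consentIntent, SMS_CONSENT_REQUEST)
                    }
                }
                CommonStatusCodes.TIMEOUT -> onOtpUnavailable()  // no SMS in the window
            }
        }
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // SEND_PERMISSION restricts the receiver to broadcasts from Play services.
        // On targetSdk 34+ use the overload that takes RECEIVER_EXPORTED flags.
        registerReceiver(
            smsConsentReceiver,
            IntentFilter(SmsRetriever.SMS_RETRIEVED_ACTION),
            SmsRetriever.SEND_PERMISSION,
            null
        )
        // null = accept messages from any sender, which is what lets one flow
        // cover every bank and wallet; pass a number when you know the sender.
        SmsRetriever.getClient(this).startSmsUserConsent(null)
    }

    override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
        super.onActivityResult(requestCode, resultCode, data)
        if (requestCode != SMS_CONSENT_REQUEST) return
        if (resultCode == RESULT_OK && data != null) {
            // Only now does the app see the message body, and only this one message.
            val message = data.getStringExtra(SmsRetriever.EXTRA_SMS_MESSAGE)
            val otp = message?.let { extractOtp(it) }
            if (otp != null) onOtpReceived(otp) else onOtpUnavailable()
        } else {
            // User declined: respect it and show the manual entry field.
            onOtpUnavailable()
        }
    }

    override fun onDestroy() {
        unregisterReceiver(smsConsentReceiver)
        super.onDestroy()
    }

    // Hypothetical app hooks. Submit the OTP to the server over TLS and do not
    // write it to logs or analytics.
    private fun onOtpReceived(otp: String) { /* fill the field and verify */ }
    private fun onOtpUnavailable() { /* show manual entry */ }
}
```

Because the consent prompt is rendered by Play services rather than by the app, the app cannot skip it or pre-approve it, which is what makes the flow transparent to the user without requiring the `READ_SMS` permission.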

Impact

After the rollout, OTP verification worked smoothly for signups, logins, wallet linking, and bank transactions. The team didn't receive a single complaint from users.