firebase-auth-ktx: Users being erroneously signed out since 23.2.1

[dlgrech]

[READ] Step 1: Are you in the right place?

Yep - this is about a specific firebase-auth library version

[REQUIRED] Step 2: Describe your environment

• Android Studio version: Narwhal 2025.1.1 RC 1
• Firebase Component: firebase-auth-ktx (Database, Firestore, Storage, Functions, etc)
• Component version: com.google.firebase:firebase-auth-ktx:23.2.1

[REQUIRED] Step 3: Users being erroneously signed out since 23.2.1

Steps to reproduce:

We're getting a deluge of reports of users being signed out (that is, their firebase auth currentUser becoming null despite recently authenticating).

I can see in adb logs that my FirebaseAuth.AuthStateListener is firing with a null currentUser property.

I also see this being logged by the auth SDK internally:

D FirebaseAuth: Notifying id token listeners about a sign-out event.
D FirebaseAuth: Notifying auth state listeners about a sign-out event.

I was previously using 23.2.0 with no problems. I see in the changelog for 23.2.1 that this version added "Enhanced security by adding encryption to Firebase Authentication data inside Android persistent storage.".

I suspect this encryption/decryption is failing for some users and reporting that the user is no longer logged in.

I have tried downgrading the library but this will seem to force all existing users to log in again (presumably because the newer library version was storing things in an encrypted fashion that older versions cannot decrypt), so i'm stuck here with no recourse for these users.

Relevant Code:

I'm detecting this situation with a FirebaseAuth.AuthStateListener

Firebase.auth.addAuthStateListener {
  val hasAuthToken = auth.currentUser != null
  // Log here..
}

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[pamartineza]

@dlgrech same situation here.

I have noticed that many users reporting this issue have just changed to a new device.

Could it be related to the user preferences backup migrated from the previous device not working on the new device?

[dlgrech]

Could certainly be! I've disabled backups in our latest version, and also trying to clear all shared_pref files on logout too.

Hopefully it helps stop users running into it, but it'd be great to get some recourse in the SDK itself as well :D

[lehcar09]

Hi @dlgrech, thank you for reaching out. I tried reproducing the issue, however, I did not encounter the behavior where the user is signed out.

By any chance, where you able to reproduce the issue? Or have you observed if there's an action that's causing this? Could you share what method are you using?

Based on our release notes, I suspect that this could be due to the enhanced security on the data inside Android persistent storage.

[dlgrech]

Hi @lehcar09!

I'm not able to organically reproduce it, but the way i've been simulating it is to:

• Build an app with v23.2.1 of the firebase-auth-ktx library, and log in (im using phone auth, but I suspect any auth method would do)
• Verify a com.google.firebase.auth.api.Store.** shared_prefs file is created with an ENCRYPTED: value
• Build the app with v23.2.0 of the firebase-auth-ktx library and start the app
• Observe that a Firebase.auth.addAuthStateListener {} receives a callback with currentUser == null (presumably because reading the stored encrypted token values can not be decrypted).

[pamartineza]

@dlgrech @lehcar09 I bring some more data pointing to encrypted prefs being the culprit.

• Users contact us via customer support because every time they enter the app (cold start), they have to sign in again, or if they were just anonymous users, they have lost all their favorites/user data. (Lost forever, anonymous users can't be linked again with their data stored in Firebase using their UID)

• We have verified that 100% users reporting the problem have just changed to a new device.

• If they delete the app and reinstall it, the login issue persists

• If they go to "Settings > Applications > our application > Storage and Cache" and delete the memory and cache, the issue disappears, and they have no more login problems. (The login state is persisted successfully)

What I guess is happening is the Encrypted Preferences containing the login state are backed up in the old device and restored in the new device, but the App instance in the new device can't read them, probably because the encryption key is derived or stored somehow in the old device, and the new device derives a different key or simply is not part of the restored data.

As a result, every time they open the app (cold start), a new anonymous Firebase user is created, and from the user's point of view, "all the data seems to have disappeared."

While we wait for a fix from the Firebase team, we have decided to disable backups, just in case more devs want to know how:

In your AndroidManifest.xml add these lines

android:allowBackup="false"
android:fullBackupContent="false"
android:dataExtractionRules="@xml/data_extraction_rules"

In the xml/data_extracion_rules.xml

<data-extraction-rules>
    <cloud-backup include="false" />
    <device-transfer include="false" />
</data-extraction-rules>

[lehcar09]

Thank you for those details @dlgrech and @pamartineza. I was able to replicate the behavior. Per checking, this was indeed related to the security enhancement that was released in the version 23.2.1.

Let me raise this to our engineers to see what we can do here. Thanks!