Google announced today that it has made a new reCAPTCHA API available for Android.
The API is part of Google Play Services, Google said, and developers can now add the verification to mobile applications to distinguish between bots and human users.
The technology is more than a decade old and supplements authentication to a website. In the past, users had to decipher distorted text and enter it into a CAPTCHA to authenticate to a site. That evolved into identifying street signs and other images to prove to the application that a user was a human, and not an automated spammer or malicious program, for example.
The Android API will use Google’s Invisible reCAPTCHA, released this year, which now validates users in the background, forgoing the usual interaction users are familiar with.
“It will use our newest Invisible reCAPTCHA technology, which runs risk analysis behind the scene and has enabled millions of human users to pass through with zero click everyday,” said Wei Lu of Google’s reCAPTCHA team. “Now mobile users can enjoy their apps without being interrupted, while still staying away from spam and abuse.”
The Android API will be included with Google SafetyNet, a set of other security services and APIs that protect apps against device tampering, malicious URLs and harmful applications. The Safe Browsing API and Verify Apps API are also part of SafetyNet.
“Mobile developers can do both the device and user attestations in the same API to mitigate security risks of their apps more efficiently,” Lu said.
CAPTCHA systems are meant to be a barrier for spam bots and other automated crawlers. Humans were originally required to type in a word or phrase presented to them in a log-in dialogue box before being authenticated to the service. ReCAPTCHA’s release in 2007 was meant to simplify the experience for users.
A user’s reCAPTCHA experience requires clicking a checkbox attesting they are not a bot. Machine learning capabilities will either pass the user through or present a traditional CAPTCHA to ensure they are breathing person. Invisible reCAPTCHA does not require the checkbox, and only suspicious traffic is supposed to trigger a CAPTCHA verification requirement.
“The integration requires developers to set up Google Play services in their project and connect to Google API client before they invoke the reCAPTCHA API,” says a post on Google’s developer site. “This will either pass the user immediately (with No CAPTCHA) or challenge them to validate whether they’re human.”