Android 15 could prevent apps from eavesdropping on the most critical notifications.

Stop spying apps

Third-party apps could be prevented from intercepting SMS containing 2FA codes.

Almost all major apps and services now use one-time passwords (OTPs) sent over SMS as a security measure. While they are less secure than using a 2FA app, they remain popular because they are simple and easy to use. Additionally, many websites and services do not offer any alternative two-factor authentication method. The difficulty is that on Android, granting an app notification access allows it to read these OTPs as they arrive, posing a severe security risk. This may change in Android 15, as Google moves to prevent untrusted apps from accessing such SMS notifications.

Mishaal Rahman, an Android expert writing for Android Authority, discovered a new RECEIVE_SENSITIVE_NOTIFICATIONS permission in Android 14 QPR3 Beta 1. With a “protectionLevel” of “role|signature,” the permission can only be granted to apps that are signed with the OEM's platform key or that hold a designated role.

While nothing is confirmed yet, Rahman believes that Google is unlikely to grant third-party apps access to this permission, because it is tied to a new in-development feature that will prohibit untrusted apps from accessing sensitive notifications.

Google does not explicitly label messages containing 2FA codes as sensitive in any of the permissions. However, Rahman also highlighted the discovery of an “OTP_REDACTION” flag in Android 14 for “the redaction of OTP notifications on the lock screen.” This flag is not active in Android 14, but Google may activate it in Android 15 later this year. Taken together, these changes appear to hint at the company restricting access to OTP SMS to specific permitted apps.

Google has made significant progress in strengthening the security and privacy of Android users in recent years. Preventing third-party apps from intercepting OTP texts could be another step in that direction, especially since Android malware frequently exploits this mechanism.

Currently, any Android app with notification access can intercept and read an SMS containing a one-time password, posing a significant privacy concern. This security feature is expected to stop third-party apps from automatically reading OTPs and entering them on a payment page, a common behavior in many apps, including Amazon, in regions where an OTP is required for payment verification.
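Until such a restriction ships, the practical defence is to know which apps already hold notification access on a device. The following script is an added example, not code from the article or from Google: it reads the same Android secure setting that stores enabled notification listeners (over adb when asked to) and lists the packages that can currently read OTP notifications; the sample value is constructed, and a single attached device with USB debugging is assumed for the live mode.

```shell
#!/bin/sh
# Audit which apps hold notification access on an Android device.
# Android stores enabled NotificationListenerService components in the
# secure setting "enabled_notification_listeners" as a colon-separated
# list of ComponentNames, e.g. "com.a/com.a.Svc:com.b/.Svc".

# Print one package name per line from a raw setting value.
# An empty value or the literal "null" (no listeners) prints nothing.
parse_listeners() {
    raw="$1"
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$raw" | tr ':' '\n' | sed 's#/.*##' | grep -v '^$' | sort -u
}

# Number of distinct packages with notification access in a raw value.
count_listeners() {
    parse_listeners "$1" | grep -c .
}

# Live mode: pull the value from a connected device (assumes adb on PATH).
audit_device() {
    raw="$(adb shell settings get secure enabled_notification_listeners 2>/dev/null | tr -d '\r')"
    parse_listeners "$raw"
}

# Constructed sample value, not captured from a real device.
SAMPLE='com.example.wearcompanion/com.example.wearcompanion.ListenerService:com.example.sms_autofill/.NotifService'

if [ "${1:-}" = "--device" ]; then
    echo "Packages with notification access (connected device):"
    audit_device
else
    echo "Packages with notification access (constructed sample):"
    parse_listeners "$SAMPLE"
fi
```

Run it with `--device` against a phone to see the real list; any package there can read an incoming OTP notification today, whatever Android 15 eventually restricts.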

Google may discuss this new security feature when it publicly introduces Android 15 at Google I/O 2024 later this year.
