Summary
- Android could enhance security by restricting sensitive notification access to authorized apps, preventing OTP interception by third-party apps.
- New “receive sensitive notifications” permission in Android 14 QPR3 Beta 1 could be a step toward protecting sensitive information like OTPs.
- Google’s potential move to block untrusted apps from viewing OTP notifications shows commitment to user security and privacy.
One-time passwords (OTPs) over SMS have become a common security option across almost all major apps and services. While basic and less secure than using a 2FA app, they are popular because of their simplicity and ease of use. Plus, many websites and services don’t support alternative two-factor authentication methods. The problem is that on Android, when you give notification access to an app, it can also intercept sensitive OTPs, posing a significant security risk. This might change in Android 15, with Google preventing untrusted apps from accessing such SMSes.
Android guru Mishaal Rahman, writing for Android Authority, reveals finding a new RECEIVE_SENSITIVE_NOTIFICATIONS permission in Android 14 QPR3 Beta 1. Because its “protectionLevel” is “role|signature,” only apps signed with the OEM's platform key or apps explicitly assigned a matching role can hold it and view the notification; ordinary third-party apps cannot request it.
While not yet clear, Rahman speculates that Google is unlikely to provide third-party apps access to this permission. This is due to the permission being linked to a new in-development feature that would prevent untrusted apps from accessing sensitive notifications.
Google does not explicitly mention texts with 2FA codes as sensitive in any of the permissions. However, Rahman highlights finding an “OTP_REDACTION” flag in Android 14 for “the redaction of OTP notifications on the lock screen.” This flag is not active in Android 14, but Google could enable it with Android 15 later this year. All these changes purportedly point to the company restricting access to OTP texts to selected authorized apps.
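The OTP_REDACTION flag described above concerns hiding a one-time code from the lock-screen preview. The following is an added example, not Android's implementation and not from the article: a conservative heuristic that redacts a likely one-time code from notification text only when the message also carries OTP context words, so tracking numbers, prices and phone numbers are left alone. The sample messages are constructed.

```python
"""Heuristic OTP redaction for notification text (added example, not Android's code).

The platform's own OTP_REDACTION logic is not described in the article; this is a
simple stand-in that hides a probable one-time code from a preview line while
leaving ordinary numbers untouched. Over-redaction is the safe failure mode here,
so the heuristic prefers hiding too much over leaking a code.
"""
import re

# Words that typically accompany a one-time code. Without one of these the text
# is left untouched, so tracking numbers and prices are not mangled.
CONTEXT = re.compile(r"\b(code|otp|passcode|pin|token|verification|verify)\b",
                     re.IGNORECASE)

# A 4-8 digit group, or a 3+3 group split by a space or hyphen, that is not part
# of a longer digit run. The lookarounds stop phone numbers such as 555-123-4567
# and 10-digit account numbers from being treated as codes.
CODE = re.compile(r"(?<![\d-])(?:\d{3}[ -]\d{3}|\d{4,8})(?![\d-])")

PLACEHOLDER = "[redacted]"


def redact_otp(text):
    """Return (redacted_text, found). Redacts only when OTP context words appear."""
    if not CONTEXT.search(text):
        return text, False
    redacted, count = CODE.subn(PLACEHOLDER, text)
    return redacted, count > 0


if __name__ == "__main__":
    # Constructed sample notification bodies.
    for msg in (
        "Your Amazon verification code is 482913. Do not share it.",
        "Use 123-456 as your login code",
        "Your package 12345678 has shipped",
        "Call 555-123-4567 to verify your account",
    ):
        print(redact_otp(msg))
```

A real redactor would also cover codes split into more groups and localized keywords; the point of the example is that the keyword gate and the digit-run lookarounds together decide what is hidden, and tightening either one changes which messages leak.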
Google has made huge strides in improving the security and privacy of Android users in the last few years. Preventing third-party apps from intercepting OTP texts could be another move in that direction, especially since Android malware tends to abuse this method.
Right now, any Android app with notification access can intercept and read texts containing a one-time password, posing a major privacy risk. The flip side is that this security feature will likely also stop legitimate third-party apps from automatically reading and filling in OTPs on a payment page. This is a common behavior in many apps, including Amazon, in countries where an OTP is required for payment confirmation.
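The risk described here (any app with notification access can read OTP texts) and the role|signature protection level described earlier are both things a device administrator can check today. The following audit script is an added example, not code from the article or from Android: it parses the value of the `enabled_notification_listeners` secure setting and the output of `pm list permissions -f`, both shown as constructed sample strings so it runs offline, flags notification readers that are not on an allowlist, and reports whether the new permission could be held by an ordinary third-party app. The package names are constructed, and the fully qualified name `android.permission.RECEIVE_SENSITIVE_NOTIFICATIONS` is assumed from the article's RECEIVE_SENSITIVE_NOTIFICATIONS.

```python
"""Audit notification-listener grants and a permission's protection level.

Added example, not code from the article or from Android. On a real device the
two inputs would be captured with:
    adb shell settings get secure enabled_notification_listeners
    adb shell pm list permissions -f
Here they are constructed sample strings so the script runs offline.
"""

# Constructed sample: value of the enabled_notification_listeners secure setting.
# It is a ':'-separated list of ComponentName strings ("package/class"); a class
# beginning with '.' is relative to its package.
SAMPLE_LISTENERS = (
    "com.android.systemui/com.android.systemui.statusbar.NotificationListener:"
    "com.example.wear/.NotificationService:"
    "com.example.cleaner/com.example.cleaner.svc.Listener"
)

# Constructed sample excerpt in the layout of `pm list permissions -f`. The
# permission name is assumed from the article's RECEIVE_SENSITIVE_NOTIFICATIONS.
SAMPLE_PERMISSIONS = """All Permissions:

+ permission:android.permission.BIND_NOTIFICATION_LISTENER_SERVICE
  package:android
  label:null
  description:null
  protectionLevel:signature
+ permission:android.permission.RECEIVE_SENSITIVE_NOTIFICATIONS
  package:android
  label:null
  description:null
  protectionLevel:signature|role
"""

# Packages the administrator has reviewed and accepts as notification readers.
ALLOWLIST = {"com.android.systemui", "com.example.wear"}


def parse_enabled_listeners(raw):
    """Return [(package, fully_qualified_class), ...] from the setting's raw value.

    `settings get` prints "null" when the setting is unset; treat that as empty.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    result = []
    for component in raw.split(":"):
        if "/" not in component:
            continue  # malformed entry: skip it rather than abort the audit
        package, cls = component.split("/", 1)
        if cls.startswith("."):
            cls = package + cls
        result.append((package, cls))
    return result


def parse_permission_levels(raw):
    """Map permission name -> set of protectionLevel tokens from `pm list permissions -f`."""
    levels = {}
    current = None
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("+ permission:"):
            current = line[len("+ permission:"):]
        elif line.startswith("protectionLevel:") and current:
            levels[current] = set(line[len("protectionLevel:"):].split("|"))
            current = None
    return levels


def third_party_grantable(levels, permission):
    """True if an ordinary app could hold the permission, None if it is absent.

    Only the "normal" and "dangerous" base levels can be granted to arbitrary
    third-party apps. "signature" requires the platform signing key and "role"
    limits the grant to holders of a designated role, which is the combination
    the article reports for RECEIVE_SENSITIVE_NOTIFICATIONS.
    """
    tokens = levels.get(permission)
    if tokens is None:
        return None
    return bool(tokens & {"normal", "dangerous"})


def unexpected_listeners(raw_listeners, allowlist):
    """Packages with notification access that are not on the allowlist.

    Every package returned here can read the text of every notification,
    including SMS OTPs, on builds that predate the new restriction.
    """
    return sorted({pkg for pkg, _ in parse_enabled_listeners(raw_listeners)
                   if pkg not in allowlist})


if __name__ == "__main__":
    for pkg in unexpected_listeners(SAMPLE_LISTENERS, ALLOWLIST):
        print("review notification access for:", pkg)
    perm = "android.permission.RECEIVE_SENSITIVE_NOTIFICATIONS"
    print(perm, "third-party grantable:",
          third_party_grantable(parse_permission_levels(SAMPLE_PERMISSIONS), perm))
```

Run against real adb output, the first check is the one that matters today: the allowlist review is the only control a user or administrator has until the platform itself stops untrusted listeners from seeing sensitive notifications.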
We could see Google talk about this new security feature when it publicly announces Android 15 at Google I/O 2024 later this year.