• Google may be cracking down on a known Android security attack method in Android 15.
• Malicious apps that can read your notifications can intercept one-time passwords (OTPs) and hijack your accounts, and Google wants to prevent this.
• Code within Android 15 suggests Google might stop untrusted apps from reading notifications with OTPs.

It’s crucial to secure your online accounts to prevent them from being accessed by hackers. To enhance security, consider using a passcode or enabling two-factor authentication (2FA) whenever possible. While some forms of 2FA offer better security than others, certain platforms only support basic methods where one-time passwords (OTPs) are sent via email or text. Although these methods are convenient as they require no additional setup, they are less secure and more susceptible to interception. Luckily, Android 15 may introduce a new feature to protect your OTPs from being accessed by malicious Android apps.

In my exploration of the Android 14 QPR3 Beta 1 update, I came across a new permission called RECEIVE_SENSITIVE_NOTIFICATIONS. This permission has a protection level of role|signature, indicating it can only be granted to applications with the necessary role or to applications signed by the OEM. While the specific role granting this permission hasn’t been defined yet, it seems likely that Google does not intend to make this permission available to third-party apps.

I believe this permission is associated with an upcoming platform feature designed to hide sensitive notifications from unauthorized apps that utilize a NotificationListenerService. This API allows apps to access and interact with all notifications. Users must manually grant apps permission in Settings before they can utilize the NotificationListenerService API.

Considering the significant capabilities of this permission and API, it’s understandable that Google aims to restrict the data access granted to apps. While the definition of an “untrusted” app remains unclear, it’s probable that it includes apps lacking the new RECEIVE_SENSITIVE_NOTIFICATIONS permission. This permission is likely to be limited to specific system apps.

We’re uncertain about the specific types of notifications Google considers “sensitive,” but indications point to notifications containing 2FA codes. During our examination of the Android 14 source code, we came across a new flag named OTP_REDACTION, designed to control “the redaction of OTP notifications on the lock screen.” While this flag is not currently active in Android 14, it seems likely that Google plans to introduce it with Android 15.

With the introduction of the OTP_REDACTION flag and the RECEIVE_SENSITIVE_NOTIFICATIONS permission, Android will have three methods to safeguard users against exposing their 2FA codes to unauthorized parties. The OTP_REDACTION flag hints at Android preventing users from exposing their 2FA codes on the lock screen, while the RECEIVE_SENSITIVE_NOTIFICATIONS permission indicates Android’s intention to prevent untrusted apps from accessing notifications containing 2FA codes. Additionally, an existing feature from Android 13 prohibits users from enabling an app’s notification listener service if it was downloaded from an untrusted source.
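To make the three protections concrete, here is an added model (example code written for this article, not Android platform code) of how a notification carrying an OTP would be treated under each rule: a listener from an untrusted source is never enabled, a listener lacking RECEIVE_SENSITIVE_NOTIFICATIONS receives the text with the code redacted, and the lock screen hides OTP-like content while OTP_REDACTION is on. The OTP heuristic, the `android.permission.` prefix, the `Listener` class and the sample message are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Permission named in the article; the "android.permission." prefix is an assumption.
RECEIVE_SENSITIVE_NOTIFICATIONS = "android.permission.RECEIVE_SENSITIVE_NOTIFICATIONS"

# Constructed heuristic: a notification is OTP-like when it mentions a code and
# carries a standalone 4-8 digit number. A real detector would be stricter.
_KEYWORDS = re.compile(r"(?i)\b(?:code|otp|passcode|one[- ]time|verification)\b")
_CODE = re.compile(r"(?<!\d)\d{4,8}(?!\d)")


def looks_like_otp(text: str) -> bool:
    return bool(_KEYWORDS.search(text)) and bool(_CODE.search(text))


def redact_code(text: str) -> str:
    """Replace each OTP-like digit group with bullets and keep the rest of the text."""
    return _CODE.sub(lambda m: "\u2022" * len(m.group()), text)


@dataclass(frozen=True)
class Listener:
    """An app with an enabled NotificationListenerService (hypothetical model)."""
    package: str
    permissions: frozenset = frozenset()
    trusted_source: bool = True  # False models the Android 13 side-load restriction


def deliver_to_listener(text: str, listener: Listener, otp_redaction: bool = True):
    """Text a listener would receive; None if the listener could not be enabled at all."""
    if not listener.trusted_source:
        return None  # Android 13: listener from an untrusted source cannot be enabled
    sensitive = otp_redaction and looks_like_otp(text)
    if sensitive and RECEIVE_SENSITIVE_NOTIFICATIONS not in listener.permissions:
        return redact_code(text)  # app without the permission never sees the code
    return text


def lock_screen_text(text: str, otp_redaction: bool = True) -> str:
    """Model the OTP_REDACTION flag: hide OTP-like content on the lock screen."""
    if otp_redaction and looks_like_otp(text):
        return "Sensitive notification content hidden"
    return text


if __name__ == "__main__":
    sms = "G-482913 is your Google verification code."  # constructed sample
    system_app = Listener("com.example.sysapp", frozenset({RECEIVE_SENSITIVE_NOTIFICATIONS}))
    print(deliver_to_listener(sms, system_app))  # full text
    print(deliver_to_listener(sms, Listener("com.example.reader")))  # code is bulleted
    print(lock_screen_text(sms))
```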
