Android 15 can stop malware from stealing your OTPs

Summary

  • Android may improve security by restricting sensitive notification access to authorized apps, preventing OTP interception by third-party apps.
  • A new “receive sensitive notifications” permission in Android 14 QPR3 Beta 1 could be a step toward protecting sensitive information like OTPs.
  • Google’s potential move to block untrusted apps from viewing OTP notifications shows its commitment to user security and privacy.



One-time passwords (OTPs) over SMS have become a standard security option across almost all major apps and services. While basic and less secure than using a 2FA app, they’re popular because of their simplicity and ease of use. Plus, many websites and services don't support alternative two-factor authentication methods. The problem is that on Android, when you give notification access to an app, it can also intercept sensitive OTPs, posing a significant security risk. This might change in Android 15, with Google preventing untrusted apps from accessing such SMSes.


Android expert Mishaal Rahman, writing for Android Authority, reports finding a new RECEIVE_SENSITIVE_NOTIFICATIONS permission in Android 14 QPR3 Beta 1. With a “protectionLevel” of “role|signature,” only selected OEM-signed or specified apps can view the notification.

While it is not yet clear, Rahman speculates that Google is unlikely to give third-party apps access to this permission. This is because the permission is linked to a new in-development feature that would prevent untrusted apps from accessing sensitive notifications.

Google doesn’t explicitly mention texts with 2FA codes as sensitive in any of the permissions. However, Rahman highlights finding an “OTP_REDACTION” flag in Android 14 for “the redaction of OTP notifications on the lock screen.” This flag is not active in Android 14, but Google could enable it with Android 15 later this year. All these changes purportedly point to the company restricting access to OTP texts to selected authorized apps.


Google has made huge strides in improving the security and privacy of Android users in the last few years. Preventing third-party apps from intercepting OTP texts could be another move in that direction, especially since Android malware tends to abuse this method.

Right now, any Android app with notification access can intercept and read texts containing a one-time password, posing a major privacy risk. However, this security feature will likely prevent third-party apps from automatically reading and filling in OTPs on a payment page. This is a common behavior in many apps, including Amazon, in countries where an OTP is required for payment confirmation.

We could see Google talk about this new security feature when it publicly announces Android 15 at Google I/O 2024 later this year.
