- Google may be cracking down on a known Android security attack method in Android 15.
- Malicious apps that can read your notifications can intercept one-time passwords (OTPs) and hijack your accounts, and Google wants to prevent this.
- Code within Android 15 suggests Google might stop untrusted apps from reading notifications with OTPs.
It’s essential to protect your online accounts so they don’t fall into the hands of hackers, which is why you should use a passkey or enable two-factor authentication (2FA) whenever possible. While some forms of 2FA are more secure than others, some platforms only support the most basic methods, wherein your one-time passwords (OTPs) are sent via email or text. These methods are convenient since they don’t require additional setup, but they are also less secure since they’re easier to intercept. Fortunately, Android 15 might be adding a new feature that prevents your OTPs from being read by malicious Android apps.
While digging through the Android 14 QPR3 Beta 1 update, I discovered the addition of a new permission named RECEIVE_SENSITIVE_NOTIFICATIONS. This permission has a protectionLevel of role|signature, which means it can only be granted to applications with the requisite role or to applications that the OEM signs. While the exact role that grants this permission hasn’t been defined yet, it’s likely that Google doesn’t intend to open this permission up to third-party apps.
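A device-side check related to the risk described above, as an added example that is not from the article or from Android's source: it lists apps that currently hold notification access and are not system packages, using the text output of `adb shell settings get secure enabled_notification_listeners` and `adb shell pm list packages -s`. The package names and sample outputs are constructed, and "system package" is only a rough stand-in for the signature or role requirement the article describes.

```python
# Added example: find third-party apps with notification access.
# Inputs are the raw text printed by two adb commands:
#   adb shell settings get secure enabled_notification_listeners
#   adb shell pm list packages -s
# Both sample strings below are constructed for illustration.
SAMPLE_LISTENERS = (
    "com.example.oemlauncher/com.example.oemlauncher.NotifService:"
    "com.example.flashlight/.Listener:"
    "com.example.wearsync/.SyncListener"
)
SAMPLE_SYSTEM = "package:com.example.oemlauncher\npackage:com.android.settings\n"


def parse_listeners(raw):
    """Split the colon-separated 'package/class' list into (package, class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":  # 'settings get' prints "null" when the key is unset
        return []
    pairs = []
    for entry in raw.split(":"):
        pkg, sep, cls = entry.strip().partition("/")
        if sep and pkg and cls:  # skip malformed entries instead of guessing
            pairs.append((pkg, cls))
    return pairs


def parse_system_packages(raw):
    """Turn 'package:<name>' lines into a set of package names."""
    prefix = "package:"
    return {
        line.strip()[len(prefix):]
        for line in raw.splitlines()
        if line.strip().startswith(prefix)
    }


def third_party_listeners(listeners_raw, system_raw):
    """Map each non-system package to the listener classes it has enabled."""
    system = parse_system_packages(system_raw)
    found = {}
    for pkg, cls in parse_listeners(listeners_raw):
        if pkg not in system:
            found.setdefault(pkg, []).append(cls)
    return found


if __name__ == "__main__":
    for pkg, classes in sorted(third_party_listeners(SAMPLE_LISTENERS, SAMPLE_SYSTEM).items()):
        print(f"review notification access: {pkg} ({', '.join(classes)})")
```

Any package this reports can read notification content today, so each one is worth confirming against what the user knowingly enabled under Settings.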