Android 15 has a new trick to protect your two-factor codes

Your cellphone’s notifications panel is a treasure trove of delicate knowledge, because it contains not simply private messages but in addition safety codes despatched from on-line companies you’ve enabled two-factor authentication for. That’s why many malicious apps attempt to trick you into granting them notification entry to allow them to steal these two-factor authentication codes. Fortunately, the Android 15 replace makes it tougher for malicious apps to extract two-factor authentication codes from notifications.

Android has lengthy provided an API referred to as Notification Listener that lets third-party apps entry your notifications. Since notifications can comprise delicate knowledge, apps can’t use the Notification Listener API until they get your permission. You must manually grant the app entry to your notifications via the Settings app, and the one factor apps can do to help with that course of is to open the Settings web page the place you possibly can grant entry.

As soon as an app has been granted notification entry, it might learn, reply to, dismiss, or management both your whole cellphone’s notifications or the subset of notifications that you simply gave it entry to. It doesn’t matter if that notification contains one thing actually delicate like a two-factor authentication code — with the Notification Listener API, apps can learn them and thus extract them.

Android 15 modifications issues by designating notifications with two-factor authentication codes as “delicate” and solely permitting “trusted” Notification Listener companies to learn them. Any “untrusted” Notification Listener service that tries to learn notifications with two-factor authentication codes will merely be given a message stating, “delicate notification content material hidden.”

Right here’s a brief video demonstrating how this variation impacts Notification Listeners on Android 14 versus Android 15. On this video, you possibly can see that an app that I’ve granted notification entry to on a tool operating Android 14 can learn notifications with two-factor authentication codes in them. In distinction, the identical app with the identical permission on a tool operating Android 15 can’t learn notifications with two-factor authentication codes in them.

Beneath the hood, the Android System Intelligence (ASI) app processes all notifications earlier than they’re despatched to Notification Listener companies. If ASI detects {that a} notification has a two-factor authentication code in it, it’ll inform the system to mark it “delicate” and block it from being despatched to “untrusted” Notification Listener companies. “Untrusted” Notification Listener companies belong to apps that don’t maintain the brand new RECEIVE_SENSITIVE_NOTIFICATIONS permission that Google has added in Android 15.

This permission can solely be granted to apps signed with the system certificates or to apps that maintain sure roles. A lot of the roles which are granted the RECEIVE_SENSITIVE_NOTIFICATIONS permission can solely be held by system apps, however there are some that may be held by third-party apps, too, like COMPANION_DEVICE_WATCH, COMPANION_DEVICE_GLASSES, and HOME. Respectively, these roles are given to observe companion apps, good glasses companion apps, and the default launcher. In different phrases, the one third-party apps that may learn notifications with two-factor authentication codes in them on Android 15 are apps that connect with your smartwatch, apps that connect with your good glasses, or your default house display launcher app.

Blocking third-party apps from studying notifications with two-factor authentication codes in them will hopefully cease some hacking makes an attempt, but it surely’ll additionally break some automation and comfort instruments corresponding to “Copy SMS Code,” the free and open supply app I used to reveal these modifications. There may be a straightforward workaround to revive the outdated habits, but it surely’s not one thing I like to recommend. It entails turning off “Enhanced notifications” below Settings > Notifications. This stops ASI from parsing notifications and marking ones with two-factor authentication codes as “delicate,” but it surely additionally stops it from producing advised actions or replies. One other workaround requires establishing and utilizing ADB to manually grant the RECEIVE_SENSITIVE_NOTIFICATIONS permission utilizing the next command:

Right here, is the package deal identify for the appliance you wish to grant the permission to. You must solely do that in case you’re an influence person and there’s some software this variation in any other case breaks, although.

It’s nice to see Android make tiny tweaks like this that enhance safety, however it might be good if Google documented this variation someplace, particularly as a result of it impacts app habits. It will even be good if Android selectively blocked delicate notifications from showing on the lock display, which is one thing Google was testing once I first reported on this variation again in February — perhaps that one will arrive in a future Android replace.