No More OTP Worries! Android 15 Puts a Wall Around Your Sensitive Notifications

Privacy and security are the primary things that every Android user asks for. Fortunately, Android 15 will bring dedicated features for enhancing the user's security experience.
Usually, to add an extra layer of security, users should use a passcode or enable two-factor authentication (2FA). Some forms of 2FA are more secure than others, and reports now say that Android 15 might add a new feature that prevents OTPs from being read by malicious Android applications.
Reports digging through the Android 14 QPR3 Beta 1 update found a new permission named RECEIVE_SENSITIVE_NOTIFICATIONS. This permission has a high protection level of role|signature, which means that it can only be granted to applications that hold the required role or to applications that the OEM signs.
However, Google has not officially mentioned the exact role that grants the permission, and it is expected that Google doesn't intend to open this permission up to third-party applications. The report says that NotificationListenerService is an API that permits an application to read or take action on all notifications. Users need to manually grant an application permission in Settings before the NotificationListenerService API becomes available to it.

The reporters mentioned that they don't know exactly what an "untrusted" app refers to, but it may be any application that does not hold the new RECEIVE_SENSITIVE_NOTIFICATIONS permission. It is expected that this permission would apply to select system apps. It is also not yet clear what kind of notification counts as "sensitive" from Google's perspective, but there is reason to believe this refers to notifications with 2FA codes.
As per the reports, digging through the source code for Android 14 also turned up a new flag named OTP_REDACTION, which is used to gate "redaction of OTP notifications on the lock screen." Also, Android will have three ways to protect users from leaking their 2FA codes to third parties. The OTP_REDACTION flag suggests that Android will stop users from leaking their 2FA codes on the lock screen, whereas the RECEIVE_SENSITIVE_NOTIFICATIONS permission suggests that Android will stop untrusted applications from reading notifications that contain 2FA codes.