Two-factor authentication (2FA) is a great way to protect your accounts from prying eyes, but not all 2FA mechanisms are the same. Some platforms still use a very basic form of 2FA that sends a code through mail or text.
As you might have guessed, these are very easy to intercept, but Google is apparently working on a way to prevent this in Android 15. According to a report from Android Authority, Google is adding a way to stop third-party apps from reading sensitive notifications.
A new permission string called ‘RECEIVE_SENSITIVE_NOTIFICATIONS’ was found in the latest Android 14 QPR3 Beta 1, and it has a protection level of ‘role|signature’, which means these notifications can only be read by authorized apps.
According to the report, this permission string is tied to another in-development feature that will block sensitive notifications from being read by untrusted apps. These apps use an API called ‘NotificationListenerService’, which lets them read all notifications, sensitive ones included.
Google is now limiting the use of this API with this new permission string. While there is no clarity on what constitutes ‘sensitive’ notifications, it could be related to 2FA codes.
The report also mentions a flag called ‘OTP-REDACTION’ which will hide notifications with 2FA codes in them from the lock screen.
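Because any app granted notification access through ‘NotificationListenerService’ can see incoming codes today, it is worth checking which apps hold that access. The script below is an added example, not code from the report or from Android: it parses the colon-separated `enabled_notification_listeners` secure setting and prints packages missing from an allowlist. The sample value, package names and allowlist are constructed for illustration.

```shell
#!/bin/sh
# Audit which apps hold notification-listener access on an Android device.
# Input: the value of the secure setting `enabled_notification_listeners`,
# a colon-separated list of flattened component names (package/class).
# On a real device, obtain it with:
#   adb shell settings get secure enabled_notification_listeners

# Constructed sample value (not taken from a real device).
SAMPLE_LISTENERS='com.example.launcher/.NotifListener:com.example.wearsync/com.example.wearsync.ListenerService:com.example.flashlight/.Svc'

# Hypothetical allowlist: packages the device owner expects to read notifications.
ALLOWED_PKGS='com.example.launcher com.example.wearsync'

# list_listener_packages VALUE
# Prints one package name per line, de-duplicated and sorted.
list_listener_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r comp; do
        [ -n "$comp" ] || continue          # skip empty entries
        [ "$comp" = "null" ] && continue    # setting was never populated
        printf '%s\n' "${comp%%/*}"         # keep the package, drop the class
    done | sort -u
}

# unexpected_listeners VALUE ALLOWLIST
# Prints listener packages that are not in the space-separated allowlist.
unexpected_listeners() {
    list_listener_packages "$1" | while IFS= read -r pkg; do
        case " $2 " in
            *" $pkg "*) ;;                  # expected listener
            *) printf '%s\n' "$pkg" ;;      # needs review
        esac
    done
}

# Report on the constructed sample.
unexpected_listeners "$SAMPLE_LISTENERS" "$ALLOWED_PKGS"
```

Any package it prints should be reviewed under the device's notification access settings and revoked if the access is not needed.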