Android 15 has new tricks to protect two-factor code

Your phone’s notification panel is a treasure trove of sensitive data, as it contains not only personal messages but also security codes sent by online services that have two-factor authentication enabled. As a result, many malicious apps attempt to trick users into allowing access to their notifications and steal two-factor authentication codes. Thankfully, the Android 15 update makes it harder for malicious apps to extract two-factor authentication codes from notifications.

Android has long provided an API called Notification Listener that allows third-party apps to access notifications. Because notifications may contain sensitive data, your app cannot use the notification listener API until you have permission. You must manually grant the app access to notifications through the Settings app. The only thing the app can do to help you with that process is open a settings page where you can grant access.

Once an app is granted access to your notifications, it can read, reply to, dismiss, or control all notifications on your phone, or a subset of the notifications you’ve given it access to. It doesn’t matter if that notification contains something highly sensitive like a two-factor authentication code. The Notification Listener API allows apps to read and extract notifications.

Android 15 changes that by designating notifications containing two-factor authentication codes as “sensitive,” allowing only “trusted” notification listener services to read them. An “untrusted” notification listener service that tries to read a notification that contains a two-factor authentication code will simply see the message “Sensitive notification content has been hidden.”

Here’s a short video that shows how this change affects notification listeners in Android 14 and Android 15. This video shows that apps that you grant notification access to on devices running Android 14 can read your notifications using two-factor authentication. code inside them. In contrast, the same app with the same permissions on a device running Android 15 cannot read notifications containing two-factor authentication codes.

Android System Intelligence (ASI) apps process all notifications internally before sending them to the notification listener service. When ASI detects that a notification contains a two-factor authentication code, it instructs the system to mark the notification as “sensitive” and block it from being sent to “untrusted” notification listener services. An “untrusted” notification listener service belongs to an app that doesn’t keep up with new notifications. RECEIVE_SENSITIVE_NOTIFICATIONS Permissions added by Google in Android 15.

This permission can only be granted to apps that are signed with a system certificate or that hold a specific role. Most of the roles assigned are RECEIVE_SENSITIVE_NOTIFICATIONS Permissions can only be held by system apps, but some can also be held by third-party apps. COMPANION_DEVICE_WATCH, COMPANION_DEVICE_GLASSESand HOME. These roles are given to the watch companion app, smart glasses companion app, and default launcher, respectively. This means that the only third-party apps that can read notifications containing two-factor authentication codes on Android 15 are apps that connect to your smartwatch, apps that connect to your smart glasses, or the default home screen launcher app.

Blocking third-party apps from reading notifications containing two-factor authentication codes would hopefully thwart some hacking attempts, but the free open-source app I used called SMS Code Some automation and convenience tools, such as “Copy”, will also stop working. To demonstrate these changes. There is a simple workaround to restore the previous behavior, but it is not recommended. This includes turning off “.Enhanced notifications” Bottom Settings > Notifications. This stops ASI from parsing notifications and marking notifications with two-factor authentication codes as “sensitive,” but also stops it from generating recommended actions or responses. Another workaround involves configuring and using ADB and manually granting permissions. RECEIVE_SENSITIVE_NOTIFICATIONS Obtain permission using the following command:

here, is the package name of the application to which you are granting permissions. However, you should only do this if you are a power user and have tools that will no longer function as a result of this change.

It’s great to see Android make small tweaks like this that improve security, but it would be nice if Google documented this change somewhere, especially since it affects how apps work. Sho. It would also be nice if Android could selectively block sensitive notifications from appearing on the lock screen, something Google was testing when I first reported on the change in February. That was it. Perhaps a future Android update will introduce that feature.