Monday, March 10, 2025

Android 15 has a brand new trick to guard your two-factor codes


Two-factor authentication code in notification

Mishaal Rahman / Android Authority

TL;DR

  • Android 15 blocks untrusted apps from reading sensitive notifications, even if they have permission to read all notifications.
  • Before Android 15, apps with notification access were able to read all incoming notifications, even ones with OTP codes.
  • Now, though, only certain trusted apps can read OTP codes from notifications.

Your phone’s notifications panel is a treasure trove of sensitive data, as it contains not just personal messages but also security codes sent from online services you’ve enabled two-factor authentication for. That’s why many malicious apps try to trick you into granting them notification access so they can steal these two-factor authentication codes. Fortunately, the Android 15 update makes it harder for malicious apps to extract two-factor authentication codes from notifications.

Android has long offered an API called Notification Listener that lets third-party apps access your notifications. Since notifications can contain sensitive data, apps can’t use the Notification Listener API unless they get your permission. You have to manually grant the app access to your notifications through the Settings app, and the only thing apps can do to assist with that process is to open the Settings page where you can grant access.

Notification read reply control permission

Once an app has been granted notification access, it can read, reply to, dismiss, or control either all of your phone’s notifications or the subset of notifications that you gave it access to. It doesn’t matter if that notification contains something really sensitive like a two-factor authentication code: with the Notification Listener API, apps can read them and thus extract them.

Android 15 changes things by designating notifications with two-factor authentication codes as “sensitive” and only allowing “trusted” Notification Listener services to read them. Any “untrusted” Notification Listener service that tries to read notifications with two-factor authentication codes will simply be given a message stating, “sensitive notification content hidden.”

Here’s a short video demonstrating how this change affects Notification Listeners on Android 14 versus Android 15. In this video, you can see that an app that I’ve granted notification access to on a device running Android 14 can read notifications with two-factor authentication codes in them. In contrast, the same app with the same permission on a device running Android 15 cannot read notifications with two-factor authentication codes in them.

Under the hood, the Android System Intelligence (ASI) app processes all notifications before they’re sent to Notification Listener services. If ASI detects that a notification has a two-factor authentication code in it, it’ll tell the system to mark it “sensitive” and block it from being sent to “untrusted” Notification Listener services. “Untrusted” Notification Listener services belong to apps that don’t hold the new RECEIVE_SENSITIVE_NOTIFICATIONS permission that Google has added in Android 15.

This permission can only be granted to apps signed with the system certificate or to apps that hold certain roles. Most of the roles that are granted the RECEIVE_SENSITIVE_NOTIFICATIONS permission can only be held by system apps, but there are some that can be held by third-party apps, too, like COMPANION_DEVICE_WATCH, COMPANION_DEVICE_GLASSES, and HOME. Respectively, these roles are given to watch companion apps, smart glasses companion apps, and the default launcher. In other words, the only third-party apps that can read notifications with two-factor authentication codes in them on Android 15 are apps that connect to your smartwatch, apps that connect to your smart glasses, or your default home screen launcher app.

companion device profile

Sample dialog for an app requesting to hold the COMPANION_DEVICE_WATCH role.

Blocking third-party apps from reading notifications with two-factor authentication codes in them will hopefully stop some hacking attempts, but it’ll also break some automation and convenience tools such as “Copy SMS Code,” the free and open source app I used to demonstrate these changes. There’s an easy workaround to restore the old behavior, but it’s not something I recommend. It involves turning off “Enhanced notifications” under Settings > Notifications. This stops ASI from parsing notifications and marking ones with two-factor authentication codes as “sensitive,” but it also stops it from generating suggested actions or replies. Another workaround requires setting up and using ADB to manually grant the RECEIVE_SENSITIVE_NOTIFICATIONS permission using the following command:

adb shell cmd appops set --user 0 <package_name> RECEIVE_SENSITIVE_NOTIFICATIONS allow

Here, <package_name> is the package name for the application you want to grant the permission to. You should only do this if you’re a power user and there’s some tool this change otherwise breaks, though.
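To see which notification listeners on a device have been given this app-op override, the following audit script is an added example and is not from the original article. The `appops get` output format it parses and the `com.example.*` package names are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article): list enabled notification listeners
# and the RECEIVE_SENSITIVE_NOTIFICATIONS app-op mode reported for each.
OP=RECEIVE_SENSITIVE_NOTIFICATIONS

# The secure setting enabled_notification_listeners is a colon-separated list
# of "package/component" entries; print the unique package names.
listener_packages() {
    printf '%s\n' "$1" | tr -d '\r' | tr ':' '\n' | sed -n 's|/.*||p' | sort -u
}

# Pull the mode out of `cmd appops get` output. Assumed format: "<OP>: <mode>",
# optionally followed by "; time=..."; anything else counts as "unset".
appop_mode() {
    mode=$(printf '%s\n' "$1" | sed -n "s/.*$OP: \([a-z]*\).*/\1/p" | head -n 1)
    echo "${mode:-unset}"
}

# Live query; needs adb and an authorized device. stdin is redirected so that
# adb does not swallow the package list the caller's loop is reading.
fetch_appop() {
    adb shell cmd appops get --user 0 "$1" "$OP" </dev/null 2>/dev/null
}

# One line per listener package; REVIEW marks an explicit "allow".
audit_listeners() {
    listener_packages "$1" | while read -r pkg; do
        m=$(appop_mode "$(fetch_appop "$pkg")")
        if [ "$m" = allow ]; then echo "REVIEW $pkg $m"; else echo "OK $pkg $m"; fi
    done
}

# Constructed sample value, for reading the code without a device.
SAMPLE_LISTENERS='com.example.launcher/com.example.launcher.Notif:com.example.otpcopy/com.example.otpcopy.Listener'

if [ "${1:-}" = "--live" ]; then
    audit_listeners "$(adb shell settings get secure enabled_notification_listeners </dev/null)"
fi
```

Run it with `--live` against a connected device. A REVIEW line means the listener is reported with mode `allow` and should be checked against the apps you deliberately trusted; the article does not say how role-granted apps appear in this output.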

It’s great to see Android make tiny tweaks like this that improve security, but it would be nice if Google documented this change somewhere, especially because it affects app behavior. It would also be nice if Android selectively blocked sensitive notifications from appearing on the lock screen, which is something Google was testing when I first reported on this change back in February; maybe that one will arrive in a future Android update.
