Enhanced Security: Report Suggests Android 15 to Bolster Two-Factor Authentication

Android 15: Potential Feature Restriction on Third-Party App Notification Access

Google’s ongoing development of Android 15 has garnered attention, particularly with the release of the first Developer Preview on Friday, February 16. Emphasizing a pivotal focus on security, the tech giant aims to fortify user data protection within the upcoming operating system. A recent report sheds light on three significant security enhancements poised to safeguard sensitive information on smartphones.

One notable enhancement highlighted in the report, authored by Android Authority’s Mishaal Rahman, pertains to the safeguarding of notifications generated by two-factor authentication (2FA) processes. Currently, the reliance on SMS for transmitting one-time passwords (OTPs) in various authentication scenarios poses inherent risks, particularly if intercepted by malicious third-party apps. Android 15 seeks to address this vulnerability by implementing stringent measures to prevent unauthorized access to sensitive notifications.

Key among these measures is the introduction of a new permission termed RECEIVE_SENSITIVE_NOTIFICATIONS, identified within the code of the Android 14 QPR3 Beta 1 update. This permission, characterized by a higher protection level, is exclusively granted to apps verified by Google. While the precise functionality of this permission remains undisclosed, its nomenclature suggests a specialized role in safeguarding a specific category of notifications from third-party access, bolstering overall data security on the Android platform.

The report suggests that the permission is likely aimed at 2FA-related notifications. That belief comes from a separate string of code found by Rahman, which points to an under-development platform feature to which the permission is tied. The feature is named NotificationListenerService, an API that lets apps read or take action on notifications. A common use case is apps that ask for notification access so they can auto-fill an OTP when the user creates a new account. However, once this API becomes active (it isn’t in the Android 14 build), this will become more difficult.

According to the report, this API will require the user to open Settings and manually grant permission to an app before it can be activated. Such stringent measures are likely meant for two-factor authentication. However, even in this second case, it cannot be said for sure.

Rahman found a third hint that likely ties all the developments together. A new flag labelled OTP_REDACTION was seen in the code. It redacts OTP notifications on the smartphone's lock screen. Google currently does not use this flag, but the report suggests it could be activated with Android 15. All three separate developments point towards protecting OTP notifications from third-party apps, which makes it likely that the tech giant will use them to protect financial and other important apps that may contain sensitive information.