Android 15 set to add extra protection to OTP notifications

The bright display on the Google Pixel 8 Pro
(Image credit: Nicholas Sutrich / Android Central)

What you need to know

  • Android 15 may enhance privacy and security by preventing OTP interception by third-party apps.
  • Code found within Android 14 QPR Beta 1 contains a “receive sensitive notifications” permission, which would block many apps from reading those messages.
  • Stopping malicious apps from accessing these messages would help to prevent accounts from being hijacked.

With the increased threat of having accounts hacked, two-factor authentication (2FA) plays a valuable role in making it harder for others to steal your information or access your accounts. One form of 2FA is one-time passwords (OTPs), which send a verification code to you via email or text. 

While OTP is beneficial in that it is quicker and easier than using an authenticator app, it’s also the least secure of the 2FA methods available. This is because many apps request access to your notifications, allowing them to potentially intercept any of those sensitive OTP messages you’re receiving. Google may be set to address this security risk in Android 15, according to a report in Android Authority.  

Android expert Mishaal Rahman discovered a new permission in the Android 14 QPR Beta 1 update named “RECEIVE_SENSITIVE_NOTIFICATIONS”. Rahman notes that this permission has what’s called a “protection level of role|signature” – in other words, only selected OEM-signed or specified apps can access those notifications.

Rahman goes on to speculate that third-party apps will be denied access to this permission, which will potentially be limited to select system apps. The permission itself is tied to a new platform feature currently in development, designed to prevent untrusted apps from accessing sensitive notifications. Specifically, this could apply to those apps that implement a notification listening service that allows apps to read or take action on all notifications.

Android 15

(Image credit: Android Developers Blog)

At this stage, Google has not confirmed whether OTP and 2FA codes are exactly what is being referred to in this beta code. But Rahman has also spotted an “OTP_REDACTION” flag in the Android 14 source code, which would redact OTP notifications on the lock screen. Rahman notes that this flag isn’t being used in Android 14, and so logically, expects this to be implemented in Android 15.

As we highlighted above, apps with notification access are currently able to intercept any OTP messages a user receives, presenting an obvious security risk if a user has any malicious apps on their phone. This new feature, if implemented, could represent a major step forward in reducing this type of security threat.

The first Android 15 developer preview dropped just a few days ago, with privacy and security features highlighted as major areas of focus by Google. Android 15 is expected to be publicly unveiled later this year at Google I/O 2024. 

Steven Shaw

Steven Shaw is a full-time freelancer, but before he changed his career at the start of 2021, he was in the retail industry, leading teams to achieve goals in selling technology products, such as smartphones, tablets, and more. Graduating from the University of Cambridge with a Masters in Medieval History, he's always had a passion for the topic, alongside technology and many Simpsons quotes.