Android 15 could have a big emphasis on security from the looks of things. Not only has Google added a bunch of security-conscious tools to the first Android 15 developer preview. Now it looks as though Google may also be adding better protection for two-factor authentication codes as well.
According to well known Android sleuth Mishaal Rahman, over at Android Authority, the Android 14 QPR3 beta 1 contains a new permission called RECEIVE_SENSITIVE_NOTIFICATIONS. Apparently this permission has a role|signature protection level which means it can only be granted to apps with either the requisite role or that have been signed by an OEM.
Rahman believes that this permission is probably only meant for Google apps, rather than third parties, and seems to be a way to stop untrusted apps from seeing sensitive notifications. That includes one time passcodes (OTP) and other two-factor authentication codes that you may be sent.
This appears to be backed up by two new additions. The first is an API called NotificationListenerService that should allow apps to read or take action on all your notifications — but only if they’ve been granted that permission in the settings.
There’s also a brand new flag called OTP_REDACTION that prevents codes from appearing on the lock screen. So in both cases it looks like Android will be protecting your 2FA codes from untrustworthy apps that may be snooping through your notifications, and prying eyes that might see codes on your lockscreen.
Since these flags haven’t been implemented in Android just yet, Android 15 is the most likely place for Google to activate these additional flags and permissions. Which could be a major hidden benefit of the software.
Two-factor authentication is an incredibly important way of helping keep your accounts secure. Because even if someone manages to guess your login details, the odds of them also having that secondary verification code are incredibly slim.
That said, 2FA isn’t perfect and there are security flaws that a savvy hacker could try to exploit — especially if codes are sent via SMS, which is notorious for being unencrypted and totally insecure.
Whether those messages are intercepted en route, seen over your shoulder, or spied on by a malicious app, once a hacker has that code they’ve essentially got free reign of the account in question. So anything Google can do to improve the security of those codes when they arrive is more than welcome.
It won’t make the process completely foolproof, which is why you should avoid SMS and notification-based 2FA wherever possible. Your security is going to be much better if you use codes from an authenticator app, or utilize a physical security key.
We don’t know exactly when Android 15 will launch to the public, but according to Google, the first beta version should be arriving in the Spring. Until then be sure to keep tabs on our official Android 15 hub for all the latest news and rumors.
