Android 15 may shield your sensitive login codes

One common form of 2FA sends a one-time password (OTP) code to you via text or email. While easy to use, these methods carry an inherent risk – the text or email containing the code could be intercepted by a malicious party. However, as found by Android expert Mishaal Rahman (via Android Authority), a recent deep dive of the Android 14 QPR3 Beta 1 code, shows evidence of a new security feature in development that aims to protect your sensitive login codes.

How is Google planning to protect your login codes?

Google appears to be adding a new permission called "RECEIVE_SENSITIVE_NOTIFICATIONS". This would likely be very restricted, making it available only to certain system apps on your phone. The feature likely would work in tandem with Android's "NotificationListenerService" API, the system that lets apps read and interact with your notifications. This API isn't automatically active and you generally need to activate it manually in your settings.

Code snippets also indicate that Android 15 could have a feature called "OTP_REDACTION", which may hide 2FA codes directly on your lock screen. Android's NotificationListenerService can be very powerful, making it a potentially valuable tool for malicious apps to gain access to sensitive data.

This new feature aims to block untrusted apps from reading notifications that contain sensitive data, like your OTP codes for logging into social media, banking, etc. Essentially, Android could give you more control over what information different apps can and can't see.

These additions, when put together, indicate that Google is working to improve security significantly. One could arrive at the conclusion, based on these new findings, that the intended functionality is to hide these login codes from prying eyes — or prying apps if you will — so that only those that are trusted can gain access to them.