undefined | Better HN

0 pointsZak7mo ago0 comments

> Are they admitting that their app sandboxing is so weak that a malicious app can exfil data from other unaffiliated apps?

An app can read the content of notifications if the appropriate permissions are granted, which includes 2FA codes sent by SMS or email. That those are bad ways to provide 2FA codes is its own issue.

I want that permission to exist. I use KDE Connect to display notifications on my laptop, for example. Despite the name, it's not just for KDE or Linux - there are Windows and Mac versions too.

0 comments

4 comments · 2 top-level

godshatter7mo ago· 1 in thread

> An app can read the content of notifications if the appropriate permissions are granted, which includes 2FA codes sent by SMS or email.

Do apps generally do this? I've never run into one that doesn't expect me to type in the number sent via SMS or email, rather than grabbing it themselves.

I don't use a lot of apps on my android phone, though, so maybe this is a dumb question to those who do.

ZakOP7mo ago

Most apps don't read notifications for that purpose, and I'm not sure they'd be allowed in the Play Store if they wanted the permission just for that. It's mainly used for automation and sending notifications to other devices like PCs and maybe smartwatches.

klabb37mo ago· 1 in thread

Yes, but see my last paragraph. Reading notifications doesn’t apply to the majority of apps. It’s not a binary choice. On iOS, you need special entitlements for certain high level privileges. Isn’t it already the same on Android?

ZakOP7mo ago

It's similar. I think there's a difference in that special entitlements have to be approved by Apple. Read/manage notifications is under "special app access", which has a different prompt where the user has to pick the app from a list and flip a toggle to grant the permission rather than just tapping OK.

j / k navigate · click thread line to collapse