Can apps read OTP messages without being given read and write messages permission?


Naveen8555

I wonder how an app or apps can read a login OTP without being given read and write permission for messages.

How is that possible?


Best Answers

  • Naveen8555
    Accepted Answer

    Thanks for the information...

    I am just asking..

    But how is this API safe when it comes to bank OTP messages?

    What if an unknown malicious app can use this API to read the OTPs on the user's side to steal money from their bank accounts?

    I understand that this API is able to read messages with their unique hash codes, but what if they manage to read all messages using that API?

Answers

  • singhnsk
    Super User

    Hi, it is not possible. The app needs to tell Google Play Services that an incoming SMS with this unique hash in the body is mine. Only when an SMS matches that condition will Google Play Services allow the app to read the SMS.

    The hash is computed as a combination of the app's package name and the public key certificate used to sign the app. That means the hash is unique to the app based on its package name. So the app cannot pretend that it is a different app, since no two apps with the same package name can be installed on your phone.

    Android will compute this hash code by combining the app's package name and certificate and will match it to the value in the SMS. If it matches, SMS access is granted. So, all in all, the setup is quite strong. I don't think there are easy loopholes that an app can misuse.

    Moreover, this is done as part of the automated login verification via OTP. As for the banks, they don't send out any SMS with that unique hash. They only send raw OTP SMS messages with no hashes. And that means no app can access such SMS messages with automated access unless you manually grant an app the permission for full SMS access or for a particular OTP SMS.
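As an added illustration (not part of any post in this thread), here is a Python model of the hash derivation singhnsk describes, following the algorithm Google publishes in its SMS Retriever sample code: SHA-256 over "packageName" + space + hex of the signing certificate, truncated to 9 bytes, base64-encoded without padding, first 11 characters kept. The package names, certificate bytes, OTP codes and SMS texts below are constructed, and the delivery rule in `sms_visible_to_app` is a simplified model of what Play Services does, not its actual code.

```python
import base64
import hashlib

# Parameters of the documented SMS Retriever hash derivation.
HASH_ALGORITHM = "sha256"
NUM_HASHED_BYTES = 9       # digest is truncated to 9 bytes ...
NUM_BASE64_CHARS = 11      # ... which base64-encode to 12 chars; the first 11 are kept
MAX_SMS_BYTES = 140        # documented size limit for a retriever message


def app_hash(package_name: str, signing_cert_hex: str) -> str:
    """Derive the 11-character hash an app's verification SMS must carry.

    The input is "<package name> <hex of the signing certificate>", which is
    what Google's AppSignatureHelper feeds to SHA-256. Because the signing
    certificate is part of the input, a different app cannot reproduce this
    value even if it copied the package name.
    """
    app_info = f"{package_name} {signing_cert_hex}".encode("utf-8")
    digest = hashlib.new(HASH_ALGORITHM, app_info).digest()
    encoded = base64.b64encode(digest[:NUM_HASHED_BYTES]).decode("ascii")
    return encoded[:NUM_BASE64_CHARS]


def sms_visible_to_app(sms_body: str, package_name: str, signing_cert_hex: str) -> bool:
    """Simplified model of the delivery rule (an assumption, not Play Services code):
    an SMS is handed to the app only if it is within the size limit and ends
    with that app's own hash. Any other SMS, including a bank OTP that carries
    no hash at all, stays invisible to the app.
    """
    if len(sms_body.encode("utf-8")) > MAX_SMS_BYTES:
        return False
    return sms_body.rstrip().endswith(app_hash(package_name, signing_cert_hex))


# Constructed sample data: two apps signed with different certificates.
# The "certificates" are placeholder hex strings, not real DER certificates.
LOGIN_APP = ("com.example.login", "3082" + "ab" * 30)
OTHER_APP = ("com.example.other", "3082" + "cd" * 30)
# An impostor that reuses the package name but is signed with another key.
IMPOSTOR = ("com.example.login", "3082" + "ef" * 30)


def verification_sms_for(package_name: str, signing_cert_hex: str, code: str) -> str:
    """Build an SMS in the retriever format: text, the one-time code, then the hash."""
    return f"Your login code is {code} {app_hash(package_name, signing_cert_hex)}"


def demo() -> dict:
    """Return which party can see which message under the model."""
    otp_sms = verification_sms_for(*LOGIN_APP, "482913")     # constructed code
    bank_sms = "Your bank OTP is 117042. Do not share it."    # constructed, no hash
    return {
        "login_app_sees_own_otp": sms_visible_to_app(otp_sms, *LOGIN_APP),
        "other_app_sees_login_otp": sms_visible_to_app(otp_sms, *OTHER_APP),
        "impostor_sees_login_otp": sms_visible_to_app(otp_sms, *IMPOSTOR),
        "login_app_sees_bank_otp": sms_visible_to_app(bank_sms, *LOGIN_APP),
        "other_app_sees_bank_otp": sms_visible_to_app(bank_sms, *OTHER_APP),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the hash itself is not a secret: anyone who knows an app's package name and its public signing certificate can compute it. The protection comes from Play Services computing the hash from the certificate of the app that is actually installed and asking, which is why the impostor in the model, sharing the package name but not the signing key, gets nothing, and why a bank SMS with no hash is delivered to no app at all through this path.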

  • rbeze 58

    [SUMMARY]

    Well, it's basically safe as long as you are using apps from proper sources. There are exploits in the entire messaging framework which would require the whole Android framework to be rebuilt from scratch to address this exploit. Details are given at the end. This won't be getting fixed anytime soon, since the entire platform will need major changes to make it happen. And if it does happen, a lot of third-party messaging apps would stop working, and it would be treated as a privacy and data breach.

    What was mentioned earlier is true, but it is not mandatory for any app to only access their #key to retrieve only their OTP. Android apps usually try to exercise the maximum amount of rights they can. So even if they can get something done with only the SMS from a particular number, they will still choose to get all the SMS ever sent or received on that particular device. There is nothing stopping these apps from doing so. Basically, as long as the apps you install are the ones you trust, you're gonna be fine.

    If you're wary of someone misusing your OTP, you should be more wary of people working on the service provider/operator/carrier side, since they have more access to your messages and calls (also voicemails, depending on whether you use them or not) than you or any of the apps installed on your phone could ever have. Though there's little or no chance that those people will use this means for stealing money. It's rather unlikely. So don't ever send passwords via SMS. It's not end-to-end encrypted.

    [DETAILED OVERVIEW]

    Any OTP sent (and all messages, for that matter) to your phone can be easily accessed by any app which has the permission SMS_ACCESS. This basically allows the app to READ all the messages present in the Messages Storage, which is responsible for storing all the SMS sent/received/saved as draft/waiting/etc., from the first message ever received on that phone to the last one sent.

    That being said, the apps won't be able to send messages as long as the SMS_APP permission isn't given, or in simple terms, if it's not set as the default messaging app.

    [CONCLUSION]

    It's not safe. So you must install apps that you trust and only use trusted sources like Play Store, APKMirror, APKPure, F-Droid, Amazon App Store, QooApp (if in South Korea, Japan, China), etc.

  • Naveen8555

    Thanks for information 😊

  • singhnsk
    Super User

    @rbeze 58 Yes, you are right. But here, we were talking about the OTPs being read when the SMS R/W permission was not granted.

    As for the overall misuse of permissions, it is usually wiser not to allow full SMS access to any app unless it is absolutely necessary. I believe that is why the SMS Retriever API was implemented in Play Services: to avoid the need to grant unrestricted SMS access to an app when all it needs is access to one text message, the OTP. So the situation has improved over time, as long as users are careful.
