top | item 47142346

UncleMeat | 5 days ago

Codes arrive via SMS, which is available to all apps with the READ_SMS permission. This isn't an OS vuln. It is a property of the fact that SMS messages are delivered to a phone number and not an app.

On the Play store there is a bunch of annoying checking for apps that request READ_SMS to prevent this very thing. Off Play such defense is impossible.

Retr0id|5 days ago

If they restricted sideloaded apps from sniffing SMS then I wouldn't mind all that much.

EvanAnderson|4 days ago

I use an app[0] to do scheduled exports of my SMS (which I rsync to my IMAP server and import into my mailbox for a "single pane of glass" view of my communication). I certainly don't want to lose this functionality.

[0] https://github.com/tmo1/sms-ie

UncleMeat|5 days ago

There are about a half dozen permissions that are regularly abused by malware. These permissions are also extremely useful for a ton of completely legitimate features.

I am pretty confident that if Google had enabled this policy only for apps which use these permissions that the community would still be upset.

warkdarrior|5 days ago

So no access to SMS for apps distributed on F-Droid?

jhasse|5 days ago

Only require Developer Registration for apps with READ_SMS then.

UncleMeat|5 days ago

There are about a half dozen permissions that are regularly abused by malware. These permissions are also extremely useful for a ton of completely legitimate features.

I am pretty confident that if Google had enabled this policy only for apps which use these permissions that the community would still be upset.