Hacker News

Codes arrive via SMS, which is available to all apps with the READ_SMS permission. This isn't an OS vuln. It is a property of the fact that SMS messages are delivered to a phone number and not an app.

On the Play store there is a bunch of annoying checking for apps that request READ_SMS to prevent this very thing. Off Play such defense is impossible.



If they restricted sideloaded apps from sniffing SMS then I wouldn't mind all that much.


I use an app[0] to do scheduled exports of my SMS (which I rsync to my IMAP server and import into my mailbox for a "single pane of glass" view of my communication). I certainly don't want to lose this functionality.

[0] https://github.com/tmo1/sms-ie


There are about a half dozen permissions that are regularly abused by malware. These permissions are also extremely useful for a ton of completely legitimate features.

I am pretty confident that if Google had enabled this policy only for apps which use these permissions that the community would still be upset.


So no access to SMS for apps distributed on F-Droid?


Fine by me, what are people using SMS for in 2026 except for spam and sending 2FA codes insecurely?

(I'm being facetious here but this is massively preferable to disabling sideloading altogether)


> sideloading

If you care about the topic, which you seemingly do, stop using this doubleplusgood term.


Only require Developer Registration for apps with READ_SMS then.


There are about a half dozen permissions that are regularly abused by malware. These permissions are also extremely useful for a ton of completely legitimate features.

I am pretty confident that if Google had enabled this policy only for apps which use these permissions that the community would still be upset.



