I have recently installed an Android app from the Play Store. While registering in it, I realized that it was able to read my OTP message without even asking for my permission to read the message.

I have AOSP Extended 5.8 with the August security patch. It's an Android Oreo 8.1-based custom ROM.

ankk98

1 Answer

Verification by OTP uses a different API which doesn't need the read SMS permission. You can read more here: Perform SMS Verification on a Server.

Hence, the app isn't reading your SMS but using a separate channel to read specially formatted text messages.

I learnt of this when an Xposed module to block permissions did not work as I expected (similar case) and the developer explained the reason.

beeshyams
  • How is it decided which app can use the API to read which text? There must be something that prevents app X from reading the text of app Y by using the API. – ankk98 Sep 15 '18 at 10:28
  • Also, if you read the linked API, it talks about hash and coding, which means only the authorized app can read – beeshyams Sep 15 '18 at 10:37
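
The hash binding mentioned in the last comment, as an added Python example that is not part of the original answer or comments. It models how a message carrying an app hash is matched to exactly one installed app. The hash derivation, the 140-byte limit and the hash-at-the-end message layout are assumptions taken from the SMS verification API documentation; the package names and certificate bytes are constructed.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional

MAX_SMS_BYTES = 140  # assumed message size limit from the API documentation


def app_hash(package_name: str, signing_cert: bytes) -> str:
    """11-character string bound to one package name and one signing cert."""
    # Assumed derivation: SHA-256("<package> <cert as lowercase hex>"),
    # keep the first 9 bytes, base64-encode, keep the first 11 characters.
    app_info = f"{package_name} {signing_cert.hex()}".encode()
    digest = hashlib.sha256(app_info).digest()
    return base64.b64encode(digest[:9]).decode()[:11]


def recipient(message: str, installed: Dict[str, bytes]) -> Optional[str]:
    """Return the installed package whose hash ends the message, if any."""
    words = message.split()
    if not words or len(message.encode()) > MAX_SMS_BYTES:
        return None
    tail = words[-1].encode()
    for package, cert in installed.items():
        if hmac.compare_digest(app_hash(package, cert).encode(), tail):
            return package
    return None  # ordinary SMS: stays behind the READ_SMS permission


# Constructed sample data: hypothetical packages and stand-in cert bytes.
INSTALLED = {
    "com.example.appx": b"constructed-cert-for-app-x",
    "com.example.appy": b"constructed-cert-for-app-y",
}
OTP_FOR_X = "Your code is 493817\n" + app_hash(
    "com.example.appx", INSTALLED["com.example.appx"])

if __name__ == "__main__":
    print(recipient(OTP_FOR_X, INSTALLED))              # app X only
    print(recipient("Your code is 493817", INSTALLED))  # no hash: nobody
```

Because the signing certificate is part of the hash input, a repackaged copy of app X signed with a different key gets a different hash and is not handed the message.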