How does an app (e.g. Whatsapp) automatically detect when the phone receives a 2FA SMS verification code without being granted SMS read permissions?

Asked Aug 23 '19 at 13:20

Active Aug 23 '19 at 13:20

Viewed 198 times

When installing some apps (for example Whatsapp) the user is required to receive a verification code on the phone via SMS.

I have noticed that some apps automatically verify this code as soon as the text message is received by the phone, without the user having to open the SMS message or type the code manually. The app does this without being granted any permissions by the user to access or read their calls and texts.

How is this possible, and is it a privacy or security concern?

asked Aug 23 '19 at 13:20

WackGet

Whatsapp requests the permission <uses-permission android:name="android.permission.RECEIVE_SMS"/> in it's manifest. Therefore it is no magic that it can read the 2FA SMS code. – Robert Aug 23 '19 at 13:59
1

Google Play services do that on behalf of WhatsApp, like many other things like doing analytics and receiving Push Notifications. Deny SMS permission to GMS/GSF and SMS verification won't work. – Irfan Latif Aug 23 '19 at 18:47

How does an app (e.g. Whatsapp) automatically detect when the phone receives a 2FA SMS verification code without being granted SMS read permissions?

0 Answers0