One of the best security practices is to use a strong password whenever possible and enable two-factor authentication (2FA).
Although some forms of 2FA are more secure than others, certain platforms only support basic methods, such as sending one-time passwords (OTPs) via email or SMS. These methods are convenient because they do not require additional configuration, but they are also less secure because they are more vulnerable to interception.
The Android 14 QPR3 Beta 1 update was found to include a new permission called RECEIVE_SENSITIVE_NOTIFICATIONS.
This permission has the protection level Role|Signature. This means that it can only be granted to applications with the required role or applications signed by the OEM. Although the exact role that grants this permission has not yet been defined, it is likely that Google does not intend to open this permission to third-party applications.
This new functionality is intended to hide sensitive notifications from untrusted applications that implement a NotificationListenerService. This service allows applications to read or take action on all notifications, and users must manually grant permission in Settings before the NotificationListenerService API is available to an app.
Given the power of this permission, it’s no surprise that Google is looking to limit the type of data apps can access. While we don’t know exactly what constitutes an “untrusted” app, it’s likely that this designation applies to those that don’t have the new RECEIVE_SENSITIVE_NOTIFICATIONS permission. This permission probably only applies to certain system apps.
The type of notifications considered “sensitive” is also not fully defined. However, there are signs that these are notifications that contain 2FA codes. Everything indicates that Android will prevent untrusted applications from reading notifications that contain 2FA codes.