Dear all,

I was just wondering why Android allows apps to access the SMS inbox (read SMS API) when no other mobile OS allows this due to security compromise issues.

*Threat Example:* Nowadays there are a lot of payment apps available in the market. While making a payment through those apps (this process is true for online PC-based transactions also):

1. The user has to give his user name and password.
2. Then, as a security measure (two-channel authentication), a "one time password" (OTP) is sent to the user's mobile.
3. The user has to enter this password on the screen to complete the transaction.

Since SMS read access is present in Android, the app itself can read the OTP and can complete the transaction. This is a huge security threat according to me, because if the app is not intended for a good purpose, it may do harm to the user. Once the user makes the 1st transaction, the app will have his user name and password. After that, the app can make a transaction at any time, even without any knowledge of the owner. So two-channel authentication is void in this case.

This needs attention from all Android lovers and an immediate fix for the sake of security.

Thanks
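
An added example, not part of the original post: a defender-side check that reads a decoded (text-form) AndroidManifest.xml and reports whether an app requests SMS read access, and whether it also requests network access, which is the combination the post is concerned about. The two manifests and their package names are constructed sample input.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_READ = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
INTERNET = "android.permission.INTERNET"

# Constructed sample manifests (hypothetical package names).
PAY_APP = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.payapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Pay"/>
</manifest>"""

NOTES_APP = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


def requested_permissions(root):
    """Collect every permission name the manifest asks for."""
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(f"{{{ANDROID_NS}}}name")
            if name:
                perms.add(name)
    return perms


def audit_manifest(manifest_xml):
    """Report SMS read access and whether it is paired with network access."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    sms = sorted(perms & SMS_READ)
    return {
        "package": root.get("package"),
        "sms_permissions": sms,
        # An app that can read incoming SMS can see an OTP delivered by SMS.
        "can_read_sms": bool(sms),
        # SMS read plus network access is the pairing worth a manual review.
        "needs_review": bool(sms) and INTERNET in perms,
    }


if __name__ == "__main__":
    for manifest in (PAY_APP, NOTES_APP):
        print(audit_manifest(manifest))
```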