Authy brings the future of strong authentication to the convenience of your Android device. The Authy app generates secure 2-step verification tokens on your device.

Attack Scenario: In today's high-tech era, it is not difficult to know someone's (friend, colleague, manager, relative, etc.) Gmail ID and mobile number, and to check whether that mobile number is mapped to a Google account. An attacker who knows the Gmail ID and phone number of a victim user, and who has access/reachability/visibility to the victim's mobile device (even in security-locked mode), can initiate a request for a verification code to be sent to the mobile number and read the code popping up in the notification pane. So the root cause is the SMS content displayed in the notification pane of a locked Android mobile, and the real concern becomes: is it really necessary to display the SMS contents as a notification? On reading the verification code, the attacker can reset the password of the victim's account by entering the verification code and the new desired password.

As discussed earlier, below are the screen lock options on an Android phone (from 3-5). If the user selects to configure any one of options 3-5, he/she needs to feed in the same for accessing the device and its information. Now consider that the phone screen is locked with the desired option and the mobile phone receives the verification code.
In this case, the user selects to receive a text message with a verification code on her pre-configured mobile number.
Google, being one of the top web-based service providers, has a huge number of Internet users availing its free and paid services for their day-to-day personal and/or professional needs.
Many of them have configured their mobile phone number for their account password recovery options.
However, the issue described here does not need you to punch in any type of security code or pattern to read the arrived SMS content, and thus it facilitates compromising the Google account configured to use the said mobile phone.
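Since the root cause is the message body being rendered on the locked screen, an app that surfaces verification codes (an SMS client or an authenticator) can keep the code out of the lock-screen notification. The following is an added example written for this post, not code from Authy, Google or Varutra; the channel id is a placeholder and the builder is AndroidX NotificationCompat.

```java
import android.app.Notification;
import android.content.Context;
import androidx.core.app.NotificationCompat;

/** Added example: the leaky and the lock-screen-safe way to notify about a verification SMS. */
public final class CodeNotifications {
    // Hypothetical channel id; on Android 8+ the app must create this channel first.
    static final String CHANNEL_ID = "verification-codes";

    /** Weak form: the full SMS body, code included, is shown on the lock screen. */
    public static Notification leaky(Context ctx, String sender, String smsBody) {
        return new NotificationCompat.Builder(ctx, CHANNEL_ID)
                .setSmallIcon(android.R.drawable.ic_dialog_info)
                .setContentTitle(sender)
                .setContentText(smsBody)   // e.g. the constructed sample "Your verification code is 123456"
                .setVisibility(NotificationCompat.VISIBILITY_PUBLIC)
                .build();
    }

    /** Hardened form: the body is shown only after unlock; the lock screen gets a redacted version. */
    public static Notification lockScreenSafe(Context ctx, String sender, String smsBody) {
        Notification redacted = new NotificationCompat.Builder(ctx, CHANNEL_ID)
                .setSmallIcon(android.R.drawable.ic_dialog_info)
                .setContentTitle(sender)
                .setContentText("New message. Unlock to view.")
                .build();
        return new NotificationCompat.Builder(ctx, CHANNEL_ID)
                .setSmallIcon(android.R.drawable.ic_dialog_info)
                .setContentTitle(sender)
                .setContentText(smsBody)
                .setVisibility(NotificationCompat.VISIBILITY_PRIVATE) // hide body on a secure lock screen
                .setPublicVersion(redacted)                            // shown in place of the body
                .build();
    }
}
```

VISIBILITY_PRIVATE is honoured only when the user's lock-screen setting hides sensitive content; VISIBILITY_SECRET keeps the notification off the lock screen regardless of that setting.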
The issue has been identified/reported by the at Varutra Consulting. Android phones/tablets SMS functioning: In case of a forgotten password, the user needs to go to "can't access your account?