13

I've noticed quite a few apps requesting the RECEIVE_SMS permission. Two things are clear to me here:

  • RECEIVE_SMS enables an app to "snap" incoming SMS
  • READ_SMS just applies to SMS already stored

As some of the apps were just asking for RECEIVE_SMS, but not for READ_SMS, I got curious: this seems to imply RECEIVE_SMS is not only targeted at the receiving part, but the app can also do what it wants with the received message – e.g. read it, then throw it away silently (so the user doesn't even notice there was an SMS – which might be the way TAN Trojans act to snap identifiers for online banking transactions).

But would it also be possible for such an app to "intercept" the message, i.e. receive it, read it (and process its content in any way, e.g. forwarding it by other means such as via IP), and then pass it on as if nothing had happened? In other words: Can it spy on the user this way?

Izzy

2 Answers

13

Yes, it can, but only on Android 4.3 and lower. This is used for example in Whatsapp. When you activate the app, Whatsapp sends an SMS to the number you reported, and the app intercepts it quietly and reports to the servers that it has received the SMS. This is how the account is tied to your number.

Of course, this can be used in harmful apps also. If an app registers as an SMS receiver with the highest priority, the app can listen for incoming SMSs, process them and either dismiss them without the user ever noticing, or forward them to the next SMS listener with the second-highest priority.

This has been redone in Android 4.4, and if I understood correctly, only the default SMS app has access to all incoming SMS (SMS_DELIVER_ACTION), and the other apps with correct permissions will only receive a notification of the incoming message (SMS_RECEIVED_ACTION). In addition, the SMS_RECEIVED intent is non-abortable: it can't be stopped. I assume that in Android 4.4, this is done to allow the user to see all incoming SMS messages in the default app.

Edit: Found some more useful info on the Android Developers Blog. I'd test this further, but my only Android phone is currently WiFi-only, so no SMS :/

aleksikallio
  • Thanks a lot for the insights, onik! Didn't know about those KitKat changes. With those in place, did I understand correctly that e.g. WhatsApp would now need the READ_SMS permission as well to access its "activation code" – or do apps with the RECEIVE_SMS permission "receive a copy" now (except for the default SMS app, which would "receive the original")? – Izzy Jun 09 '14 at 13:09
  • @Izzy I have a question about this too. Would the user now see these control texts directly in their default app now? Or would it be an option to be able to see "consumed" texts, but not actually show up in your regular text app? – Cruncher Jun 09 '14 at 19:32
  • @Cruncher I was the one asking the question, so I'd say your question is better directed at onik or daamit, who answered it. Whether an app presents an option is up to the dev, I'd say. It's unlikely to be "mandatory". – Izzy Jun 09 '14 at 20:33
  • @Izzy If I understood correctly, the apps which are not set as the default SMS app can access a read-only provider, meaning they don't need READ_SMS permission, but they are unable to edit the SMS (mark as read, delete etc.). – aleksikallio Jun 10 '14 at 09:17
  • @Cruncher The messages should show up in your default SMS app, since only that app can write to the SMSProvider in order to delete the messages. – aleksikallio Jun 10 '14 at 09:18
  • Thanks for the update, @onik! Useful insights behind that link (and interesting side-effects when it comes to multiple SMS apps or backup/restore ;) I'm accepting your answer now – but continue looking forward to your promised updates ;) – Izzy Jun 10 '14 at 09:33
  • @Izzy It was directed at onik. I pinged you because I figured you'd be interested too, and onik was getting a notification anyway. – Cruncher Jun 10 '14 at 12:44
  • "Yes it can". But only on Android 4.3 and lower. Since 4.4 SMS_RECEIVED is a non-abortable Intent. Please add that important fact. See also http://stackoverflow.com/questions/20021492/enabling-sms-support-in-hangouts-2-0-breaks-the-broadcastreceiver-of-sms-receive – Flow Jun 14 '14 at 23:16
10

As things stand:

  1. Android 4.3 and below without the Hangouts app: any app with SMS_RECEIVE permission can read/abort an incoming SMS (a la WhatsApp)
  2. Android 4.3 and below with Hangouts (SMS mode turned on): any app with SMS_RECEIVE permission can read but not abort an incoming SMS
  3. Android 4.4 and above: any app with SMS_RECEIVE permission can read but not abort an incoming SMS

In all three cases, READ_SMS will give the app permission to read all the SMSs, not just new incoming SMSs.

As onik mentioned, things have changed quite a bit in Android 4.4.

daamitt
  • Thanks for pointing out Hangouts might make a difference for Android < 4.4! Guess that corresponds to what onik pointed to with "an app registers as an SMS receiver with the highest priority", and Hangouts is doing exactly that (so no other app can top it)? – Izzy Jun 09 '14 at 14:07