Android O could make SMS authentication easier with a new API that allows for a more streamlined process. The new API was discovered by a poster on XDA-Developers. It automatically authenticates an application or a service once a verification code is received via an SMS message. The entire process is performed without the user manually entering the code or granting the application access to read SMS messages. The latter could be especially risky, since granting an app the permission to read SMS messages gives it access to the entire SMS history. In order to streamline the process of making accounts more secure, Android has a new API that will eliminate certain steps in the SMS authentication process.
The entire process will start when an app creates a PendingIntent, which allows an application to perform a certain action as if it is the device operator. This PendingIntent will carry the string createAppSpecificSmsToken, which specifically instructs the device that an application is expecting an SMS message of a specific format. Once Android detects that an SMS message of the desired format and content has been received, the operating system will send the verification code contained in the SMS message directly to the application, without the app having to look into the SMS messages on the device. Meanwhile, the message containing the authentication code will no longer appear in the device inbox.
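The flow described above, sketched against the API as it shipped in Android 8.0 (API 26), where `createAppSpecificSmsToken` is a method on `SmsManager` that takes the PendingIntent and returns a token for the server to include in the SMS. This is an added example, not code from the article or from XDA-Developers; the class name, action string, `Listener` callback and 6-digit code format are assumptions.

```java
// Added example, not from the article. SmsCodeReceiver, ACTION_SMS_CODE, Listener
// and the 6-digit code format are assumptions made for illustration.
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.provider.Telephony;
import android.telephony.SmsManager;
import android.telephony.SmsMessage;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Declare in the manifest with android:exported="false": only the PendingIntent
// handed to the system should be able to reach this receiver.
public class SmsCodeReceiver extends BroadcastReceiver {
    public interface Listener { void onCode(String code); }

    static final String ACTION_SMS_CODE = "com.example.app.SMS_CODE"; // hypothetical
    private static final Pattern CODE = Pattern.compile("\\b(\\d{6})\\b"); // assumed
    static volatile Listener listener;

    /** Registers a one-time request; per the article, no SMS read permission is involved. */
    public static String requestToken(Context ctx) {
        Intent target = new Intent(ctx, SmsCodeReceiver.class).setAction(ACTION_SMS_CODE);
        // Apps targeting API 31+ must additionally pass a PendingIntent mutability flag.
        PendingIntent pi = PendingIntent.getBroadcast(
                ctx, 0, target, PendingIntent.FLAG_UPDATE_CURRENT);
        // Single-use token; the server must place it in the body of the SMS it sends.
        return SmsManager.getDefault().createAppSpecificSmsToken(pi);
    }

    @Override
    public void onReceive(Context ctx, Intent intent) {
        if (!ACTION_SMS_CODE.equals(intent.getAction())) return;
        // The system attaches the matching SMS PDUs to the intent it delivers.
        SmsMessage[] parts = Telephony.Sms.Intents.getMessagesFromIntent(intent);
        if (parts == null) return;
        StringBuilder body = new StringBuilder();
        for (SmsMessage part : parts) {
            if (part != null) body.append(part.getMessageBody());
        }
        Matcher m = CODE.matcher(body);
        Listener l = listener;
        if (m.find() && l != null) l.onCode(m.group(1));
    }
}
```

The app sends the string returned by `requestToken` to its backend along with the phone number, and the backend embeds it in the verification SMS so the system can match the message to the pending request.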
Sending verification codes through SMS messages is still a popular method of two-factor authentication. This method is still in use in different parts of the world by banks, online services, and many others. However, using SMS messages may not be as secure as using other methods of authentication like Google Authenticator. This is especially true given the recent reports of hackers taking advantage of the security flaws of the SS7 signaling protocol to route SMS messages for certain numbers, allowing hackers to read messages that may contain the authentication codes. Nonetheless, SMS authentication is still more secure than not having one at all, and this new API will make it easier for everybody to secure their accounts.