
SMS Retriever API and POLA (Principle Of Least Astonishment)

Open Lanchon opened this issue 11 months ago • 5 comments

hi,

@mar-v-in you are my hero, thanks for your work!

i've been a user of microg for quite a while. it works so well that it has been mostly out of sight and out of mind. but the downside to that is that i haven't been following the project closely.

i had to register today with a crappy app that required SMS verification, and suddenly i was horribly shocked: the crappy app got the content of an SMS directed to me without my permission!!

i got online and did some brief research, found out about the SMS Retriever API, and its microG implementation.

so it worked as intended. but maybe i wanted to register the app in a different phone from the one that had the sim card or in an emulator, and maybe the sim card phone also had the app installed (though not logged in), and what would have happened then.

because microg is privacy focused, i think it violated POLA, and it got me deep into a rabbit hole of ever bloating play services.

i immediately ran into microG permission settings and stripped SMS from them, hoping this offense would never repeat.

would you maybe consider taking the surprise element out of this feature?

  • the laziest way by far would be to add text to the SMS permission in "self-check". something like: "This permission enables applications that do not have the SMS permission to automatically verify your phone number via a specially crafted incoming SMS." (had this text been there, i would have never granted this permission in the first place.)
  • next level would be a new toggle in "play store services" (which i would suggest should be off by default).
  • finally, since microg already prompts the user under some conditions (eg, before app auth request to google), maybe it would not be too much work to prompt the user before a hash-marked SMS is forwarded to an app: "Allow application 'Bright Sparkling Trojan' to access the following received SMS? blahblah". (but of course this last option might be too much work.)

again, thank you for your vital work.

Lanchon avatar May 11 '25 08:05 Lanchon

To explain the details here: There are two features that use SMS in microG/Play Services, which are described here: https://developers.google.com/identity/sms-retriever/choose-an-api. Essentially, if an SMS includes a special token that is only meant to be used by the author of the app, it will be forwarded to the respective app without user consent; any other SMS needs user consent. So it's not possible to leak any confidential information here (the app is both the sender and recipient of the SMS content). The only information the app can gather through this is to know that you actually possess the phone number in question - which is what it would learn as soon as you type in the code retrieved.

I understand though that this might be confusing and give the impression the app can read your SMS. We can review in how far we can add a user consent in the process (might be non-trivial if apps don't expect it).

mar-v-in avatar May 11 '25 08:05 mar-v-in

@Lanchon You should note that some apps don't allow manual code insertion, so without this they will never work; in addition the SMS permission is hard restricted, so it will never be easy for an app to just ask the user and then grant it.

The simplest thing may be to just add an option to microG settings that can be enabled/disabled even if the SMS permission is granted.

ale5000-git avatar May 11 '25 10:05 ale5000-git

@mar-v-in

thanks for getting back!

i had already read about the two mechanisms and i was not confused about the workings of the SMS Retriever API.

So it's not possible to leak any confidential information here (the app is both the sender and recipient of the SMS content).

for me there is. as i said in the OP, maybe i am activating the app in a different device (another phone or emulator) than the device that actually holds the simcard i am using, or in the work profile? and i might have the app already in the device with the simcard, and what would happen then? maybe i alternate between using official and hacked versions of the app, on different devices or profiles, and i want to choose which one gets the SMS. or maybe i just don't want the app to verify that i am using a particular simcard whenever it wants, and i just want to be in the loop.

so there is some confidential info being leaked: whether i am using a particular simcard at any given time a 3rd party chooses to check, which is something i dislike and the reason i disabled microg's SMS permission.

in any case, i am not saying "the behavior must be changed", that is up to you. what i am saying is that the behavior should at least be disclosed when microg requests the SMS permission:

something like: "This permission enables applications that do not have the SMS permission to automatically verify your phone number via a specially crafted incoming SMS."

had it been, the surprise wouldn't have catapulted me into a researching spree that cost time and stress.

@ale5000-git

some apps doesn't allow manual code insertion so without this they will never work

i know that. i wasn't even going to suggest this, but since you brought it up:

maybe the app does not want to let me activate it in a different device than that which has the simcard installed, but they are overstepping their limits. they should only be concerned with me controlling that SMS number, and nothing else. whether i want to install the app in my main phone or in a tablet i will keep locked in a safe somewhere is my decision entirely.

so my position is that microg should absolutely allow spoofing an SMS receipt via the SMS Retriever API.

of course not everybody will agree, and most importantly, there is limited bandwidth on this project that should be administered wisely (and very likely SMS spoofing is not a priority, which is why i didn't mention it earlier).

thank you both!

Lanchon avatar May 12 '25 01:05 Lanchon

Just for clarification:

  • Not all SMS are forwarded to the app just because they have the token in them: The app first needs to start a time-constrained retrieving session. So in case you have two devices, where device A has the SIM card and you want to activate the app in device B, the app on device A will not have an active retrieving session just because you start the activation on device B. So the SMS will not be delivered to the app on device A and you can still use it to activate device B. Only if you try to activate both devices at the same time will it not be possible to select which device completes the verification; it will always be device A.
  • SMS will still be delivered as regular SMS, so apps can't silently verify you're still using a specific SIM card on a device.

Anyway, as I already said, I agree it would be good to:

  • Add an option to disable SMS Retriever API in microG settings
  • Ask the user for consent if apps want to use the SMS Retriever API. We already ask the user to grant SMS permission to microG whenever an app wants to use SMS Retriever API and microG doesn't have the permission, so this shouldn't be hard to accomplish.

mar-v-in avatar May 12 '25 06:05 mar-v-in
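The dispatch rules mar-v-in describes in the two comments above (token match plus an active, time-limited retrieving session; the SMS app always gets the message too), together with the two proposed controls (a global disable toggle and a consent prompt), modelled as a small Python simulation. This is an added example, not microG or Play Services code; the token format, the 300-second session lifetime and the sample message are assumptions constructed for the example.

```python
# Added example (not microG code): a toy model of the SMS Retriever dispatch
# rule. An SMS reaches an app silently only if that app has an active,
# time-limited retrieving session AND the message carries that app's token.
# The proposed kill switch and consent prompt are modelled as settings.
import time
from dataclasses import dataclass

REGULAR_ONLY = "delivered to SMS app only"
# Constructed sample; the trailing 11-char token is made up for this example.
SAMPLE_SMS = "Your code is 123456. FA+9qCX9VSu"


@dataclass
class Session:
    package: str
    app_hash: str        # assumed: 11-char token the app must embed in the SMS
    started_at: float
    ttl: float = 300.0   # assumed session lifetime in seconds

    def active(self, now: float) -> bool:
        return now - self.started_at < self.ttl


class SmsRetrieverModel:
    def __init__(self, enabled=True, ask_consent=None, clock=time.time):
        self.enabled = enabled          # proposed "disable SMS Retriever" toggle
        self.ask_consent = ask_consent  # proposed prompt: callable(package, body) -> bool
        self.clock = clock              # injectable so expiry can be simulated
        self.sessions: dict[str, Session] = {}

    def start_retriever(self, package: str, app_hash: str) -> None:
        """The app must explicitly open a session before any SMS can reach it."""
        self.sessions[package] = Session(package, app_hash, self.clock())

    def on_sms_received(self, body: str) -> str:
        """Return where the message went. The SMS app always receives it."""
        now = self.clock()
        # Drop expired sessions first so a stale registration never matches.
        self.sessions = {p: s for p, s in self.sessions.items() if s.active(now)}
        if not self.enabled:
            return REGULAR_ONLY
        for s in list(self.sessions.values()):
            if body.rstrip().endswith(s.app_hash):
                if self.ask_consent is not None and not self.ask_consent(s.package, body):
                    return REGULAR_ONLY         # user declined the prompt
                del self.sessions[s.package]    # one-shot: session is consumed
                return f"forwarded to {s.package}"
        # No token match: an app would need the separate user-consent flow.
        return REGULAR_ONLY
```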

Just chiming in to say that I also would very much like to have an ability to disable this functionality if possible.

I'm not specifically aware of any apps that use this in my region (USA) but I know it's very commonly used in India, for example.

Sapiosenses avatar May 13 '25 16:05 Sapiosenses