Flash SMS should not be readable when phone is locked [answered]
When a OTP message is sent to the phone it is displayed directly on (or perhaps above) the lock screen. This is obviously a security issue as OTP messages are used for identification/verification. If the message can be seen without unlocking the device someone could easily login to your webmail/company network/internet bank/whatever by just knowing their login user and manage to "borrow" your (locked) phone for a few minutes.
EDIT: (disclaimer) I must admit that I'm not entirely certain on this, as I don't know the technology behind it, or even if there is an OTP (One Time Password) standard for text messages, but I have one account which uses OTP for login, and these messages do not appear in the normal message app, but is displayed directly above everything else (including the lock screen). These messages are not saved, and there are no sender, but you have the option to copy the content to clipboard or just remove the message (so at least the developers have done something to handle these special messages).
It could be that these messages are not meant to be used for OTP, but I don't really think it matters... No message that anyone sends from the outside to my phone should be visible when the phone is locked.
EDIT 2: Updated title as marttipiirainen pointed out that the messages are Flash SMS. I still consider this a security (and privacy) issue though. Consider a banking system where you login with username and password, but to for example pay your bills you also have to enter a OTP. If the session is stolen (through unsecure network, a trojan or just some really quick hand manoeuvrer when the owner is not looking) you can use this to cause lots of damage. Granted, this is a pretty dumb security system, but unfortunately there are quite a few dumb security systems around...
Then there is a privacy issue, imagine someone starts using flash SMS to have conversations they don't want to save on their phones. As google recently proved you can cause lots of suffering to peoples life if you accidentally leak personal information. Since you can't approve the messages (or even senders) beforehand you should not display them until the phone is unlocked.
EDIT 3: Big thanks to rainisto and marttipiirainen for pointing me in the right direction. Flash SMS, or class 0 messages should be handled like this (source):
When a mobile terminated message is class 0 and the MS has the capability of displaying short messages, the MS shall display the message immediately and send an acknowledgement to the SC when the message has successfully reached the MS irrespective of whether there is memory available in the (U)SIM or ME. The message shall not be automatically stored in the (U)SIM or ME.
The ME may make provision through MMI for the user to selectively prevent the message from being displayed immediately.
If the ME is incapable of displaying short messages or if the immediate display of the message has been disabled through MMI then the ME shall treat the short message as though there was no message class, i.e. it will ignore bits 0 and 1 in the TP-DCS and normal rules for memory capacity exceeded shall apply.
Although it uses the word "immediately" I would argue that that is more of a reflection of the time when the specification is written. The wording has been exactly the same since at least 1995. My guess is that the class 0 messages originally was intended to send messages that did not require the device to have persistent storage. Today we have multitasking devices with tons of memory, the technical limitation which required the message to be taken care of "immediately" is simply not there any more. (Also, anyone knows if you had to open the key lock on older devices to read these messages back in the days?)
The only reason I can think of where a message would be so important that it should always be displayed immediately would be emergency announcements from authorities, but since class 0 messages can come from anyone who has a GSM device I don't think you should design the system around this. Especially since it (today) seems way more common to send OTP (which is very private data) using class 0 messages.
Even if you think my reasoning is wrong or for some other reason want to keep the current design which displays the message above the lock screen, then please at least give us an option to disable it. The specification explicitly allows the user to disable immediate display and (as far as I understand it) receive the messages as normal SMS.
Could you define what OTP is? All my messages are anonymous...
gabriel ( 2014-01-23 19:13:41 +0200 )editNever heard about Flash SMS, what are they, who uses them and for what? Thanks for any info ;)
foss4ever ( 2014-01-24 16:59:01 +0200 )editSome governments use class 0 mass SMS's for tsunami warnings for example. And you surely would like to see them even if device is locked if your near a beach.
rainisto ( 2014-01-24 23:25:09 +0200 )edit@rainisto Yes ok, , so it seems that Jolla is here working as it supposed to be..The issue then are services and operators that send these Class 0 msgs in lesser important purposes and cases..
foss4ever ( 2014-01-24 23:59:06 +0200 )edit@rainisto that is a legit reason to keep the current design, but the odds that you are saved because you saved 10 seconds by not entering your security code is really low. I think the privacy and security implication of having your private messages read by anyone is more important.
Feffe ( 2014-01-25 13:10:07 +0200 )edit