A malicious application can read notifications sent by the operating system or other applications, which may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. A malicious application can also dismiss notifications to prevent the user from noticing that the notifications arrived and can trigger action buttons contained within notifications.
|M1013|Application Developer Guidance|Application developers could be encouraged to avoid placing sensitive data in notification text.|
On Android devices with a managed work profile (enterprise managed portion of the device), the
The user can inspect (and modify) the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access).
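The same list can be audited from a workstation over adb. The script below is an added example, not part of the original page: it parses the colon-separated `package/class` value of the `enabled_notification_listeners` secure setting and reports packages that are not on an allowlist. The function names, the sample value and the allowlist are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which packages hold notification access on Android.
# Input format: the colon-separated "package/class" components returned by
#   adb shell settings get secure enabled_notification_listeners
# SAMPLE and ALLOWLIST below are constructed, not taken from a real device.

# Print one unique package name per line for every listener component in $1.
listener_packages() {
    # Empty, or the literal "null" printed for an unset key: no listeners.
    case "$1" in ''|null) return 0 ;; esac
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r comp; do
        [ -n "$comp" ] || continue
        printf '%s\n' "${comp%%/*}"   # keep the package part before "/"
    done | sort -u
}

# Print packages with notification access that are missing from the
# allowlist in $2 (whitespace-separated package names).
unexpected_listeners() {
    listener_packages "$1" | while IFS= read -r pkg; do
        found=0
        for ok in $2; do
            if [ "$pkg" = "$ok" ]; then
                found=1
                break
            fi
        done
        [ "$found" -eq 1 ] || printf '%s\n' "$pkg"
    done
}

# Constructed sample value: one expected companion app, one unexpected app.
SAMPLE='com.example.wearsync/com.example.wearsync.NotifService:com.example.flashlight/com.example.flashlight.Listener'
ALLOWLIST='com.example.wearsync'

# On a connected device, pass the live value instead of SAMPLE:
#   unexpected_listeners "$(adb shell settings get secure enabled_notification_listeners)" "$ALLOWLIST"
unexpected_listeners "$SAMPLE" "$ALLOWLIST"
```

Any package this prints should be reviewed and, if not recognized, have its notification access revoked in the settings screen named above.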