dix0n Dec 23, 2015 @ 8:19am
SECURITY: Steam Guard login notification - the code should not be visible in the lock screen [Android]
Currently when I log in to Steam the Steam Guard code is shown in the notification preview in my lock screen. This is not the case for other notifications. For example, SMS and e-mail messages may contain sensitive data. Notifications for these applications will say 'Contents hidden'. This is not default behavior, though. Android has a setting in the 'Notifications' section of 'System Settings' called 'When device is locked' and I have it set to 'Hide sensitive notification content'. I would think the Steam Guard code is sensitive content.

Now, if someone has somehow obtained my username/password (e.g. with a key-logger) they only have to shortly look at my phone to see the code. They do not need to unlock my phone. Even though the attacker would need physical access to my phone I think this is still a serious security risk. You could think of situations where short physical access to someone's phone is not difficult (e.g. internet cafe or some other public place).

IMO the code should not be visible in the lock screen regardless of how the setting 'When device is locked' is set. But at least it should adhere to the setting (or provide its own setting for this).

PS: I have no idea how this works with iPhone or other smartphones but I am kinda expecting the same behavior. Maybe someone can comment on that.
Showing 1-15 of 15 comments
Neon1024 Jan 4, 2016 @ 1:18am 
Yep, I just came to the forums to post this. This is quite the oversight in my opinion; as OP says, pretty much all notification content is hidden, it seems to be the standard. :bandit:
wuddih Jan 4, 2016 @ 1:41am 
emails with steam guard codes?

i have mobile auth since april and never got any notifications from steam.
Tito Shivan Jan 4, 2016 @ 4:10am 
You can set up both notifications as private in Android so they won't show up on your lock screen.
Also, being logged out of the Steam mobile client doesn't push the notification on request (and is not needed to generate security codes)
Neon1024 Jan 4, 2016 @ 8:18am 
As it's a secure way of logging into an account it should be private by default.

For anyone looking for how to do this yourself,
1) https://support.google.com/nexus/answer/6111294?hl=en-GB
2) Follow "Option 1: Show all notification details, except for apps marked sensitive"

Then your Steam notifications screen should look like this, http://i.imgur.com/R5BvsIO.png
Last edited by Neon1024; Jan 4, 2016 @ 8:24am
Spawn of Totoro Jan 4, 2016 @ 11:38am 
If it didn't need the log-in and password as well, then I could agree with it being on by default. Since all 3 are needed, I see no reason for it to be on by default.
CornerCarton042 Jan 12, 2016 @ 6:28am 
I would very much like to have this feature, but I dont see the option to in my settings - what version of android are you using?
dix0n Jan 12, 2016 @ 9:55am 
I have recently upgraded to CyanogenMod 13 (Android 6.0.01). I can now disable notifications per application (Settings > Notifications > App notifications > Steam > Block all). However, this is not what I want nor how it should be. This disables all notifications for Steam. I do not even want to disable the Steam Guard Login Code notification. I simply want its contents to be hidden until I unlock my screen. Best of all worlds.

Other apps (email, gmail, sms, whatsapp etc) have this behavior. I am no Android developer but I think developers can specify whether content should be treated as sensitive:

http://developer.android.com/design/patterns/notifications.html

Go to section 'On the lock screen', it says:
Originally posted by AndroidDevelopers:
Because notifications are visible on the lock screen, user privacy is an especially important consideration. Notifications often contain sensitive information, and should not necessarily be visible to anyone who picks up the device and turns on the display.

Specifically the next section:
User control over information displayed on the secure lock screen

The method:
Notification.Builder.setVisibility()

Value (parameter I assume):
VISIBILITY_PRIVATE

Originally posted by AndroidDevelopers:
On the lock screen, shows basic information about the existence of this notification, including its icon and the name of the app that posted it. The rest of the notification's details are not displayed. A couple of good points to keep in mind are as follows etc etc
dix0n Jan 12, 2016 @ 9:57am 
You can even 'provide a different public version of your notification for the system to display on a secure lock screen'. It could say 'Hey, unlock your phone to see the steam guard login code'.
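As an added example (not code from this thread, from Valve or from the Android docs): a login-code notification built with the two calls discussed above, assuming a hypothetical LoginCodeNotifier helper and an assumed channel name. Note that VISIBILITY_PRIVATE still defers to the user's 'When device is locked' setting; only VISIBILITY_SECRET keeps the notification off the lock screen regardless of that setting.

```java
import android.app.Notification;
import android.app.NotificationChannel;
import android.app.NotificationManager;
import android.content.Context;

// Hypothetical helper, not Valve's code: posts a login-code notification whose
// contents stay hidden on the secure lock screen.
public final class LoginCodeNotifier {
    private static final String CHANNEL_ID = "login_codes"; // assumed channel id
    private static final int NOTIFICATION_ID = 4242;         // arbitrary id

    public static Notification build(Context ctx, String code) {
        // Public version: what the lock screen may show. The code is NOT in here.
        Notification publicVersion = new Notification.Builder(ctx, CHANNEL_ID)
                .setSmallIcon(android.R.drawable.ic_lock_lock)
                .setContentTitle("Login code available")
                .setContentText("Unlock your device to view the code")
                .build();

        // Full version: the code itself, only visible once the device is unlocked.
        return new Notification.Builder(ctx, CHANNEL_ID)
                .setSmallIcon(android.R.drawable.ic_lock_lock)
                .setContentTitle("Your login code")
                .setContentText(code)
                // PRIVATE: when the user hides sensitive content on the lock screen,
                // Android shows publicVersion (or just icon + app name without one).
                .setVisibility(Notification.VISIBILITY_PRIVATE)
                .setPublicVersion(publicVersion)
                // Codes are short-lived; drop the notification after a minute.
                .setTimeoutAfter(60_000L)
                .build();
    }

    public static void post(Context ctx, String code) {
        NotificationManager nm = ctx.getSystemService(NotificationManager.class);
        // Channels are mandatory from Android 8.0; re-creating one is a no-op.
        nm.createNotificationChannel(new NotificationChannel(
                CHANNEL_ID, "Login codes", NotificationManager.IMPORTANCE_HIGH));
        nm.notify(NOTIFICATION_ID, build(ctx, code));
    }
}
```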
Satoru Jan 12, 2016 @ 10:01am 
They don't consider the code 'private' since the attacker already has to have your username/password to initiate the attack
dix0n Jan 12, 2016 @ 10:04am 
@Neon: your solution seems to be another way of achieving the same thing. However:

Question: do I now have to specify per application whether it has sensitive content in its notifications myself or will Android follow the visibility option specified in code? Or a combination of both?

Remark: this means that all Steam App users will have to configure this themselves to make it secure. This doesn't seem right.
dix0n Jan 12, 2016 @ 10:08am 
@Satoru: that doesn't make sense to me and neither to others I hope. The Steam Guard Login Code (SGLC) is an extra layer of protection.

In my original post I explain that there could be situations where you can figure out someone's username/password and have physical access to someone's phone. Having the SGLC displayed on the lock screen defeats the purpose of the SGLC. In this case I'd rather have e-mail notifications since Android already regards their notifications to have sensitive content.
Last edited by dix0n; Jan 12, 2016 @ 10:10am
Coffee Jan 12, 2016 @ 11:15am 
Originally posted by Satoru:
They don't consider the code 'private' since the attacker already has to have your username/password to initiate the attack

Which kills the total point of the forced authenticator xD
Jack Bauer Mar 10, 2017 @ 9:21pm 
Turn it off and on again in the notification settings. It will be solved.
Last edited by Jack Bauer; Mar 12, 2017 @ 5:31am
Q Nov 28, 2017 @ 3:35pm 
I contacted Steam Support, this is what they said on the issue:

| "If you are experiencing problems with the Steam Mobile App, check the following:
| Make sure your device has the most recent OS update.
| Check the requirements of the Steam Mobile App for your OS and make sure your device
| meets those requirements.
|
| Please note: Disabling, fully reinstalling, or clearing data for the app will reset your
| Authenticator.
|
| We recommend using a Wi-Fi connection when installing the app."
|
| Steam Support,
| Nicolas

Hope this helps.
Talvy Dec 11, 2018 @ 4:39pm 
This is functioning as designed. There is an option on Android to hide sensitive content on the lock screen, but we do not feel that the two-factor code is sensitive content in this regard, and that the usability benefit of being able to always see the two-factor code on the lock screen outweighs any potential security concern. The code is only shown on your Android device for about a minute and only after somebody has used the correct username and password to login. Thus, any attacker must have physical access to your phone as well as knowledge of your Steam account's username and password to gain access to your account. So showing the code on the lock screen still meets the level of security we are attempting to achieve.

Valve employee “Drunken_F00l” on Reddit

Date Posted: Dec 23, 2015 @ 8:19am
Posts: 15