Some thoughts on Google's move to restrict accessibility service

Tags: #android, #a11y.

In the last couple of days, many reports (see XDA developers, The Hacker News) appeared about Google emailing apps developers about new restriction affecting the Android accessibility service (a11y, in short). The gist: in 30 days, apps should use a11y only to implement features to assist users with disabilities; Apps misusing a11y (even for benign purposes) will get kicked out from the store.

I am one of the many researchers that showed how a11y poses severe issues for Android security. I did it by showing how you could mount a number of devastating attacks, and other researchers recently found real-world malware abusing them (see Zimperium's post on Clicking Bot Apps, or TrendMicro's post on a11y abuse).

It has been a community effort, and Google is finally taking actions. But I don't understand how this Google's move is going to help the ecosystem. Here there are my thoughts.

The good guys and the ecosystem are negatively affected

Bad guys probably don't care much

Can't LastPass use the new AutoFill API?

Yes. But, unfortunately, the AutoFill API is only available in Android's latest version, Android O, which, according to Google's dashboard, only 0.3% of devices currently run. Yesterday LastPass published a short blog post, where they state that "they are working with Google." The post says that there is "no immediate impact to our Android users". Well, we knew already that the kickout party will be in ~30 days, so this doesn't say much. I hope they will find a deal.

Can't Google add a backward-compatibility layer for older versions?

Without modifying the framework, I have no idea how they could do it. Tricks you can do with a11y clearly bypass many security barriers. If there is a way to do this without framework modifications, then we'll see more papers on how to abuse this ;-) If there is no way to do it, then we need framework modifications. Which millions of devices will never see anyways. Auch.

What's Google's plan?

Honestly, I have no idea. I somehow hope that Google will actually be quite lenient with well known apps. But how can they select which apps are OK? Do they need to have 1M+ installs? How do you set the threshold? I don't know. Don't get me wrong, there are tons of super smart folks working at Google. I'm sure they have a plan. Here I'm just saying, I have no idea what's going on :-)


It turns out that the Android folks changed their minds. According to this report on ArsTechnica, Google paused its decision to ban a11y-related apps for another 30 days while it considers responsible uses of accessibility services.


comments powered by Disqus