Android: Developer option against spying via accessibility features
Google has added a flag to Android 16 that allows app developers to block malware that spies through accessibility features.
Google has introduced features to improve the security of Android apps. With very simple additions, developers can better protect sensitive data in their apps against spying.
A post in the Android Developers Blog explains, for example, the new flag accessibilityDataSensitive in Android 16. Android malware, such as the Anatsa banking trojan, the Copybara malware and many others, often abuses accessibility features to spy on login credentials or other sensitive information from Android apps and exfiltrate them to the criminal masterminds. Google therefore also explains: "Malicious actors attempt to abuse Accessibility APIs to read sensitive information like passwords and financial details directly from the screen and to manipulate users' devices by injecting fake touches."
With the accessibilityDataSensitive flag, developers can now mark views or so-called composables as containing sensitive information. "If you set the flag to true in your app, you essentially block potentially malicious apps from accessing your sensitive data or performing interactions with it." The flag ensures that any app that requests accessibility permissions but does not declare itself as a legitimate accessibility tool (flag isAccessibilityTool=true) does not gain access to the view.
Google is already using the flag
Google developers have already integrated the new flag into the existing setFilterTouchesWhenObscured method. In apps where developers have already set setFilterTouchesWhenObscured(true) to protect the app from "tapjacking," views are automatically treated as sensitive data for accessibility. This is also intended to provide more security immediately without developers having to put in extra effort.
Google recommends that developers use either setFilterTouchesWhenObscured or accessibilityDataSensitive for all screens containing sensitive information – including login pages, payment flows, or views with personal or financial information. Further helpful information can be found in Google's developer article on Tapjacking.
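A layout audit for this recommendation, as an added example that is not from Google's post or this article: the script parses an Android layout XML file and reports password-type inputs that set neither android:accessibilityDataSensitive="yes" nor android:filterTouchesWhenObscured="true". The sample layout, the password-inputType heuristic and the rule that a child inherits its parent's marking are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample layout (not from the article).
SAMPLE_LAYOUT = """\
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android">
    <EditText android:id="@+id/username" android:inputType="text" />
    <EditText android:id="@+id/password" android:inputType="textPassword" />
    <EditText android:id="@+id/pin" android:inputType="numberPassword"
        android:filterTouchesWhenObscured="true" />
    <LinearLayout android:accessibilityDataSensitive="yes">
        <EditText android:id="@+id/card_cvc" android:inputType="numberPassword" />
    </LinearLayout>
</LinearLayout>
"""


def is_sensitive_input(view):
    """Heuristic (assumption): any password-style inputType holds sensitive data."""
    return "password" in view.get(ANDROID + "inputType", "").lower()


def unprotected_fields(layout_xml):
    """Return ids of sensitive inputs carrying neither protection flag."""
    findings = []

    def walk(view, inherited):
        own = view.get(ANDROID + "accessibilityDataSensitive", "auto")
        # Assumption: "yes"/"no" set the state, "auto" inherits the parent's.
        marked = inherited if own == "auto" else own == "yes"
        filtered = view.get(ANDROID + "filterTouchesWhenObscured") == "true"
        if is_sensitive_input(view) and not (marked or filtered):
            findings.append(view.get(ANDROID + "id", "<no id>"))
        for child in view:
            walk(child, marked)

    walk(ET.fromstring(layout_xml), False)
    return findings


if __name__ == "__main__":
    for view_id in unprotected_fields(SAMPLE_LAYOUT):
        print("unprotected sensitive field:", view_id)
```

Views configured only in code, for example through setFilterTouchesWhenObscured(true), are invisible to a layout scan like this and need a separate review.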
Google also implemented new features aimed at increasing data security in Android 15.
(dmk)