Android 17: Google cracks down on Accessibility API abuse
In the upcoming Android 17 update, Google is cracking down more strictly on apps that misuse accessibility services. Some apps could become useless as a result.
"Restricted by Advanced Protection Program": Android 17 warns about apps misusing the AccessibilityService API.
(Image: Andreas Floemer / heise medien)
In Android 17 Beta 2, Google is blocking apps from accessing an interface that is actually intended for accessibility. If the Advanced Protection Program is enabled to better protect users and their data from attacks, launchers, automation tools, or customization apps may become useless. Google has been taking action against the misuse of the interface for years, albeit rather half-heartedly until now.
A little more security
As first reported by the specialist blog Android Authority, Google is taking the Advanced Protection Program, which was integrated into the OS with Android 16, a step further. With the update to Android 17 Beta 2, certain apps that use the AccessibilityService API to enable specific functions can still be installed. However, when trying to activate the app's accessibility service, users encounter a block. A window appears with the message "Restricted by Advanced Protection Program." From here, users can disable the Advanced Protection Program if they consider the app more important than their security.
Users should be aware that this API is also often used by Android malware, such as the Anatsa banking trojan or the Copybara malware, to spy on login credentials or other sensitive information from Android apps and exfiltrate it to the attackers. With Android 16, Google integrated optional protection via a flag (e.g., accessibilityDataSensitive) that developers can use.
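The flag is set per view in an app's layout XML. As an added example (not from the article or from Google), the following script audits a constructed sample layout for password inputs that are not covered by `android:accessibilityDataSensitive="yes"`. It assumes the documented rule that a view left at the default (`auto`) inherits protection from a sensitive parent; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: XML namespace

# Constructed sample layout for this example (not taken from any real app).
SAMPLE_LAYOUT = """<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:orientation="vertical">
  <EditText android:id="@+id/username" android:inputType="text" />
  <EditText android:id="@+id/password" android:inputType="textPassword" />
  <EditText android:id="@+id/pin" android:inputType="numberPassword"
      android:accessibilityDataSensitive="yes" />
  <LinearLayout android:accessibilityDataSensitive="yes">
    <EditText android:id="@+id/otp" android:inputType="textVisiblePassword" />
  </LinearLayout>
  <EditText android:id="@+id/legacy_pass" android:inputType="textPassword"
      android:accessibilityDataSensitive="no" />
</LinearLayout>
"""


def is_password_field(el):
    """True when android:inputType names a password variation."""
    flags = el.get(A + "inputType", "").split("|")
    return any("password" in flag.lower() for flag in flags)


def find_unprotected(layout_xml):
    """Return ids of password inputs that any accessibility service may read."""
    findings = []

    def walk(el, parent_sensitive):
        value = el.get(A + "accessibilityDataSensitive", "auto")
        if value == "yes":
            sensitive = True
        elif value == "no":
            sensitive = False
        else:  # "auto": modelled here as inheriting from the parent only
            sensitive = parent_sensitive
        if is_password_field(el) and not sensitive:
            findings.append(el.get(A + "id", "<no id>"))
        for child in el:
            walk(child, sensitive)

    walk(ET.fromstring(layout_xml), False)
    return findings


if __name__ == "__main__":
    for view_id in find_unprotected(SAMPLE_LAYOUT):
        print("not protected:", view_id)
```

Only explicit attribute values and parent inheritance are modelled, so treat the output as a review list and not as proof that the remaining views are protected.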
However, according to Google's support documentation, the AccessibilityService API is actually intended to support people with disabilities. Apps like screen readers, switch-based input systems, and other assistive technologies use this API to read screen content aloud or perform actions for the user. There are other legitimate uses for the Accessibility API, such as password managers like Bitwarden using it to find input fields in forms. Google has clear guidelines for its use to prevent misuse.
First warnings back in 2017
However, the interface can still be misused by developers to implement functions that are not intended by Google in this form. Numerous apps have used this "trick" over the years. These include automation tools like Tasker, customization apps, surveillance apps, and some launchers like the SmartLauncher.
The curious thing is: Google already threatened app developers in 2017 with removal from the Play Store if they misused the API. To this day, Google does not seem to have enforced this. Under Android version 16 QPR3, which Google released for Pixel devices in early March, apps like DynamicSpot, which simulates a kind of "Dynamic Island" like on Apple iPhones, can access the API to create an overlay.
(afl)