What is an Accessibility Service?
To understand why this is significant, we first need to explain what Accessibility is in relation to Android. In general, accessibility refers to making an Android app more accessible to users with certain disabilities such as those who are visually impaired. While it’s in every developer’s best interests to make their apps more accessible to users with disabilities, there are a special class of applications that are designed to enhance the usability of all Android apps for users with disabilities. These are called Accessibility Services.
An Accessibility Service, commonly referred to as a11y, is an app that the system can feed certain information to depending on what events the Accessibility Service registers to listen for. An app that wishes to implement an Accessibility Service must add the android.permission.BIND_ACCESSIBILITY_SERVICE permission to the AndroidManifest file so only the system can bind to the app’s service.
For example, if an Accessibility Service is built to listen for TYPE_VIEW_CLICKED events, then that service will receive information from the system about any buttons that the user might press. An Accessibility Service can also react to and consume certain gestures and KeyEvents before other apps receive them. Finally, an Accessibility Service can also inject certain KeyEvents such as the back, split-screen, or recent apps button.
Thus, Accessibility Services can be extremely powerful and useful. Several of the most popular, innovative applications on the Google Play Store rely on a11y to perform their duties. Here are just some of the few examples I came up with off the top of my head:
AutoInput – intercept KeyEvents and perform tap/swipe gestures
Button Mapper – intercept KeyEvents and remap them to other KeyEvents
Greenify – automatically hibernate apps by force closing them before the screen turns off
Inputting+ – detect when the keyboard app is open to show the floating action button
LastPass – scan pages for username/password entries (necessary before Android Oreo)
Swiftly Switch – send KeyEvent for the back button
Tasker – detect when apps are open so you can perform any user-defined action
Type Machine – record all text input so you will never lose any text entry
None of these applications use a11y in the way Google intended, which is to help users with disabilities. I would wager that the vast majority of applications that implement an Accessibility Service do so for functions outside of Google’s purview. But that’s the beauty of Android and APIs like Accessibility—Google usually doesn’t restrict what developers can and cannot do. That lax approach with the use of Accessibility Services appears to be changing, however, as the Google Play Store team has been sending emails to developers warning them of upcoming changes to their policy regarding a11y.
What exactly is Google doing?
The company is informing developers that if their application uses an Accessibility Service for any reason other than assisting users with disabilities, then they must remove the use of this permission within 30 days or their application will be removed from the Play Store. Failure to abide by this requirement can result in an infraction against a developer’s Play Store account, which can eventually lead to account termination.
For the few apps that do use a11y to aid users with disabilities, Google states that these developers need to simply add a prominent, user-facing disclosure of the reason behind why their app needs the permission. However, as I mentioned before Accessibility Services are used far more often in apps that would end up violating this new policy.
Why is Google removing Accessibility Services from the Play Store?
While the use of Accessibility Services are known to cause quite a bit of lag, the real reason why Google is starting to crack down on these apps is likely related to the growing issue of exploits that take advantage of a11y. Although the apps that I mentioned above use a11y for beneficial purposes, they can easily be exploited by malicious developers for nefarious purposes. For instance, an Accessibility Service can be used to implement a keylogger, ransomware attack, or phishing exploit.
Google’s efforts in protecting users from malicious Accessibility Services have mostly revolved around disclosure. Currently, enabling an Accessibility Service that registers for certain events such as TYPE_VIEW_TEXT_CHANGED will result in a warning dialog that the app may steal your passwords. You might think that such a message would be effective in preventing users from irresponsibly granting apps a11y. However, there have been plenty of documented cases of apps tricking users into granting a11y. Some attacks go even further, such as the Cloak and Dagger exploit and Toast Message Overlay attacks which socially engineer the user into granting a11y by misrepresenting what it is they are interacting with on the screen.
Attacks such as these are effective on the vast majority of Android devices. Google has made major strides in preventing overlay or toast message attacks (as can be seen in AOSP if you search for a11y), but things have gotten to the point where Google decided they are better off restricting the use of Accessibility Services entirely. It makes sense, but it really sucks because this move will kill the functionality of a lot of innovative apps.
What can developers do?
Unfortunately, there isn’t much developers can do in response to these changes. Developers can either comply with Google’s demands by removing their Accessibility Service or face the threat of their app being removed and their account possibly being terminated. Simply adding a disclosure for why their app uses a11y would only work if their app was legitimately aimed at assisting users with disabilities, which doesn’t describe most apps currently using a11y.
Refactoring apps to no longer use an Accessibility Service is possible for some, but not all, of the apps we’ve mentioned. Password managers such as LastPass can migrate to the Autofill Framework, but only if the user is running Android 8.0 Oreo and above. If an app uses a11y to monitor when other apps are open, that app can instead be written with a polling service using the UsageStats API. Apps like Tasker can survive such a change. Others like Button Mapper and AutoInput are out of luck—without root, there’s no good way to intercept KeyEvents.
While we recognize the danger in allowing a malicious app access to the Accessibility APIs, it’s a shame to see some really useful apps be neutered by Google. We hope that the policy Google laid out is reversed, or they simply claim that it was misinterpreted. As it stands, the wording in the email is pretty clear—comply with our guidelines or get out of the Play Store. It’s a grim reminder that Google has all the power of what apps belong in the Play Store, and they can pull the rug out from under you at any time.
Update 1: Confusing Developer Documentation
Google’s developer documents for building an Accessibility Service appear to contradict this new focus by the Google Play Store team. The page has the following wording at the time of this writing:
An accessibility service is an application that provides user interface enhancements to assist users with disabilities, or who may temporarily be unable to fully interact with a device. For example, users who are driving, taking care of a young child or attending a very loud party might need additional or alternative interface feedback.
Furthermore, if you compare the wording on the page to an archived version of the page from July, you’ll find that the note about building Accessibility Services only to assist users with disabilities does not exist.