A lot of your favorite apps might use Accessibility Services for certain features, but this is why Google’s new limitations on them are important.
There are a lot of moving parts to all of our favorite applications. You might not think about this when scrolling through your timeline on Twitter or watching videos on YouTube, but the amount of stuff going on behind the scenes to make all of these apps work the way they’re supposed to is actually pretty incredible.
Certain apps like LastPass, Tasker, and Clipboard Actions tap into Android’s Accessibility Services to allow for deeper features that otherwise couldn’t exist, but Google recently announced that applications using them without directly benefiting those with disabilities could be removed from the Play Store.
Accessibility Services are an interesting tool, and to get a better idea of what exactly is taking place here, we need to take a closer look.
What are Accessibility Services?
Accessibility Services are found within Android and allow phones and tablets to be easier to use by those with disabilities. When you go to the Accessibility settings page on your Android device, you’ll see an array of controls that Google has enabled by default. Some of the items here include the likes of tapping items on your screen to have your device read them out to you, spoken feedback that reads aloud all of your actions, increasing the size of items on the display, etc.
As expected, the general theme here is to make Android easier and simpler to use for people that need some extra assistance.
In addition to the services that are built into Android by default, developers can tap into Accessibility Services with their own apps to create new features that take advantage of them. On the Android Developers site, Accessibility Services are described as follows:
Accessibility services should only be used to assist users with disabilities in using Android devices and apps. They run in the background and receive callbacks by the system when AccessibilityEvents are fired. Such events denote some state transition in the user interface, for example, the focus has changed, a button has been clicked, etc. Such a service can optionally request the capability for querying the content of the active window. Development of an accessibility service requires extending this class and implementing its abstract methods.
Why some apps use them
Although the main goal of Accessibility Services is to allow developers to create tools targeted at individuals with disabilities, we’ve seen a number of apps over the years that have tapped into this resource to create expanded features that can technically benefit everyone.
Android’s pre-installed Accessibility Services are all targeted at people with disabilities, and for a reason.
Accessibility Services can be used legitimately, but that, unfortunately, doesn’t always happen.
For example, LastPass’s App Fill reveals an overlay on top of whatever screen or other app you’re on so you can easily add username and password information without having to open up the full LastPass application. Clipboard Actions also taps into Accessibility Services so you can more easily manage links you’ve copied and take action on them without having to be in the full Clipboard Actions app.
This is a method that developers have been using for quite some time now, and while it technically works, it does create for vulnerabilities that Google doesn’t like to see.
Google’s reasoning for the new limitations
As great as Accessibility Services can be when used legitimately, it’s also possible for the service to be used maliciously. Apps that use Accessibility Services open up greater security threats than ones that don’t, and this leaves devices at risk for attacks.
Shortly after Google announced the decision to limit applications that can use Accessibility Services, it was discovered that the change was likely connected to a "toast overlay" attack that had been discovered by security firm TrendMicro. Essentially, the toast overlay attack allows malicious apps to display images and buttons over what should really be shown in order to steal personal information or completely lock users out of their device.
Apps using this toast overlay attack have since been removed from the Play Store and a patch with the September Security Bulletin resolves the vulnerability, but this is just one example of how an app tapping into Accessibility Services can cause serious damage.
The future is APIs
Apps that are using Accessibility Services to help the disabled in legitimate ways will continue to exist, but for those that aren’t targeted at this specific demographic, Google has a solution – APIs. In the example of LastPass, the new Autofill API with Android Oreo allows LastPass to offer similar functionality to its Auto Fill feature without having to use Accessibility Services.
APIs allow for similar (and often better) experiences than what hacky dev tricks can produce.
This does mean that users need to be running newer versions of Android to access all of the features of some of their favorite titles, but at the end of the day, your functionality is remaining while also cutting down on possible security risks.
We understand the annoyance that some users have towards this change, but when looking at it from Google’s perspective, it’s a move that just makes sense. Accessibility Services were never intended to be used for a large portion of the ways that certain devs are tapping into them, and it’s something that Google needs to crack down on.
At the end of the day, once apps get updated to support Google’s numerous APIs, we’ll get similar features with greater protection from attacks. What more could you ask for?
November 15, 2017 at 03:04AM