A few weeks ago Android Weekly promoted a post highlighting a security issue with the Android accessibility framework. While I agree with part of it, I find the solution offered is not adequate and is actively harmful to users. In this response, I’ll explain why I disagree with the prescribed action.
There is an app (popular in India) that registers itself as an Android accessibility service. It does this so it can read the content of whatever app is on screen and use that content to augment its own service.
The post from AW raises a fair point — isn’t this dangerous? Accessibility services on Android have access to everything you type and all the forms on your screen.
Android warns the user of this when they enable the service:
It highlights that personal data can be observed, including credit card numbers and passwords. Third-party keyboards can also access this information, and Android warns users here too at the point of enabling:
These keyboards are more common than accessibility services — SwiftKey has 50–100M downloads, compared to Voodoo’s 0.1–0.5M.
The post encourages app developers to mark sensitive fields with `View.IMPORTANT_FOR_ACCESSIBILITY_NO`, in order to protect the user from giving accessibility services access to things like login forms.
It’s correct that this will make the field invisible to accessibility services. Apps like Voodoo will no longer be able to read your password field (it probably wasn’t anyway).
It also makes the field invisible to legitimate accessibility services like TalkBack, Spiel or Switch Access, which means the sensitive field is invisible to the users of those services too.
TalkBack, for example, is an Android accessibility service designed to help visually impaired users interact with their devices. It acts as a screen reader (reads screen content aloud) and as an input mechanism (uses gestures to perform common actions, such as clicking and navigating through lists, with less touch precision).
If the password field is marked as “not important”, then TalkBack cannot convey its existence to the user and, consequently, the user cannot login.
This action is actively harmful and doesn’t seem to help in the majority of cases, unless I missed something and the post also advocates for creating your own on-screen keyboard.
Personally, I wouldn’t worry. If you are worried, I would remind the user on screens where they are about to enter sensitive information.
You can do this with a dialog that is shown when the app detects that an accessibility service is running, and that blocks input until there is acknowledgement:
```java
import android.content.Context;
import android.view.accessibility.AccessibilityManager;

AccessibilityManager accessibilityManager =
        (AccessibilityManager) context.getSystemService(Context.ACCESSIBILITY_SERVICE);
// isEnabled() is true when any accessibility service is enabled, not only screen readers,
// so the dialog is shown to TalkBack users as well as to users of third-party services.
boolean showDialog = accessibilityManager.isEnabled();
```
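As an added example (not code from the original post), the following helper goes one step beyond the `isEnabled()` check above: it lists the accessibility services that are actually enabled, by name, and shows a blocking dialog before the sensitive inputs become usable. The inputs themselves stay fully accessible, so a TalkBack user still hears both the notice and the password field. The class name `AccessibilityNotice`, its methods, the package name and the button labels are my own choices; the Android APIs used (`AccessibilityManager.getEnabledAccessibilityServiceList`, `AccessibilityServiceInfo.getResolveInfo`, `AlertDialog.Builder`) are real.

```java
// Added example, not part of the original post. Package name is hypothetical.
package com.example.sensitivescreen;

import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.app.AlertDialog;
import android.content.Context;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.view.View;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.List;

public final class AccessibilityNotice {

    private AccessibilityNotice() {}

    /** Human-readable labels of every accessibility service that is currently enabled. */
    public static List<String> enabledServiceLabels(Context context) {
        AccessibilityManager am =
                (AccessibilityManager) context.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> labels = new ArrayList<>();
        if (am == null || !am.isEnabled()) {
            return labels; // accessibility is off entirely: no service can observe the screen
        }
        PackageManager pm = context.getPackageManager();
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            ResolveInfo ri = info.getResolveInfo();
            CharSequence label = ri != null ? ri.loadLabel(pm) : null;
            // Fall back to the component id (e.g. "pkg/.ServiceClass") when no label is available.
            labels.add(label != null ? label.toString() : info.getId());
        }
        return labels;
    }

    /**
     * Show a non-cancelable notice before the sensitive inputs become usable.
     * The inputs are disabled (not hidden) until the user acknowledges, so they
     * remain visible to TalkBack and similar services, unlike a field marked
     * IMPORTANT_FOR_ACCESSIBILITY_NO.
     */
    public static void warnIfServicesEnabled(Activity activity, View... sensitiveInputs) {
        List<String> services = enabledServiceLabels(activity);
        if (services.isEmpty()) {
            setEnabled(true, sensitiveInputs);
            return;
        }
        setEnabled(false, sensitiveInputs); // block input until acknowledged

        StringBuilder message = new StringBuilder(
                "The following accessibility services can read what you type on this screen:\n");
        for (String s : services) {
            message.append("\u2022 ").append(s).append('\n');
        }
        message.append("\nContinue only if you trust them.");

        new AlertDialog.Builder(activity)
                .setTitle("Accessibility services are active")
                .setMessage(message) // StringBuilder is a CharSequence
                .setCancelable(false)
                .setPositiveButton("Continue", (dialog, which) -> setEnabled(true, sensitiveInputs))
                .setNegativeButton("Go back", (dialog, which) -> activity.finish())
                .show();
    }

    // View.setEnabled does not propagate to children, so each input is toggled explicitly.
    private static void setEnabled(boolean enabled, View... views) {
        for (View v : views) {
            v.setEnabled(enabled);
        }
    }
}
```

Call it from the sensitive screen's `onCreate` after `setContentView`, for example `AccessibilityNotice.warnIfServicesEnabled(this, findViewById(R.id.username), findViewById(R.id.password));` (the resource ids are hypothetical). The dialog itself is an ordinary view, so a screen reader announces the list of services to its user just as it would any other notice.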