Google will prohibit the use of improper functions for persons with disabilities in Android applications

Functions for people with disabilities (Accessibility API) are extremely convenient and are used by the most innovative applications in the Google Play catalog. For example, the volume keys on a smartphone can be reassigned to go to the next music track, record and play clicks on web pages / games or even navigate, that is, page turning, as in the gReader mobile app. All of this features for people with disabilities who resourceful developers use for other purposes. Now Google has expressed dissatisfaction with this fact. The site XDA Developers reported that from Google Play, developers have begun to receive warnings that you can not use the Accessibility API other than as provided in the Google documentation.



Accessibility APIs provide for work through a special service in the Accessibility Service system (a11y). To be able to send it certain events for processing, the application must add the android.permission.BIND_ACCESSIBILITY_SERVICE



permission to the manifest. This service can handle certain events in the system (gestures, keystrokes) earlier than other applications. In addition, this service can itself implement certain KeyEvents events, such as pressing the “Return Back” button, split screen buttons, and so on.



From the description of the Accessibility Service functionality, it is clear that the service is extremely useful in developing the mobile application interface. Here is just a small list of applications that use functionality for people with disabilities in their interface:





For example, the screenshot below shows how the LastPass application is requesting permission to use the disabled feature in order to activate the password auto-complete feature in other Android applications.









None of the above applications use the a11y service in accordance with the Google documentation, original cheats are implemented everywhere. Most likely, the vast majority of applications on Google Play, which use features for people with disabilities, are actually designed for quite healthy people. Until now, no one had any problems with this, because Google did not impose restrictions on how to use the API. Now the situation has changed.



In the letters from Google it says that developers are obliged to bring their programs into line with the documentation on the Accessibility Service, that is, to exclude from the application any functionality that is not aimed directly at helping people with disabilities. Developers are required to do this within 30 days, otherwise their applications will be deleted from the Play Store. Refusal to comply with the requirement also means violation of the rules for using the service, which can lead to the blocking of the developer account.



As an option, Google recommends that you manually remove your application from the directory so as not to risk blocking your account.



For those few applications that really help people with disabilities, it is recommended to add a clear explanation for the user why permission is required to use this service. In the program description on Google Play, add the phrase “This app uses Accessibility services”.



The guys from XDA-Developers are trying to guess why Google went to such repressive measures. On the one hand, the use of the Accessibility Service causes a small lag in the interface, but this is hardly the reason. Most likely, Google worries that this system service will begin to use malicious programs in large quantities. From its functionality, it is clear that it is great for hidden recording of keystrokes (for keyloggers), phishing exploits and other malware. If for users the activation of the Accessibility Service on the device becomes a routine, it will threaten their security.



Several cases have already been registered when a malicious application managed to trick a user into activating the Accessibility Service (see the Cloak & Dagger exploit information).



All Articles