Google’s Android phones include a set of Accessibility Services that are designed to make phones or tablets usable by people with physical disabilities. For example, users with visual impairments can use a screen reader to navigate their phone with verbal feedback.
But developers have found creative uses for Google’s accessibility APIs, since they allow an app to do things on a phone that would normally require root access.
For example, the LastPass password manager can scan any page you’re on for username and password boxes in order to open a pop-up window that can fill in that information only when you need it. Button Mapper can intercept events to change what happens when you press a button on your phone.
And soon those apps, along with a bunch of others, will either have to find a new way to do those things or they’ll be removed from the Google Play Store.
Google is telling developers that they have 30 days to explain how their apps are using Accessibility services to help disabled users, change their apps, or have them be booted from the Play Store.
Up until now, Google hasn’t had a policy prohibiting developers from using Accessibility services for activities that are unrelated to Accessibility features. So there could be hundreds of existing apps affected by the move.
But it does seem like there may be a good reason for the sudden crackdown: Accessibility services give apps the ability to read data from and interact with other apps in pretty powerful ways, which poses a security risk.
For example, Trend Micro recently discovered a type of malware that uses Accessibility services in order to install apps, click ads, and protect itself from being uninstalled. It’s called TOASTAMIGO, and it uses a “toast overlay” attack that was described as a proof of concept earlier this year.
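Because an enabled accessibility service is the capability the malware above abuses, one practical defender check is to audit which services a device has enabled. The following POSIX shell function is an added example, not code from the article or from any app it names; it parses the raw value of Android's secure setting `enabled_accessibility_services` (which `adb shell settings get secure enabled_accessibility_services` prints) and flags anything not on a constructed, hypothetical allowlist.

```shell
# Constructed allowlist of accessibility services the device owner expects
# (hypothetical package/class value; replace with your own). Entries use
# Android's "package/class" form, colon-separated like the setting itself.
ALLOWED_ACCESSIBILITY_SERVICES="com.example.screenreader/com.example.screenreader.ReaderService"

# audit_accessibility_services RAW
#   RAW is the raw value of the secure setting 'enabled_accessibility_services':
#   colon-separated "package/class" entries, or the literal "null" when none
#   is enabled. Prints every enabled service that is not on the allowlist.
#   Returns 0 when every enabled service is allowed, 1 otherwise.
audit_accessibility_services() {
  raw=$1
  status=0
  # Android reports the string "null" (not an empty value) when the setting is unset.
  [ "$raw" = "null" ] && raw=""
  old_ifs=$IFS
  IFS=':'
  for svc in $raw; do
    [ -z "$svc" ] && continue
    case ":$ALLOWED_ACCESSIBILITY_SERVICES:" in
      *":$svc:"*) ;;   # expected service, nothing to report
      *)
        printf 'unexpected accessibility service: %s\n' "$svc"
        status=1
        ;;
    esac
  done
  IFS=$old_ifs
  return $status
}

# count_unexpected RAW: same check, but prints the number of flagged entries
# so the result can be compared in scripts or fed to a monitoring agent.
count_unexpected() {
  audit_accessibility_services "$1" | wc -l | tr -d ' '
}

# Live use against a connected device (requires adb and USB debugging enabled);
# tr strips the carriage return adb adds on some hosts:
#   audit_accessibility_services "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
```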
It’s likely that some of the affected apps may find other workarounds. Others, like LastPass, will be able to make use of new APIs in Android Oreo and later to do things like autofill passwords. And I wouldn’t be surprised if others, like Tasker, offer versions with limited feature sets through the Google Play Store and more powerful versions for root users to sideload through alternative marketplaces.
Update: LastPass says it’s working with Google to “deliver an intuitive password experience for Android users” and that there’s “no immediate impact to our Android users.” What this means for smaller developers that may not have a direct line to Google remains unclear.