[Update: LastPass Unaffected] Google is Threatening to Remove Apps with Accessibility Services from the Play Store

Update: LastPass has just responded to this news and states that there will be “no immediate impact” for their Android apps. Whether or not this means that other applications will be given leniency remains to be seen.

Some of the most innovative applications on the Play Store are built on using APIs in ways that Google never intended. There are apps that can remap your volume keys to skip music tracks, record and play back touch inputs on webpages or games, and even provide alternative navigation keys so you can use your device’s entire screen. All of these examples that I’ve just mention rely on Android’s Accessibility APIs. But that may soon change, as the Google Play Store team is sending out emails to developers telling them that they can no longer implement Accessibility Services unless they follow Google’s guidelines.


What is an Accessibility Service?

To understand why this is significant, we first need to explain what Accessibility is in relation to Android. In general, accessibility refers to making an Android app more accessible to users with certain disabilities such as those who are visually impaired. While it’s in every developer’s best interests to make their apps more accessible to users with disabilities, there are a special class of applications that are designed to enhance the usability of all Android apps for users with disabilities. These are called Accessibility Services.

An Accessibility Service, commonly referred to as a11y, is an app that the system can feed certain information to depending on what events the Accessibility Service registers to listen for. An app that wishes to implement an Accessibility Service must add the android.permission.BIND_ACCESSIBILITY_SERVICE permission to the AndroidManifest file so only the system can bind to the app’s service.

For example, if an Accessibility Service is built to listen for TYPE_VIEW_CLICKED events, then that service will receive information from the system about any buttons that the user might press. An Accessibility Service can also react to and consume certain gestures and KeyEvents before other apps receive them. Finally, an Accessibility Service can also inject certain KeyEvents such as the back, split-screen, or recent apps button.

Thus, Accessibility Services can be extremely powerful and useful. Several of the most popular, innovative applications on the Google Play Store rely on a11y to perform their duties. Here are just some of the few examples I came up with off the top of my head:

  • AutoInput – intercept KeyEvents and perform tap/swipe gestures
  • Button Mapper – intercept KeyEvents and remap them to other KeyEvents
  • Greenify – automatically hibernate apps by force closing them before the screen turns off
  • Inputting+ – detect when the keyboard app is open to show the floating action button
  • LastPass – scan pages for username/password entries (necessary before Android Oreo)
  • Swiftly Switch – send KeyEvent for the back button
  • Tasker – detect when apps are open so you can perform any user-defined action
  • Type Machine – record all text input so you will never lose any text entry
Google Play Store Accessibility Service Crackdown Google Play Store Accessibility Service Crackdown Google Play Store Accessibility Service Crackdown Google Play Store Accessibility Service Crackdown Google Play Store Accessibility Service Crackdown

None of these applications use a11y in the way Google intended, which is to help users with disabilities. I would wager that the vast majority of applications that implement an Accessibility Service do so for functions outside of Google’s purview. But that’s the beauty of Android and APIs like Accessibility—Google usually doesn’t restrict what developers can and cannot do. That lax approach with the use of Accessibility Services appears to be changing, however, as the Google Play Store team has been sending emails to developers warning them of upcoming changes to their policy regarding a11y.


What exactly is Google doing?

The company is informing developers that if their application uses an Accessibility Service for any reason other than assisting users with disabilities, then they must remove the use of this permission within 30 days or their application will be removed from the Play Store. Failure to abide by this requirement can result in an infraction against a developer’s Play Store account, which can eventually lead to account termination.

For the few apps that do use a11y to aid users with disabilities, Google states that these developers need to simply add a prominent, user-facing disclosure of the reason behind why their app needs the permission. However, as I mentioned before Accessibility Services are used far more often in apps that would end up violating this new policy.

Full email sent to developers

Hi Developers at ****,

We’re contacting you because your app, ****, with package name **** is requesting the ‘android.permission.BIND_ACCESSIBILITY_SERVICE.’ Apps requesting accessibility services should only be used to help users with disabilities use Android devices and apps. Your app must comply with our Permissions policy and the Prominent Disclosure requirements of our User Data policy.

Action required: If you aren’t already doing so, you must explain to users how your app is using the ‘android.permission.BIND_ACCESSIBILITY_SERVICE‘ to help users with disabilities use Android devices and apps. Apps that fail to meet this requirement within 30 days may be removed from Google Play. Alternatively, you can remove any requests for accessibility services within your app. You can also choose to unpublish your app.

If you need to make changes to your apps, please follow these steps:

  • Read through the Permissions and User Data policies for more details, and make sure your app complies with all policies listed in the Developer Program Policies.
  • If you don’t need the BIND_ACCESSIBILITY_SERVICE permission in your app or the permission is being used for something other than helping users with disabilities use Android devices and apps:
    1. Remove your request for this permission from your app’s manifest.
    2. Sign in to your Play Console and upload your modified, policy-compliant APK.
  • Or, if you need the BIND_ACCESSIBILITY_SERVICE permission in your app to help users with disabilities use Android devices and apps:
    1. Include the following snippet in your app’s store listing description: “This app uses Accessibility services.”
    2. Provide prominent user-facing disclosure of this usage before asking the user to enable this permission within your app. Your disclosure must meet each of the following requirements:
      • Disclosure must be provided via the android:summary and android:description elements of the AccessibilityServiceInfo class
      • Disclosure must describe the functionality that the Accessibility Service permission is enabling for your app. Each feature used with the Accessibility Service request must be declared in your disclosure with justification.

Alternatively, you can choose to unpublish the app.

All violations are tracked. Serious or repeated violations of any nature will result in the termination of your developer account, and investigation and possible termination of related Google accounts.

If you’ve reviewed the policy and feel we may have been in error, please reach out to our policy support team. One of my colleagues will get back to you within 2 business days.

Regards,

The Google Play Review Team


Why is Google removing Accessibility Services from the Play Store?

While the use of Accessibility Services are known to cause quite a bit of lag, the real reason why Google is starting to crack down on these apps is likely related to the growing issue of exploits that take advantage of a11y. Although the apps that I mentioned above use a11y for beneficial purposes, they can easily be exploited by malicious developers for nefarious purposes. For instance, an Accessibility Service can be used to implement a keylogger, ransomware attack, or phishing exploit.

Google’s efforts in protecting users from malicious Accessibility Services have mostly revolved around disclosure. Currently, enabling an Accessibility Service that registers for certain events such as TYPE_VIEW_TEXT_CHANGED will result in a warning dialog that the app may steal your passwords. You might think that such a message would be effective in preventing users from irresponsibly granting apps a11y. However, there have been plenty of documented cases of apps tricking users into granting a11y. Some attacks go even further, such as the Cloak and Dagger exploit and Toast Message Overlay attacks which socially engineer the user into granting a11y by misrepresenting what it is they are interacting with on the screen.

Attacks such as these are effective on the vast majority of Android devices. Google has made major strides in preventing overlay or toast message attacks (as can be seen in AOSP if you search for a11y), but things have gotten to the point where Google decided they are better off restricting the use of Accessibility Services entirely. It makes sense, but it really sucks because this move will kill the functionality of a lot of innovative apps.


What can developers do?

Unfortunately, there isn’t much developers can do in response to these changes. Developers can either comply with Google’s demands by removing their Accessibility Service or face the threat of their app being removed and their account possibly being terminated. Simply adding a disclosure for why their app uses a11y would only work if their app was legitimately aimed at assisting users with disabilities, which doesn’t describe most apps currently using a11y.

Refactoring apps to no longer use an Accessibility Service is possible for some, but not all, of the apps we’ve mentioned. Password managers such as LastPass can migrate to the Autofill Framework, but only if the user is running Android 8.0 Oreo and above. If an app uses a11y to monitor when other apps are open, that app can instead be written with a polling service using the UsageStats API. Apps like Tasker can survive such a change. Others like Button Mapper and AutoInput are out of luck—without root, there’s no good way to intercept KeyEvents.

While we recognize the danger in allowing a malicious app access to the Accessibility APIs, it’s a shame to see some really useful apps be neutered by Google. We hope that the policy Google laid out is reversed, or they simply claim that it was misinterpreted. As it stands, the wording in the email is pretty clear—comply with our guidelines or get out of the Play Store. It’s a grim reminder that Google has all the power of what apps belong in the Play Store, and they can pull the rug out from under you at any time.


Update 1: Confusing Developer Documentation

Google’s developer documents for building an Accessibility Service appear to contradict this new focus by the Google Play Store team. The page has the following wording at the time of this writing:

An accessibility service is an application that provides user interface enhancements to assist users with disabilities, or who may temporarily be unable to fully interact with a device. For example, users who are driving, taking care of a young child or attending a very loud party might need additional or alternative interface feedback.

Furthermore, if you compare the wording on the page to an archived version of the page from July, you’ll find that the note about building Accessibility Services only to assist users with disabilities does not exist.

Thanks João Dias for reaching out with this information.