A few weeks ago Android Weekly promoted a post highlighting a security issue with the Android accessibility framework. While I agree with part of it, I find the solution offered is not adequate and is actively harmful to users. In this response, I’ll explain why I disagree with the prescribed action.
The post from AW raises a fair point — isn’t this dangerous? Accessibility services on Android have access to everything you type and all the forms on your screen.
Android warns the user of this when they enable the service:
It highlights that personal data can be observed, including credit card numbers and passwords.
Third-party keyboards can also access this information, and Android warns users here too at the point of enabling:
These keyboards are more common than accessibility services — SwiftKey has 50–100M downloads, compared to Voodoo’s 0.1–0.5M.
The post encourages app developers to mark sensitive fields with `View.IMPORTANT_FOR_ACCESSIBILITY_NO`, in order to protect the user from giving accessibility services access to things like login forms.
It’s incorrect that this makes the field invisible to accessibility services. The flag only tells a service that it shouldn’t read the field; nothing stops it from reading it anyway. What does this mean in practice? Well-behaved services like TalkBack, Spiel or Switch Access will respect the property, making the field invisible to the user. Malicious services will simply ignore it.
TalkBack, for example, is an Android accessibility service designed to help visually impaired users interact with their devices. It acts as a screenreader (reads screen content aloud) and an input mechanism (uses gestures to perform common actions with less touch precision, like clicking and navigating through lists).
If the password field is marked as “not important”, then TalkBack cannot convey its existence to the user and, consequently, the user cannot log in.
This action is actively harmful and doesn’t seem to help in the majority of cases, unless I missed something and the post also advocates for creating your own on-screen keyboard.
Personally, I wouldn’t worry. If you are worried, I would remind the user on screens where they are about to enter sensitive information.
You can do this with a dialog that is shown when the app detects that an accessibility service is running, and that blocks input until the user acknowledges it:

```java
AccessibilityManager accessibilityManager =
        (AccessibilityManager) context.getSystemService(Context.ACCESSIBILITY_SERVICE);
// true if any accessibility service is enabled, legitimate ones like TalkBack included
boolean showDialog = accessibilityManager.isEnabled();
```
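A fuller version of that reminder, added here as an example rather than code from the original post: it lists the enabled services that declared they can read window content and names them in the dialog, so the user can recognise TalkBack and judge anything unfamiliar. The `onAcknowledged` callback, the class name and the dialog strings are my assumptions.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.AlertDialog;
import android.content.Context;
import android.content.pm.PackageManager;
import android.text.TextUtils;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

/** Added example (hypothetical class): remind the user before a sensitive screen accepts input. */
public final class AccessibilityReminder {

    /** Labels of enabled services whose capabilities include reading window content (API 18+). */
    public static List<CharSequence> servicesThatCanReadScreen(Context context) {
        List<CharSequence> labels = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) context.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null || !am.isEnabled()) {
            return labels; // no accessibility service enabled at all
        }
        PackageManager pm = context.getPackageManager();
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            // Only services that can retrieve window content can observe typed text.
            // Note that TalkBack and other legitimate screen readers declare this too.
            if ((info.getCapabilities()
                    & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0) {
                labels.add(info.getResolveInfo().loadLabel(pm));
            }
        }
        return labels;
    }

    /**
     * Shows a non-cancelable dialog naming the services, then runs onAcknowledged (assumed to
     * enable the login fields). Call this before enabling input on the sensitive screen.
     * This is a reminder for the user, not a security boundary: it cannot stop a service.
     */
    public static void remindIfNeeded(Context context, Runnable onAcknowledged) {
        List<CharSequence> services = servicesThatCanReadScreen(context);
        if (services.isEmpty()) {
            onAcknowledged.run(); // nothing to warn about, let the user proceed
            return;
        }
        new AlertDialog.Builder(context)
                .setTitle("Accessibility services are enabled")
                .setMessage("These services can see what you type on this screen: "
                        + TextUtils.join(", ", services))
                .setCancelable(false)
                .setPositiveButton("Continue", (dialog, which) -> onAcknowledged.run())
                .show();
    }
}
```

Keep the login fields disabled until `onAcknowledged` runs; because screen readers legitimately appear in this list, word the dialog as information rather than as an accusation.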