Accessibility Services: What they are and why Google is cracking down on their misuse
There are a lot of moving parts to all of our favorite applications. You might not think about this when scrolling through your timeline on Twitter or watching videos on YouTube, but the amount of stuff going on behind the scenes to make all of these apps work the way they're supposed to is actually pretty incredible.
Certain apps like LastPass, Tasker, and Clipboard Actions (opens in new tab) tap into Android's Accessibility Services to allow for deeper features that otherwise couldn't exist, but Google recently announced that applications using them without directly benefiting those with disabilities could be removed from the Play Store.
Accessibility Services are an interesting tool, and to get a better idea of what exactly is taking place here, we need to take a closer look.
What are Accessibility Services?
Accessibility Services are found within Android and allow phones and tablets to be easier to use by those with disabilities. When you go to the Accessibility settings page on your Android device, you'll see an array of controls that Google has enabled by default. Some of the items here include the likes of tapping items on your screen to have your device read them out to you, spoken feedback that reads aloud all of your actions, increasing the size of items on the display, etc.
As expected, the general theme here is to make Android easier and simpler to use for people that need some extra assistance.
In addition to the services that are built into Android by default, developers can tap into Accessibility Services with their own apps to create new features that take advantage of them. On the Android Developers site, Accessibility Services are described as follows:
Why some apps use them
Although the main goal of Accessibility Services is to allow developers to create tools targeted at individuals with disabilities, we've seen a number of apps over the years that have tapped into this resource to create expanded features that can technically benefit everyone.
For example, LastPass's App Fill reveals an overlay on top of whatever screen or other app you're on so you can easily add username and password information without having to open up the full LastPass application. Clipboard Actions also taps into Accessibility Services so you can more easily manage links you've copied and take action on them without having to be in the full Clipboard Actions app.
This is a method that developers have been using for quite some time now, and while it technically works, it does create for vulnerabilities that Google doesn't like to see.
Google's reasoning for the new limitations
As great as Accessibility Services can be when used legitimately, it's also possible for the service to be used maliciously. Apps that use Accessibility Services open up greater security threats than ones that don't, and this leaves devices at risk for attacks.
Shortly after Google announced the decision to limit applications that can use Accessibility Services, it was discovered that the change was likely connected to a "toast overlay" attack (opens in new tab) that had been discovered by security firm TrendMicro (opens in new tab). Essentially, the toast overlay attack allows malicious apps to display images and buttons over what should really be shown in order to steal personal information or completely lock users out of their device.
Apps using this toast overlay attack have since been removed from the Play Store and a patch with the September Security Bulletin resolves the vulnerability, but this is just one example of how an app tapping into Accessibility Services can cause serious damage.
The future is APIs
Apps that are using Accessibility Services to help the disabled in legitimate ways will continue to exist, but for those that aren't targeted at this specific demographic, Google has a solution – APIs. In the example of LastPass, the new Autofill API with Android Oreo allows LastPass to offer similar functionality to its Auto Fill feature without having to use Accessibility Services.
This does mean that users need to be running newer versions of Android to access all of the features of some of their favorite titles, but at the end of the day, your functionality is remaining while also cutting down on possible security risks.
We understand the annoyance that some users have towards this change, but when looking at it from Google's perspective, it's a move that just makes sense. Accessibility Services were never intended to be used for a large portion of the ways that certain devs are tapping into them, and it's something that Google needs to crack down on.
At the end of the day, once apps get updated to support Google's numerous APIs, we'll get similar features with greater protection from attacks. What more could you ask for?
Get the Android Central Newsletter
Instant access to breaking news, the hottest reviews, great deals and helpful tips.
Joe Maring was a Senior Editor for Android Central between 2017 and 2021. You can reach him on Twitter at @JoeMaring1.
It's like calling a plumber to fix your faulty tap. You don't know how he is going to fix the tap but all you know is that he IS going to fix the tap.
Sony didn't update the Z3 to 7.0 because Google - no one else - decided to exclude phones with the snapdragon 801 from certification by changing the CTS and demanding support for Vulkan or OpenGL ES 3.1. The 801 had OpenGL ES 3.0. That's why Sony dropped the phone and didn't update it before the 2 year of updates expired. So yeah, we CAN blame Google. Also, OEMs don't have legal basis to sue Google if they demanded the phones to be updated. Google only had to make that a requirement for Play Store certification instead of demanding a bunch of bloatware to be pre-installed. So, again, Google's fault.
Please consider starring them and optionally write your insights there