What exactly is Google doing?
Google is informing developers that if their application uses an Accessibility Service for any reason other than assisting users with disabilities, then they must remove the use of this permission within 30 days or their application will be removed from the Play Store. Failure to abide by this requirement can result in an infraction against a developer’s Play Store account, which can eventually lead to account termination.
For the few apps that do use a11y to aid users with disabilities, Google states that these developers simply need to add a prominent, user-facing disclosure of the reason why their app needs the permission. However, as I mentioned before, Accessibility Services are used far more often in apps that would end up violating this new policy.
Why is Google removing Accessibility Services from the Play Store?
While the use of Accessibility Services is known to cause quite a bit of lag, the real reason why Google is starting to crack down on these apps is likely related to the growing issue of exploits that take advantage of a11y. Although the apps that I mentioned above use a11y for beneficial purposes, the same capabilities can easily be exploited by malicious developers for nefarious purposes. For instance, an Accessibility Service can be used to implement a keylogger, ransomware attack, or phishing exploit.
Google’s efforts in protecting users from malicious Accessibility Services have mostly revolved around disclosure. Currently, enabling an Accessibility Service that registers for certain events such as TYPE_VIEW_TEXT_CHANGED will result in a warning dialog that the app may steal your passwords. You might think that such a message would be effective in preventing users from irresponsibly granting apps a11y. However, there have been plenty of documented cases of apps tricking users into granting a11y. Some attacks go even further, such as the Cloak and Dagger exploit and Toast Message Overlay attacks, which socially engineer the user into granting a11y by misrepresenting what it is they are interacting with on the screen.
Attacks such as these are effective on the vast majority of Android devices. Google has made major strides in preventing overlay or toast message attacks (as can be seen in AOSP if you search for a11y), but things have gotten to the point where Google decided they are better off restricting the use of Accessibility Services entirely. It makes sense, but it really sucks because this move will kill the functionality of a lot of innovative apps.
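To make the event-registration point above concrete, here is an added example (not from the original article or from Google) that audits an app's `<accessibility-service>` XML config for the declarations a reviewer would look at first. The sample config is constructed, and the set of event types treated as text-exposing is an assumption; the article names only TYPE_VIEW_TEXT_CHANGED.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: event types treated here as exposing typed or on-screen text.
# The article itself names only TYPE_VIEW_TEXT_CHANGED (typeViewTextChanged in XML).
TEXT_EXPOSING = {"typeViewTextChanged", "typeViewTextSelectionChanged",
                 "typeWindowContentChanged", "typeAllMask"}

# Constructed sample of a res/xml accessibility service config.
SAMPLE_CONFIG = """<accessibility-service
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeViewClicked|typeViewTextChanged"
    android:canRetrieveWindowContent="true" />
"""


def audit_config(xml_text):
    """Return a list of findings for one accessibility-service config."""
    root = ET.fromstring(xml_text)
    if root.tag != "accessibility-service":
        raise ValueError("not an accessibility-service config")

    def attr(name):
        # Android attributes live in the android: XML namespace.
        return root.get("{%s}%s" % (ANDROID_NS, name), "")

    findings = []
    declared = {t.strip() for t in attr("accessibilityEventTypes").split("|")
                if t.strip()}
    if not declared:
        # Event types can also be set at runtime, so the XML alone is not enough.
        findings.append("event types not declared in XML; "
                        "review setServiceInfo() calls")
    for event in sorted(declared & TEXT_EXPOSING):
        findings.append("event type exposes text: " + event)
    if attr("canRetrieveWindowContent").lower() == "true":
        findings.append("can read window content")
    return findings


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG):
        print(line)
```
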
What can developers do?
Unfortunately, there isn’t much developers can do in response to these changes. Developers can either comply with Google’s demands by removing their Accessibility Service or face the threat of their app being removed and their account possibly being terminated. Simply adding a disclosure for why their app uses a11y would only work if their app was legitimately aimed at assisting users with disabilities, which doesn’t describe most apps currently using a11y.