[Google] Remove Apps with Accessibility Services from the Play Store

What exactly is Google doing?

Google is informing developers that if their application uses an Accessibility Service for any reason other than assisting users with disabilities, they must remove the use of this permission within 30 days or their application will be removed from the Play Store. Failure to comply can result in an infraction against the developer’s Play Store account, which can eventually lead to account termination.

For the few apps that do use Accessibility Services (a11y) to aid users with disabilities, Google states that these developers simply need to add a prominent, user-facing disclosure of why their app needs the permission. However, as I mentioned before, Accessibility Services are used far more often in apps that would end up violating this new policy.

The email reads as follows:

Hi Developers at ****,

We’re contacting you because your app, ****, with package name **** is requesting the ‘android.permission.BIND_ACCESSIBILITY_SERVICE.’ Apps requesting accessibility services should only be used to help users with disabilities use Android devices and apps. Your app must comply with our Permissions policy and the Prominent Disclosure requirements of our User Data policy.

Action required: If you aren’t already doing so, you must explain to users how your app is using the ‘android.permission.BIND_ACCESSIBILITY_SERVICE’ to help users with disabilities use Android devices and apps. Apps that fail to meet this requirement within 30 days may be removed from Google Play. Alternatively, you can remove any requests for accessibility services within your app. You can also choose to unpublish your app.

If you need to make changes to your apps, please follow these steps:

  • Read through the Permissions and User Data policies for more details, and make sure your app complies with all policies listed in the Developer Program Policies.
  • If you don’t need the BIND_ACCESSIBILITY_SERVICE permission in your app or the permission is being used for something other than helping users with disabilities use Android devices and apps:
    1. Remove your request for this permission from your app’s manifest.
    2. Sign in to your Play Console and upload your modified, policy-compliant APK.
  • Or, if you need the BIND_ACCESSIBILITY_SERVICE permission in your app to help users with disabilities use Android devices and apps:
    1. Include the following snippet in your app’s store listing description: “This app uses Accessibility services.”
    2. Provide prominent user-facing disclosure of this usage before asking the user to enable this permission within your app. Your disclosure must meet each of the following requirements:
      • Disclosure must be provided via the android:summary and android:description elements of the AccessibilityServiceInfo class
      • Disclosure must describe the functionality that the Accessibility Service permission is enabling for your app. Each feature used with the Accessibility Service request must be declared in your disclosure with justification.

Alternatively, you can choose to unpublish the app.

All violations are tracked. Serious or repeated violations of any nature will result in the termination of your developer account, and investigation and possible termination of related Google accounts.

If you’ve reviewed the policy and feel we may have been in error, please reach out to our policy support team. One of my colleagues will get back to you within 2 business days.

Regards,

The Google Play Review Team

Why is Google removing Accessibility Services from the Play Store?

While the use of Accessibility Services is known to cause quite a bit of lag, the real reason Google is starting to crack down on these apps is likely the growing number of exploits that take advantage of a11y. Although the apps that I mentioned above use a11y for beneficial purposes, the same capability can easily be abused by malicious developers. For instance, an Accessibility Service can be used to implement a keylogger, ransomware attack, or phishing exploit.

Google’s efforts in protecting users from malicious Accessibility Services have mostly revolved around disclosure. Currently, enabling an Accessibility Service that registers for certain events such as TYPE_VIEW_TEXT_CHANGED will result in a warning dialog that the app may steal your passwords. You might think that such a message would be effective in preventing users from irresponsibly granting apps a11y. However, there have been plenty of documented cases of apps tricking users into granting a11y. Some attacks go even further, such as the Cloak and Dagger exploit and Toast Message Overlay attacks which socially engineer the user into granting a11y by misrepresenting what it is they are interacting with on the screen.

Attacks such as these are effective on the vast majority of Android devices. Google has made major strides in preventing overlay or toast message attacks (as can be seen in AOSP if you search for a11y), but things have gotten to the point where Google decided they are better off restricting the use of Accessibility Services entirely. It makes sense, but it really sucks because this move will kill the functionality of a lot of innovative apps.
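To see where an app stands against the email's requirements, the following added example (not from Google or the original post) audits a decoded manifest for services guarded by BIND_ACCESSIBILITY_SERVICE, checks the linked config for the android:summary and android:description disclosure attributes, and flags text-capturing event types such as typeViewTextChanged. The package, service and resource names are constructed, and the inputs are assumed to be already-decoded XML.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Event-type flags that deliver typed text to the service (typeAllMask includes it).
TEXT_EVENTS = {"typeViewTextChanged", "typeAllMask"}
# Constructed sample inputs: decoded manifest and service config XML.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application>
    <service android:name=".FillerService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <meta-data android:name="android.accessibilityservice"
          android:resource="@xml/filler_config"/>
    </service>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""
CONFIGS = {"filler_config": """<accessibility-service
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeViewTextChanged|typeWindowStateChanged"
    android:description="@string/filler_description"/>"""}


def audit(manifest_xml, configs):
    """Return one finding per service guarded by BIND_ACCESSIBILITY_SERVICE."""
    findings = []
    for svc in ET.fromstring(manifest_xml).iter("service"):
        if svc.get(ANDROID + "permission") != A11Y_PERMISSION:
            continue
        # The meta-data entry points at the XML resource holding the service config.
        res = next((m.get(ANDROID + "resource", "") for m in svc.iter("meta-data")
                    if m.get(ANDROID + "name") == "android.accessibilityservice"), "")
        cfg_xml = configs.get(res.rpartition("/")[2])
        attrs = ET.fromstring(cfg_xml).attrib if cfg_xml else {}
        events = set(attrs.get(ANDROID + "accessibilityEventTypes", "").split("|"))
        findings.append({
            "service": svc.get(ANDROID + "name"),
            "config_found": cfg_xml is not None,
            # Disclosure attributes the policy email requires.
            "missing_disclosure": [a for a in ("summary", "description")
                                   if not attrs.get(ANDROID + a)],
            "text_events": sorted(events & TEXT_EVENTS),
        })
    return findings


if __name__ == "__main__":
    print(audit(MANIFEST, CONFIGS))
```

A service can also change its event types at runtime through setServiceInfo(), so an empty text_events list from this static check does not rule out text capture.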

What can developers do?

Unfortunately, there isn’t much developers can do in response to these changes. Developers can either comply with Google’s demands by removing their Accessibility Service or face the threat of their app being removed and their account possibly being terminated. Simply adding a disclosure for why their app uses a11y would only work if their app was legitimately aimed at assisting users with disabilities, which doesn’t describe most apps currently using a11y.
