Android’s accessibility services are designed to help users with disabilities, but the set of tools is so powerful that other apps often use it to enable compelling features. Unfortunately, accessibility services are often also portals for malware to take control of phones or gain access to personal data. In Android 13, Google is further cracking down on access to accessibility services, making it harder for sideloaded apps to gain access.
Android 13 introduces new restrictions on sideloading apps that prevent users from granting them access to accessibility services. Given that many phishing and malware attacks work by tricking users into installing APKs from outside the app store, this could make it harder for bad actors to hijack an unsuspecting user’s phone.
Google isn’t completely preventing sideloaded apps from using accessibility services, though. Once in the dialog stating that accessibility services for the app in question are restricted, you can activate access via the “Allow restricted settings” menu entry under the app info screen in the top right corner. This appears to be a vulnerability that malicious apps could circumvent by instructing users to enable restricted settings. So it’s still possible that Google will change this behaviour before stable Android 13 goes live.
Gizchina News of the week
Android 13 still supports sideloading apps
The new rules affect apps that users also have on the Play Store. When we sideload an older version of Sleep as Android from APK Mirror, which used accessibility services to prevent turning off the phone when trying to turn off the alarm, the accessibility services remain inactive. This did not go away even after updating it to the latest version available through the Play Store.
Users can still access accessibility services in Android 13 Beta 1 using the workaround described earlier. However, it’s an extra step for those who sideloaded apps to the latest state before the Play Store rollout. It’s also important to note that Google only restricts sideloading apps. If you use an alternative app distribution platform, you won’t run into accessibility restrictions. The likes of F-Droid or the Amazon App Store will not have any restrictions. Google may consider apps in the App Store to be at least somewhat free of malicious content.
At the same time, by default, apps distributed in the Google Play Store cannot use accessibility services at all. They can only use it if they are specifically for accessibility services. Developers can go through the lengthy process to prove to Google that their apps are good. In this case, they can still ask for exemptions. Nevertheless, in general, Google strongly discourages the use of accessibility services. In fact, call recording apps are the latest to feel these limitations, and Google no longer allows them to use the accessibility service to record phone calls.