Kindness is a Risky Business: On the Usage of the Accessibility APIs in Android

Authors: 

Wenrui Diao, Shandong University; Yue Zhang and Li Zhang, Jinan University; Zhou Li, University of California, Irvine; Fenghao Xu, The Chinese University of Hong Kong; Xiaorui Pan, Indiana University Bloomington; Xiangyu Liu, Alibaba Inc.; Jian Weng, Jinan University; Kehuan Zhang, The Chinese University of Hong Kong; XiaoFeng Wang, Indiana University Bloomington

Abstract: 

The assistive technologies have been integrated into nearly all mainstream operating systems, which assist users with disabilities or difficulties in operating their devices. On Android, Google provides app developers with the accessibility APIs to make their apps accessible. Previous research has demonstrated a variety of stealthy attacks could be launched by exploiting accessibility capabilities (with BIND_ACCESSIBILITY_SERVICE permission granted). However, none of them systematically studied the underlying design of the Android accessibility framework, making the security implications of deploying accessibility features not fully understood.

In this paper, we make the first attempt to systemically evaluate the usage of the accessibility APIs and the design of their supporting architecture. Through code review and a large-scale app scanning study, we find the accessibility APIs have been misused widely. Further, we identify a series of fundamental design shortcomings of the Android accessibility framework: (1) no restriction on the purposes of using the accessibility APIs; (2) no strong guarantee to the integrity of accessibility event processing; (3) no restriction on the properties of custom accessibility events. Based on these observations, we demonstrate two practical attacks—installation hijacking and notification phishing—as showcases. As a result, tens of millions of users are under these threats. The flaws and attack cases described in this paper have been responsibly reported to the Android security team and the corresponding vendors. Besides, we propose some improvement recommendations to mitigate those security threats.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {242044,
author = {Wenrui Diao and Yue Zhang and Li Zhang and Zhou Li and Fenghao Xu and Xiaorui Pan and Xiangyu Liu and Jian Weng and Kehuan Zhang and XiaoFeng Wang},
title = {Kindness is a Risky Business: On the Usage of the Accessibility APIs in Android },
booktitle = {22nd International Symposium on Research in Attacks, Intrusions and Defenses ({RAID} 2019)},
year = {2019},
isbn = {978-1-939133-07-6},
address = {Chaoyang District, Beijing},
pages = {261--275},
url = {https://www.usenix.org/conference/raid2019/presentation/diao},
publisher = {{USENIX} Association},
month = sep,
}