Kindness is a Risky Business: On the Usage of the Accessibility APIs in Android

The assistive technologies have been integrated into nearly all mainstream operating systems, which assist users with disabilities or difficulties in operating their devices. On Android, Google provides app developers with the accessibility APIs to make their apps accessible. Previous research has demonstrated a variety of stealthy attacks could be launched by exploiting accessibility capabilities (with BIND_ACCESSIBILITY_SERVICE permission granted). However, none of them systematically studied the underlying design of the Android accessibility framework, making the security implications of deploying accessibility features not fully understood.

In this paper, we make the first attempt to systemically evaluate the usage of the accessibility APIs and the design of their supporting architecture. Through code review and a large-scale app scanning study, we find the accessibility APIs have been misused widely. Further, we identify a series of fundamental design shortcomings of the Android accessibility framework: (1) no restriction on the purposes of using the accessibility APIs; (2) no strong guarantee to the integrity of accessibility event processing; (3) no restriction on the properties of custom accessibility events. Based on these observations, we demonstrate two practical attacks—installation hijacking and notification phishing—as showcases. As a result, tens of millions of users are under these threats. The flaws and attack cases described in this paper have been responsibly reported to the Android security team and the corresponding vendors. Besides, we propose some improvement recommendations to mitigate those security threats.