Security issues with Android Accessibility
There is a pretty famous app in India known as Voodoo. What it does is it reads text from certain e-commerce apps and then compares it across other platforms and then shows you best options to buy. A lot of other apps also ask for this Accessibility permission. Reading screen text is a area which developers rarely touch and care about but this can cause to a major security loophole in your app.
So to begin with, Voodoo asks the users for the accessibility permission in order to work. Now the accessibility permission is tricky. It says the app can read text from the screen. But the users assume all the sensitive fields are blocked from the accessibility scope. This is where developers have to take care of.
There is a new login design widely used these days in which users are given an option to show or hide the password while typing or before submitting. Now all the views emit Accessibility events and an app with the accessibility permissions can receive those events and can get access to some crucial information. For a Text-Field(EditText in android) one can get the id Of the view,the activity where the view is and the “Text typed on the Text-Field”.
This issue is a problem as really big tech companies(e.g Flipkart and paytm) are vulnerable to this issue.Even your WhatsApp. Here are some screenshots of this issue in action.
So the issue here is the text on text fields with input type set as password are default set to null but in order to show the text some apps set the input type to normal on user action and end up exposing the password. Since it emits the view’s id and we can know the current screen it’s easy to get the user’s sensitive information.
Since Marshmallow in some cases the ID can be null but still one can figure out the activity name and from all the get all the text printed on a screen launch and get the credentials easily
I have made a sample app which you can downlaod from this github repo(Inside APK folder).This app need accessibility permission to work. With accessibility permission it prints all the readable texts on it’s own UI.
This can be harmful as the users are currently unaware of the implications of accessibility permission and assume that sensitive information will anyways be hidden even to the apps with accessibility permission. So it’s up to the developers to handle these scenarios. Well it’s fairly simple.
ViewCompat.setImportantForAccessibility(your_view,
ViewCompat.IMPORTANT_FOR_ACCESSIBILITY_NO);As per the responses to this post by Alan Viverette and Ataul Munim doing this will stop legitimate accessibility apps like Talkback to access these views. So for visually impaired users it will be hard to use these fields. Ataul Munim suggests another approach which warns the user if any other accessibility service is running. So you can consider using that as well.
But considering the major app user audience and the any other apps which ask for accessibility which can not be trusted this fix suggested can help.So use this fix with caution.
