Android 17 Beta 2 Tightens Security, Restricting Accessibility API Access

Google is bolstering Android security with the release of Android 17 Beta 2, introducing stricter controls over the AccessibilityService API. This change, part of the Advanced Protection Mode, aims to prevent malicious apps from exploiting accessibility features while potentially impacting the functionality of legitimate automation and customization tools.

What is Changing with Android 17 Beta 2?

Android 17 Beta 2 now restricts apps not officially classified as accessibility tools from accessing the AccessibilityService API when Advanced Protection Mode is enabled. Previously, apps could utilize this API for functions beyond assisting users with disabilities, a practice increasingly exploited by malware. The update blocks new permission grants and revokes existing ones for non-accessibility apps while Advanced Protection is active. Android Authority first reported on the changes.

Why is the AccessibilityService API a Security Concern?

The AccessibilityService API is designed to facilitate users with disabilities interact with their devices through features like screen readers and switch-based input systems. Though, its powerful capabilities have been repeatedly misused by malicious actors. Beebom highlights that malware, such as the Anatsa banking Trojan and Copybara, has leveraged this API to steal login credentials and sensitive information.

Impact on Users and Apps

Enabling Advanced Protection Mode in Android 17 Beta 2 may cause issues with apps that rely on the AccessibilityService API for non-accessibility functions. This includes:

• Automation tools like Tasker
• Customization apps
• Certain launchers, such as SmartLauncher
• Overlay and customization applications

Users encountering restrictions will receive a prompt informing them that the app is “Restricted by Advanced Security” and offering the option to disable Advanced Protection. CCStartup details this user experience.

Legitimate Accessibility Tools are Exempt

Google clarifies that apps specifically designed and declared as accessibility tools will remain unaffected. These apps must have a valid declaration to be exempted from the restrictions. FindArticles emphasizes that genuine assistive technologies will continue to function normally.

A History of Addressing Accessibility Abuse

Google has been aware of the misuse of the AccessibilityService API for years. In 2017, the company threatened to remove apps from the Play Store that abused the API, but this threat has not been consistently enforced. The current changes in Android 17 Beta 2 represent a more assertive approach to securing the platform.

Advanced Protection Mode: A Broader Security Strategy

Advanced Protection Mode was initially introduced in Android 16 as a one-tap security feature for users seeking stronger protection against attacks and harmful apps. Android 17 Beta 2’s update builds upon this foundation, making it a more effective shield against accessibility-based abuse.