
Tracking Non-system Accessibility Services | Guardsquare

Written by Guardsquare | Feb 13, 2024 6:15:04 PM

Technique summary

Technique: Tracking non-system accessibility services
Against: Malicious accessibility services
Limitations: API Level ≥ 34 (Android ≥ 14), requires QUERY_ALL_PACKAGES privilege
Side effects: This technique will restrict any third-party accessibility service
Recommendations: Not recommended for regular use due to the severe restrictions the technique imposes.

This technique is an extension of accessibility services allow-listing.

A variation of the allow-listing method would be to track those applications with enabled accessibility services that are not installed in the device system image. For this, FLAG_SYSTEM can be checked for all the listed applications.

Code snippet:

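    // mContext, TAG and nonSystemA11yAppList are fields of the enclosing class.
    private void inspectNonSystemA11yServices() {
        AccessibilityManager am =
                (AccessibilityManager) mContext.getSystemService(Context.ACCESSIBILITY_SERVICE);
        PackageManager packageManager = mContext.getPackageManager();
        List<AccessibilityServiceInfo> a11yServiceList =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        // (...)
        for (AccessibilityServiceInfo asi : a11yServiceList) {
            // The service id has the form "package/class"; keep the package part.
            String packageName = asi.getId().split("/")[0];
            try {
                PackageInfo packageInfo =
                        packageManager.getPackageInfo(packageName, PackageManager.GET_META_DATA);
                // FLAG_SYSTEM is set for apps installed in the device system image.
                if ((packageInfo.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) == 0) {
                    Log.d(TAG, "[!] app '" + packageName
                            + "' has a11y and is not installed in device system image");
                    nonSystemA11yAppList.add(packageName);
                }
                // (...)
            } catch (PackageManager.NameNotFoundException e) {
                Log.w(TAG, "package '" + packageName + "' not found", e);
            }
        }
    }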
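The snippet above inspects the enabled services once. As an added example (not Guardsquare's code), the class below repeats the same FLAG_SYSTEM check whenever the set of enabled accessibility services changes. The class name `NonSystemA11yTracker`, its `onResult` callback and the choice to observe `Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES` are assumptions of this example.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.database.ContentObserver;
import android.os.Handler;
import android.os.Looper;
import android.provider.Settings;
import android.view.accessibility.AccessibilityManager;
import java.util.Set;
import java.util.TreeSet;
import java.util.function.Consumer;

// Hypothetical helper (not from the original page): rescans when the enabled-services setting changes.
public final class NonSystemA11yTracker extends ContentObserver {
    private final Context context;
    private final Consumer<Set<String>> onResult; // receives non-system package names

    public NonSystemA11yTracker(Context context, Consumer<Set<String>> onResult) {
        super(new Handler(Looper.getMainLooper()));
        this.context = context.getApplicationContext();
        this.onResult = onResult;
    }
    public void start() {
        context.getContentResolver().registerContentObserver(Settings.Secure.getUriFor(
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES), false, this);
        onResult.accept(scan()); // report the initial state
    }
    public void stop() { context.getContentResolver().unregisterContentObserver(this); }
    @Override public void onChange(boolean selfChange) { onResult.accept(scan()); }

    public Set<String> scan() {
        AccessibilityManager am = context.getSystemService(AccessibilityManager.class);
        PackageManager pm = context.getPackageManager();
        Set<String> nonSystem = new TreeSet<>();
        for (AccessibilityServiceInfo asi : am.getEnabledAccessibilityServiceList(
                AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            // Service ids are flattened component names ("package/class").
            ComponentName cn = ComponentName.unflattenFromString(asi.getId());
            String pkg = (cn != null) ? cn.getPackageName() : asi.getId();
            try {
                int flags = pm.getApplicationInfo(pkg, 0).flags;
                if ((flags & ApplicationInfo.FLAG_SYSTEM) == 0) nonSystem.add(pkg);
            } catch (PackageManager.NameNotFoundException e) {
                nonSystem.add(pkg); // not visible or removed: cannot confirm system origin
            }
        }
        return nonSystem;
    }
}
```

The observer only covers changes while the process is alive, so call `scan()` again when a sensitive screen resumes. A system app that has been updated keeps `FLAG_SYSTEM` (and gains `FLAG_UPDATED_SYSTEM_APP`), so this check still treats it as a system app.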