Wednesday, November 15, 2017

Some thoughts on Google's move to restrict accessibility service

In the last couple of days, many reports (see XDA developers, The Hacker News) appeared about Google emailing app developers about a new restriction affecting the Android accessibility service (a11y, in short). The gist: in 30 days, apps should use a11y only to implement features to assist users with disabilities; apps misusing a11y (even for benign purposes) will get kicked out of the store.

I am one of the many researchers who showed how a11y poses severe issues for Android security. I did it by showing how you could mount a number of devastating attacks, and other researchers recently found real-world malware abusing it (see Zimperium's post on Clicking Bot Apps, or TrendMicro's post on a11y abuse).

It has been a community effort, and Google is finally taking action. But I don't understand how this move by Google is going to help the ecosystem. Here are my thoughts.

The good guys and the ecosystem are negatively affected

  • Many popular apps use a11y. Apps like LastPass, antivirus apps, and app lockers all use a11y to (hackishly) implement features that would otherwise be impossible to implement. Among the apps we looked at, none use a11y to assist people with disabilities.
  • The good guys *need* to comply with the new policy: there are companies behind these products, and they can't afford to mess with Google. Either they adapt, or their apps are out of the store.
  • If the policy is actually enforced, some apps will be damaged but still somehow usable (like LastPass: people can always copy/paste their passwords 'manually'), but other apps will need to shut down.
  • As a reaction, I fear that the good guys may start offering "if you want all our a11y-backed features, please download the APK from our website." This direction is bad. It will push users to unsafe behaviors: if people get used to "install an APK from a website," many more people will have 'side loading' enabled, and phishing websites will have more chances to lure users to install malicious repackaged apps ("which website should I visit to get the latest version of XYZ?") -- after all, it is "OK" to install random APKs from a website. The lack of a centralized 'store' is how tons of Windows users end up with crap on their machines. The Play Store is far from being malware-free, but it's much better than having users Googling for 'the right website' to get app XYZ.

Bad guys probably don't care much

  • The bad guys hosting apps on the Play Store will just need to find an excuse to claim "we use a11y for assisting people with disabilities." How can Google check if they are lying?
  • Given the latest news on WhatsApp/Facebook clones (see Motherboard article), it's clear that Google is currently lagging behind on effective malware detection tools: a single researcher was able to find all these clones, without having access to Google's infrastructure. Now, this 'clone detection task' may be difficult, but I argue it is much simpler than determining the intent of a11y features from a behavioral point of view. So how Google will be able to determine, at scale, whether an a11y feature is OK or not is a mystery to me.
  • Many apps are already installed from third-party markets (especially outside the US). Bad guys hosting their malware there are not affected.

Can't LastPass use the new AutoFill API?

Yes. But, unfortunately, the AutoFill API is only available in Android's latest version, Android O, which, according to Google's dashboard, only 0.3% of devices currently run. Yesterday LastPass published a short blog post, where they state that "they are working with Google." The post says that there is "no immediate impact to our Android users". Well, we knew already that the kickout party will be in ~30 days, so this doesn't say much. I hope they will find a deal.

Can't Google add a backward-compatibility layer for older versions?

Without modifying the framework, I have no idea how they could do it. Tricks you can do with a11y clearly bypass many security barriers. *If* there is a way to do this without framework modifications, then we'll see more papers on how to abuse this ;-) If there is no way to do it, then we need framework modifications, which millions of devices will never see anyway. Ouch.

What's Google's plan?

Honestly, I have no idea. I somehow hope that Google will actually be quite lenient with well-known apps. But how can they select which apps are OK? Do they need to have 1M+ installs? How do you set the threshold? I don't know. Don't get me wrong, there are tons of super smart folks working at Google. I'm sure they have a plan. Here I'm just saying, I have no idea what's going on :-)


It turns out that the Android folks changed their minds. According to this report on ArsTechnica, Google paused its decision to ban a11y-related apps for another 30 days while it considers responsible uses of accessibility services.
