For years, Android has allowed apps to modify the behavior of other applications, using Accessibility Services. While the intended purpose is for developers to create apps for users with disabilities, the API is often used for other functionality (to overlay content, fill in text fields, etc.). LastPass, Button Mapper, Signal Spy, Tasker, and Greenify are just a few examples of applications heavily using this API.
While Accessibility Services can greatly extend the functionality of applications, they can potentially create a security risk. Once granted the right permissions, the API can be used to read data from other apps. Likely for this reason, Google has sent emails to app developers regarding the usage of Accessibility Services. The developer of BatterySaver received this message:
We’re contacting you because your app, BatterySaver System Shortcut, with package name com.floriandraschbacher.batterysaver.free is requesting the ‘android.permission.BIND_ACCESSIBILITY_SERVICE.’ Apps requesting accessibility services should only be used to help users with disabilities use Android devices and apps. Your app must comply with our Permissions policy and the Prominent Disclosure requirements of our User Data policy.
Action required: If you aren’t already doing so, you must explain to users how your app is using the ‘android.permission.BIND_ACCESSIBILITY_SERVICE’ to help users with disabilities use Android devices and apps. Apps that fail to meet this requirement within 30 days may be removed from Google Play. Alternatively, you can remove any requests for accessibility services within your app. You can also choose to unpublish your app.
Alternatively, you can choose to unpublish the app.
All violations are tracked. Serious or repeated violations of any nature will result in the termination of your developer account, and investigation and possible termination of related Google accounts.
If you’ve reviewed the policy and feel we may have been in error, please reach out to our policy support team. One of my colleagues will get back to you within 2 business days.
The Google Play Review Team
Several other developers have told us they received this email, and there is a Reddit thread full of additional reports. This means many apps will have to severely degrade their functionality if they wish to remain on the Play Store, unless they can convince Google that users with disabilities benefit from them. Some applications, like LastPass, entirely rely on this API and can't function without it.
The developer of AutoTools, Joao Dias, told us this:
"Like the other policy that basically says that 'apps that crash violate developer policy and can be taken down' this new statement is too vague. If we take this literally then even an app that’s meant to be used by disabled people can be banned because it allows users that are not disabled to use it. There’s no way an app can enforce that. Is an app like AutoInput (an app that helps a lot of disabled folks) not allowed because a lot of non-disabled people can benefit from it too? There’s no way to tell."
This could have major ramifications for hundreds of apps, especially ones intended for customization or power users. We've reached out to Google for comment, and we will update this post when they respond.
- Everyone who sent this in