Android 14 is loaded with plenty of new features, and we're trying out all the latest ones right now, following the release of the first public beta this week. The update also includes wonderful accessibility improvements, like better high-contrast text that works with Material You. Sadly, the Accessibility API is also frequently misused by hackers, such as those behind infamous Android malware like Nexus and Cerberus. Thankfully, with Android 14, Google has a new trick up its sleeve to prevent these bad actors from stealing your personal data.

Accessibility services rely on the API to make Android easier to use for people with disabilities, often by performing multiple actions with less user input. Noteworthy examples include TalkBack, Voice Access, and Select to Speak, but individual apps can have their own services too.

To get the job done, accessibility services use elevated permissions, like access to read on-screen content from other apps. But the same Accessibility API that makes a screen reader possible could also let Android malware read and steal two-factor authentication codes. This method has even compromised secure 2FA code delivery through apps like Google Authenticator.

Android expert Mishaal Rahman explains that Android 14 introduces a new attribute apps can use, preventing potentially malicious accessibility tools from accessing security-critical screens, such as those displaying 2FA codes. Android also makes it harder to enable accessibility services for an app manually sideloaded from outside an app store. The system goes out of its way to warn users, so they can make sure they trust the app and actually want to install its accessibility service, hopefully preventing potential API misuse by hackers.

Rahman notes that the methods for blocking Accessibility API usage have changed a little from Android 14 Developer Preview 2 to the first public beta build. Although the feature works the same way, it's a bit smarter in the new beta, allowing the Android system to decide if data is sensitive and automatically block accessibility services. There are also some properties app developers can set to disable accessibility services.

This implementation allows accessibility features like TalkBack to work, but blocks potentially malicious services from sideloaded apps, which could steal 2FA codes. The automatic setting in the beta should also make Android inherently more secure, even if individual app developers don’t put in the effort to use the new provisions.
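For app developers, here is a sketch of how a screen showing a 2FA code can opt in. It is an added example, not code from Rahman or Google. The article does not name the attribute; in the Android 14 SDK (API 34) it is `android:accessibilityDataSensitive` on the view, and trusted services declare `android:isAccessibilityTool="true"`. The function names and `sensitiveTagKey` are hypothetical.

```kotlin
import android.os.Build
import android.view.View
import android.view.ViewGroup

// Mark a view (for example the TextView that shows a one-time code) so that
// only accessibility services declaring isAccessibilityTool="true" can read it.
// XML equivalent on the view: android:accessibilityDataSensitive="yes"
fun protectSensitiveView(view: View) {
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
        view.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES)
    }
    // Below API 34 the attribute does not exist, so the view stays readable
    // by any enabled accessibility service.
}

// Debug-build audit: return every view the app has tagged as sensitive
// (setTag(sensitiveTagKey, true), a hypothetical app convention) that the
// system does not currently treat as accessibility-data-sensitive.
fun findUnprotectedViews(root: View, sensitiveTagKey: Int): List<View> {
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
        return emptyList() // nothing to check: the platform has no such flag
    }
    val unprotected = mutableListOf<View>()
    val pending = ArrayDeque<View>()
    pending.add(root)
    while (pending.isNotEmpty()) {
        val v = pending.removeLast()
        // isAccessibilityDataSensitive reflects the resolved state, so a view
        // left on "auto" under a protected parent is reported as protected.
        if (v.getTag(sensitiveTagKey) == true && !v.isAccessibilityDataSensitive) {
            unprotected += v
        }
        if (v is ViewGroup) {
            for (i in 0 until v.childCount) pending.add(v.getChildAt(i))
        }
    }
    return unprotected
}
```

Calling `findUnprotectedViews` from a debug build or an instrumented test, after the layout is inflated, flags any code-display view that was added without the protection.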

While Google deserves credit for its work, it is important to remember that no failsafe can help if you’re not careful operating your Android device. Most security measures are mere deterrents, and hackers will eventually find another way to get to you. So stay vigilant, and always install applications only from reputable sources like the Google Play Store and APKMirror.