Tracking non-system accessibility services

      Technique summary
    Technique Tracking non-system accessibility services
    Against Malicious accessibility services
    Limitations Requires QUERY_ALL_PACKAGES privilege
    Side effects This technique will restrict any third-party accessibility service
    Recommendations Not recommended for regular use due to severe restrictions the technique imposes

    This technique is an extension of accessibility services allowlisting.

    A variation of the allowlisting method would be to track those applications with enabled accessibility services that are not installed in the device system image. For this, FLAG_SYSTEM can be checked for all the listed applications.

    Code snippet:

    private void inspectNonSystemA11yServices() { AccessibilityManager am =(AccessibilityManager) mContext. getSystemService(Context.ACCESSIBILITY_SERVICE); a11yServiceList = am.getEnabledAccessibilityServiceList(FEEDBACK_ALL_MASK); // (...) for (AccessibilityServiceInfo asi : a11yServiceList) { packageName = asi.getId().split("/")[0]; try { packageInfo = packageManager.getPackageInfo(packageName, PackageManager.GET_META_DATA); If ((packageInfo.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM)==0) { Log.d(TAG, "[!] app '" + packageName + "' has a11y and is not installed in device system image"); nonSystemA11yAppList.add(packageName); } // (...)



    Table of contents