Google is testing a new security feature as part of Android Advanced Protection Mode (AAPM) that prevents certain kinds of apps from using the accessibility services API.
The change, incorporated in Android 17 Beta 2, was first reported by Android Authority last week.
AAPM was introduced by Google in Android 16, released last year. When enabled, it causes the device to enter a heightened security state to guard against sophisticated cyber attacks. Like Apple’s Lockdown Mode, the opt-in feature prioritizes security at the cost of diminished functionality and usability so as to minimize the attack surface.
Some of the core configurations include blocking app installation from unknown sources, restricting USB data signaling, and mandating Google Play Protect scanning.
“Developers can integrate with this feature using the AdvancedProtectionManager API to detect the mode’s status, enabling applications to automatically adopt a hardened security posture or restrict high-risk functionality when a user has opted in,” Google noted in its documentation outlining Android 17’s features.
The latest restriction added to the one-tap security setting aims to prevent apps that are not classified as accessibility tools from being able to leverage the operating system’s accessibility services API. Verified accessibility tools, identified by the isAccessibilityTool=”true” flag, are exempted from this rule.
According to Google, only screen readers, switch-based input systems, voice-based input tools, and Braille-based access programs are designated as accessibility tools. Antivirus software, automation tools, assistants, monitoring apps, cleaners, password managers, and launchers do not fall under this category.
While AccessibilityService has its legitimate use cases, such as assisting users with disabilities in using Android devices and apps, the API has been extensively abused by bad actors in recent years to steal sensitive data from compromised Android devices.
With the latest change, any non-accessibility app that already has the permission will have its privileges automatically revoked when AAPM is active. Users will also not be able to grant apps permissions to the API unless the setting is turned off.
Android 17 also comes with a new contacts picker that allows app developers to specify only the fields they want to access from a user’s contact list (e.g., phone numbers or email addresses) or allow users to share certain contacts with a third-party app.
“This grants your app read access to only the selected data, ensuring granular control while providing a consistent user experience with built-in search, profile switching, and multi-selection capabilities without having to build or maintain the UI,” Google said.
