Android 13 introduces new restrictions, malware will not be able to use accessibility APIs

The Accessibility API on Android devices is a very powerful tool. Google designed this API to allow developers to use it to build corresponding assistive applications for people with disabilities, so that people with disabilities can also use these modern devices and services conveniently. The Accessibility API allows applications to read screen content and perform input on behalf of users. Today, many screen readers and alternative input systems are using this API.

But while the Accessibility API provides convenient features, it also opens the door to malicious apps that want to steal data from users. This is one reason why Google has been tightening its policies on apps using the Accessibility API. In Android 13, Google has further tightened its policies and will strictly limit user access to the Accessibility API for apps installed outside the app store.

First of all, it should be pointed out that in Android 13, users can still choose to install applications from outside the Google Play Store, and the new restrictions will not make this feature disappear from Android phones. However, starting with Android 13, Google will not allow applications installed from unverified external sources to use the Accessibility API.

Google did not "kill" all applications installed from external sources with one stick. This restriction does not target applications downloaded from legitimate sources (such as Google's own official app store Google Play Store, and F-Droid, which has a verified source). The latest policy only affects APK files that users obtain from untrustworthy sources. This is because applications obtained through unverified channels can disguise themselves as a benign service and use the Accessibility API to steal users' confidential data.

Google stated in a statement that the new restrictions of the Android 13 system will not allow users to manually enable accessibility permissions for specific apps when such apps are restricted. In this case, if the user still chooses to grant access, the system will display an error message and prompt "For your security, this setting is currently unavailable" (as shown in the figure above).