CISPA

A11y and Privacy don't have to be mutually exclusive: Constraining Accessibility Service Misuse on Android

conference contribution
posted on 2023-11-29, 18:16 authored by Jie Huang, Michael Backes, Sven Bugiel
Accessibility features of Android are crucial in assisting people with disabilities or impairment to navigate their devices. However, the same, powerful features are commonly misused by shady apps for malevolent purposes, such as stealing data from other apps. Unfortunately, existing defenses do not allow apps to protect themselves and at the same time to be fully inclusive to users with accessibility needs. To enhance the privacy protection of the user while preserving the accessibility features for assistive apps, we introduce an extension to Android’s accessibility framework. Our design is based on a study of how accessibility features are used in 95 existing accessibility apps of different types (malware, utility, and a11y). Based on those insights, we propose to model the usage of the accessibility framework as a pipeline of code modules, which are all sandboxed on the system-side. By policing the data flows of those modules, we achieve a more fine-grained control over the access to accessibility features and the way they are used in apps, allowing a balance between accessibility functionality for dependent users and reduced privacy risks. We demonstrate the feasibility of our solution by migrating two real-world apps to our privacy-enhanced accessibility framework.

History

Preferred Citation

Jie Huang, Michael Backes and Sven Bugiel. A11y and Privacy don't have to be mutually exclusive: Constraining Accessibility Service Misuse on Android. In: Usenix Security Symposium (USENIX-Security). 2021.

Primary Research Area

  • Secure Connected and Mobile Systems

Name of Conference

Usenix Security Symposium (USENIX-Security)

Legacy Posted Date

2021-04-30

Open Access Type

  • Gold

BibTeX

@inproceedings{cispa_all_3393,
  title = "A11y and Privacy don't have to be mutually exclusive: Constraining Accessibility Service Misuse on Android",
  author = "Huang, Jie and Backes, Michael and Bugiel, Sven",
  booktitle = "{Usenix Security Symposium (USENIX-Security)}",
  year = "2021",
}
