Tracking non-system accessibility services

    Technique summary

    Technique: Tracking non-system accessibility services
    Against: Malicious accessibility services
    Limitations: Requires QUERY_ALL_PACKAGES privilege
    Side effects: This technique will restrict any third-party accessibility service
    Recommendations: Not recommended for regular use due to severe restrictions the technique imposes

    This technique is an extension of accessibility services allowlisting.

    A variation of the allowlisting method is to track applications that have an enabled accessibility service and are not installed in the device system image. To do this, check FLAG_SYSTEM for each of the listed applications.

    Code snippet:

    Java:

        import android.accessibilityservice.AccessibilityServiceInfo;
        import android.content.Context;
        import android.content.pm.ApplicationInfo;
        import android.content.pm.PackageInfo;
        import android.content.pm.PackageManager;
        import android.util.Log;
        import java.util.ArrayList;
        import java.util.List;

        private List<String> getListOfNonSystemEnabledAccessibilityServices(Context context) {
            List<AccessibilityServiceInfo> a11yServiceList = getListOfEnabledA11yServices(context);
            List<String> nonSystemA11yAppList = new ArrayList<>();
            String packageName;
            PackageManager packageManager = context.getPackageManager();
            PackageInfo packageInfo;
            for (AccessibilityServiceInfo asi : a11yServiceList) {
                // The service id has the form "<package>/<class>"; keep the package part.
                packageName = asi.getId().split("/")[0];
                try {
                    packageInfo = packageManager.getPackageInfo(packageName, PackageManager.GET_META_DATA);
                    // FLAG_SYSTEM is set only for apps installed in the device system image.
                    if ((packageInfo.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) == 0) {
                        Log.d("APP_INSPECTOR", "[!] app '" + packageName + "' has a11y and is not installed in device system image");
                        nonSystemA11yAppList.add(packageName);
                    }
                } catch (PackageManager.NameNotFoundException e) {
                    // (...)
                }
            }
            return nonSystemA11yAppList;
        }

    Kotlin:

        import android.content.Context
        import android.content.pm.ApplicationInfo
        import android.content.pm.PackageInfo
        import android.content.pm.PackageManager
        import android.util.Log

        private fun getListOfNonSystemEnabledAccessibilityServices(context: Context): List<String> {
            val a11yServiceList = getListOfEnabledA11yServices(context)
            val nonSystemA11yAppList: MutableList<String> = ArrayList()
            var packageName: String
            val packageManager = context.packageManager
            var packageInfo: PackageInfo
            for (asi in a11yServiceList) {
                // The service id has the form "<package>/<class>"; keep the package part.
                packageName = asi.id.split("/").first()
                try {
                    packageInfo = packageManager.getPackageInfo(
                        packageName,
                        PackageManager.GET_META_DATA
                    )
                    // FLAG_SYSTEM is set only for apps installed in the device system image.
                    if (packageInfo.applicationInfo.flags and ApplicationInfo.FLAG_SYSTEM == 0) {
                        Log.d("APP_INSPECTOR", "[!] app '$packageName' has a11y and is not installed in device system image")
                        nonSystemA11yAppList.add(packageName)
                    }
                } catch (e: PackageManager.NameNotFoundException) {
                    // (...)
                }
            }
            return nonSystemA11yAppList
        }
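
    The following is an added example, not code from the original page: a fail-closed variant of the check in which a package whose lookup fails is reported instead of skipped, because the lookup can fail when the package is not visible to the calling app (the QUERY_ALL_PACKAGES limitation above). The class name NonSystemA11yCheck and the enabledServices() helper, which stands in for getListOfEnabledA11yServices() (not defined on this page), are assumptions.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.List;

/** Added example (hypothetical class name): fail-closed variant of the FLAG_SYSTEM check. */
public final class NonSystemA11yCheck {

    /** Assumed stand-in for getListOfEnabledA11yServices(), which this page does not show. */
    static List<AccessibilityServiceInfo> enabledServices(Context context) {
        AccessibilityManager am =
                (AccessibilityManager) context.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) {
            return new ArrayList<>();
        }
        return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
    }

    /**
     * Returns the packages that have an enabled accessibility service and are not
     * proven to be part of the system image. A failed lookup counts as "not proven".
     */
    public static List<String> untrustedPackages(Context context) {
        PackageManager pm = context.getPackageManager();
        List<String> result = new ArrayList<>();
        for (AccessibilityServiceInfo asi : enabledServices(context)) {
            // The service id has the form "<package>/<class>"; keep the package part.
            String packageName = asi.getId().split("/")[0];
            boolean isSystem;
            try {
                ApplicationInfo ai = pm.getApplicationInfo(packageName, 0);
                isSystem = (ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            } catch (PackageManager.NameNotFoundException e) {
                // Without QUERY_ALL_PACKAGES the package may be hidden from this app
                // (package visibility filtering, Android 11+): report it, do not skip it.
                isSystem = false;
            }
            // One package can expose several services; list it once.
            if (!isSystem && !result.contains(packageName)) {
                result.add(packageName);
            }
        }
        return result;
    }
}
```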

     

    Guardsquare
