Google cracks down on apps that misuse accessibility features

A lot of legitimate apps like LastPass use Google's Accessibility Services.

Android's accessibility services are supposed to help disabled folks by letting app-makers integrate spoken feedback, voice commands and more. However, developers like LastPass have been using the functions for other purposes like autofilling passwords and overlaying content. That gives them an easy way to read data from other apps like YouTube, but it also creates a potential security risk. Now, Google is telling app makers that they must show how accessibility code is helping disabled users or their apps will be removed from the Play Store within 30 days.

If you aren't already doing so, you must explain to users how your app is using the [accessibility service] to help users with disabilities use Android devices and apps. Apps that fail to meet this requirement within 30 days may be removed from Google Play. Alternatively, you can remove any requests for accessibility services within your app. You can also choose to unpublish your app.

The policy enforcement could affect apps like LastPass, Tasker, Cerberus and Universal Copy that use accessibility code for key features not intended for handicapped users. "This is really bad news," Universal Copy's developer said on Reddit's Android subreddit. "We will have no other choice than un-publishing the app from the Play Store."

Tasker's developer said that it will have to replace the accessibility services with different code. That will disable some functionality, especially on older Android builds. "I plan to replace app detection with usage stats API," they wrote on a Google forum. "Unfortunately ... people using Tasker on a pre-Lollipop device won't be able to use app contexts anymore."

Google's accessibility restrictions appear to be part of a larger push to improve the security of apps in the Play Store. It recently implemented a new feature called Play Protect to scan apps and added a warning screen to block unverified apps. Accessibility services code can allow applications to access data in other apps, creating juicy security holes that hackers could exploit to steal private data.

The problem, say developers, is that Google never really had a clear policy restricting accessibility services. Because of that, there are now numerous apps that use them for other purposes, and 30 days is not a lot of time to find workarounds. We've reached out to Google for more information.