Android 13 is getting new sideloading restrictions, but they are good.



TL;DR

  • Google is introducing new restrictions on sideloaded apps with Android 13.
  • Users won’t be able to give accessibility permissions to these apps.
  • The idea is to stop apps from less legitimate sources from misusing the API and scamming users.

Android 13 will bring new restrictions on sideloaded apps. No, sideloading is not going away from Android phones. Google just wants to make it safer to sideload apps so bad actors can’t misuse them and inject malware into your devices.

According to Mishaal Rahman, Senior Technical Editor at Esper, Google won’t allow sideloaded apps to use the Accessibility API starting with Android 13.

Many Play Store and third-party apps use the Accessibility API to provide useful features. For instance, TalkBack, the Google screen reader included on Android devices, uses the Accessibility API to read the contents of the screen on behalf of those who have vision problems.

However, the API can also be misused since it gives an app full control of your device. If you’ve ever installed an app that uses the Accessibility API, you would have noticed a prompt warning you that the app will be granted the ability to “view and control the screen” and “view and perform actions” on your behalf.

Because of the powerful nature of the Accessibility API, Google has been cracking down on its use for many years now. The most recent example is when the company changed its Play Store policies to restrict all call recording apps from accessing the API. In this case, Google said that the “Accessibility API is not designed and cannot be requested for remote call audio recording.” Developers have till May 11 to comply with Google’s policy.

Android 13’s restrictions are a bit different, though. They don’t target apps downloaded or sideloaded from a legitimate source such as the Google Play Store or F-Droid. They only affect user-acquired APK files from sources that aren’t trustworthy. That’s because an app can disguise itself as a well-intentioned service and use the Accessibility API to steal confidential user data.

Google told Esper that Android 13 might block users from granting accessibility permissions to a sideloaded app. When the restriction is applied, the service will be grayed out, and tapping it will bring up a prompt saying, “for your security, this setting is currently unavailable.” The system will determine whether an app has come from an app store or another source during installation.


