Google is introducing a change with Android 13 that will prevent sideloaded apps from abusing the Accessibility APIs. The Restricted setting feature will block the user from enabling the accessibility service for malicious applications. Upon identifying such an app, the Accessibility settings for that app will become inaccessible, and users will see a "Restricted setting" dialog stating that the setting is currently unavailable. But that's not all there is to the new feature.

According to Mishaal Rahman, the Restricted setting feature will also block users from enabling an app's Notification Listener. For the unaware, Android's NotificationListenerService API lets apps intercept and interact with all notifications on a user's behalf. If a malicious app gets access to the API, it can read all incoming notifications and get access to sensitive information. Android 13's Restricted setting feature prevents that for all apps sideloaded using a non-session-based package installer.

Since most app stores use the session-based package installer, this restriction won't apply to apps downloaded from app stores. It will only block apps that users sideload from outside of app stores, like through a browser or messaging app. However, there is a workaround to prevent the feature from blocking access for sideloaded apps.

Rahman notes that it's "possible to acknowledge the restricted setting dialog and then re-enable access" to the Accessibility settings. You can learn more about the workaround in this blog post.
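Because the dialog can be acknowledged and access re-enabled, it is still worth checking which apps hold these two grants. The following is an added example, not code from the article or from Android: it cross-references the enabled accessibility services and notification listeners with each package's recorded installer. The store allowlist and the sample data are assumptions, and the installer package name is only a proxy for the session-based check the feature itself applies.

```python
# Added example (not from the article); all sample data is constructed.
# Assumption: installer packages this fleet treats as app stores.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed stand-ins for output captured with:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure enabled_notification_listeners
#   adb shell pm list packages -i
SAMPLE_A11Y = "com.example.reader/com.example.reader.A11y:com.example.cleaner/.Helper"
SAMPLE_NLS = "com.example.cleaner/.Notif:com.example.watch/com.example.watch.Listener"
SAMPLE_PM = """\
package:com.example.reader  installer=com.android.vending
package:com.example.cleaner  installer=null
package:com.example.watch  installer=com.android.vending
"""

def parse_components(value):
    """Package names from a colon-separated 'pkg/class' settings value."""
    value = value.strip()
    if value in ("", "null"):
        return set()
    return {c.split("/", 1)[0] for c in value.split(":") if c}

def parse_installers(pm_output):
    """Map package -> installer (None when recorded as null)."""
    installers = {}
    for line in pm_output.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer=") and field != "installer=null":
                installer = field[len("installer="):]
        installers[fields[0][len("package:"):]] = installer
    return installers

def audit(a11y, listeners, pm_output):
    """(package, grants, installer) for grant holders not installed by a store."""
    installers = parse_installers(pm_output)
    grants = {}
    for name, value in (("accessibility", a11y), ("notification_listener", listeners)):
        for pkg in parse_components(value):
            grants.setdefault(pkg, []).append(name)
    return [(pkg, grants[pkg], installers.get(pkg)) for pkg in sorted(grants)
            if installers.get(pkg) not in TRUSTED_INSTALLERS]

if __name__ == "__main__":
    for finding in audit(SAMPLE_A11Y, SAMPLE_NLS, SAMPLE_PM):
        print(finding)
```

Preinstalled system services can also report no installer, so treat the output as a review list rather than a verdict.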


Featured image credit: Mishaal Rahman