
Android 17 introduces a new security feature in Android Advanced Protection Mode (AAPM) that blocks apps that are not accessibility tools from using the Accessibility API, according to reports from Android Authority and details included in the Android 17 Beta 2 release.
The change is designed to prevent malware from abusing accessibility services to spy on users, steal sensitive information, or take control of devices.
Accessibility API Abuse Has Been A Known Malware Vector
The AccessibilityService API allows apps to interact deeply with the Android interface so people with disabilities can navigate and control their devices.
Apps built specifically for accessibility can declare the isAccessibilityTool attribute and are exempt from some disclosure requirements.
However, the same capabilities have been exploited by malicious software. In previous cases, malware has used accessibility services to read screen content, capture keystrokes, click buttons automatically, grant permissions to itself, and steal sensitive data such as banking credentials.
Because accessibility services can control the user interface, attackers have also used them to install additional malware, perform fraudulent transactions, and bypass security prompts.
Advanced Protection Mode Tightens Device Security
Under the new Advanced Protection Mode, Android will restrict the Accessibility Services API so that only verified accessibility tools marked with isAccessibilityTool="true" can use it.
According to Google, the feature is optional and can be activated by users through a single configuration setting that applies a stricter security profile.
The profile's protections include blocking app installation from unknown sources, limiting USB data access, and requiring device scans through Google Play Protect.
Developers can also detect when the mode is active using the AdvancedProtectionManager API, allowing apps to automatically enable stronger security controls or restrict high-risk features when Advanced Protection Mode is enabled.
Only Verified Accessibility Tools Are Allowed
Google said that only tools designed specifically for accessibility purposes will qualify for the new exemption.
Examples include screen readers, switch-input systems, voice input tools, and Braille access applications.
Other types of apps that previously relied on accessibility services, such as antivirus tools, automation apps, assistants, cleaners, password managers, and launchers, will not qualify as accessibility tools under the new policy.
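For teams that maintain or vet apps with an accessibility service, the rule described above can be checked ahead of time. The following Python script is an added example, not code from Google or the cited reports: it reads decoded accessibility-service config XML and reports which services declare isAccessibilityTool="true". The package names and XML samples are constructed, and the script checks only the declared attribute, not whether an app actually qualifies as a verified accessibility tool.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
TOOL_ATTR = f"{{{ANDROID_NS}}}isAccessibilityTool"

# Constructed sample inputs: decoded accessibility-service config XML
# (the resource an app references from its android.accessibilityservice
# <meta-data>), keyed by hypothetical package names.
SAMPLE_CONFIGS = {
    "com.example.screenreader": """<accessibility-service
        xmlns:android="http://schemas.android.com/apk/res/android"
        android:isAccessibilityTool="true"
        android:canRetrieveWindowContent="true" />""",
    "com.example.automation": """<accessibility-service
        xmlns:android="http://schemas.android.com/apk/res/android"
        android:canRetrieveWindowContent="true"
        android:canPerformGestures="true" />""",
    "com.example.cleaner": """<accessibility-service
        xmlns:android="http://schemas.android.com/apk/res/android"
        android:isAccessibilityTool="false" />""",
    "com.example.broken": "<accessibility-service",
}

def declares_accessibility_tool(config_xml: str) -> bool:
    """True only if the root <accessibility-service> sets isAccessibilityTool="true"."""
    root = ET.fromstring(config_xml)
    if root.tag != "accessibility-service":
        raise ValueError(f"unexpected root element: {root.tag}")
    value = root.get(TOOL_ATTR, "false").strip().lower()  # absent attribute defaults to false
    if value.startswith("@"):
        raise ValueError("resource reference, resolve by hand")
    return value == "true"

def audit(configs: dict) -> dict:
    """Map each package to 'allowed', 'blocked' or 'unparseable'."""
    report = {}
    for package, xml_text in configs.items():
        try:
            ok = declares_accessibility_tool(xml_text)
        except (ET.ParseError, ValueError):
            report[package] = "unparseable"  # needs manual review
            continue
        report[package] = "allowed" if ok else "blocked"
    return report

if __name__ == "__main__":
    for package, verdict in audit(SAMPLE_CONFIGS).items():
        print(f"{verdict:12} {package}")
```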
Android 17 Also Introduces A Privacy-Focused Contacts Picker
Android 17 also includes a redesigned contacts picker intended to give users more control over how apps access their personal data.
Instead of requesting full access to the address book through the READ_CONTACTS permission, apps can request only specific contact fields such as phone numbers or email addresses.
Users can then choose exactly which contacts to share with the requesting app.
Google said the standardized interface also includes built-in search, profile switching, and multi-selection features, allowing developers to integrate contact sharing without building their own interface.
The change is intended to reduce unnecessary data exposure while maintaining a consistent user experience across Android apps.
