Android 17 Tightens Advanced Protection and Restricts the Accessibility API for Unauthorized Apps


Google is testing an additional security measure within Android Advanced Protection Mode (AAPM) that limits access to the accessibility services API for applications that are not specifically designed to help people with disabilities. The change appeared in Android 17 Beta 2 and has attracted attention because it reduces an attack surface that, in recent years, malicious actors have used to steal sensitive data.

Advanced Protection Mode, introduced with Android 16 as an opt-in option for at-risk users (journalists, activists or executives, for example), puts the device in a hardened security state that sacrifices some conveniences to minimize attack vectors. To learn how it works and which restrictions it applies, see Google's official documentation of its actions and limitations on its support page and in the developer documentation: the Android support article on AAPM and the technical guide at developer.android.com.


The restriction being tested on Android 17 blocks the use of the AccessibilityService API by applications that are not formally declared as accessibility tools. For an app to keep that permission while AAPM is active, it must set the flag isAccessibilityTool = "true" in its configuration and also fall within the categories that Google recognizes as legitimate: screen readers, switch input systems, voice input tools and Braille solutions. Tools such as antivirus apps, automation tools, assistants, cleaners, password managers or launchers do not fall into this classification and would therefore see their capabilities limited when AAPM is activated. More details on how accessibility apps are identified are available in the Google developer guide and in the Play policy center: the AccessibilityService guide and the documentation on isAccessibilityTool.
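As an added illustration (not code from Google or from the original article), this Python sketch audits a decoded app, for example the output of apktool, and reports which of its accessibility services set the isAccessibilityTool flag described above. The manifest, package and service names are constructed samples, and the check covers only the flag, not whether the app fits one of the recognized categories.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
A11Y_META = "android.accessibilityservice"
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'

# Constructed sample: decoded AndroidManifest.xml of a hypothetical app.
MANIFEST = f"""<manifest {NS} package="com.example.demo"><application>
  <service android:name=".ReaderService"
      android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
    <intent-filter><action android:name="{A11Y_ACTION}"/></intent-filter>
    <meta-data android:name="{A11Y_META}" android:resource="@xml/reader"/>
  </service>
  <service android:name=".AutofillHelper"
      android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
    <intent-filter><action android:name="{A11Y_ACTION}"/></intent-filter>
    <meta-data android:name="{A11Y_META}" android:resource="@xml/helper"/>
  </service>
  <service android:name=".SyncService"/>
</application></manifest>"""
RES_XML = {  # constructed res/xml/<name>.xml contents
    "reader": f'<accessibility-service {NS} android:isAccessibilityTool="true"/>',
    "helper": f'<accessibility-service {NS} android:canRetrieveWindowContent="true"/>',
}

def audit_accessibility_services(manifest_xml, res_xml):
    """Map each accessibility service to True if its config sets isAccessibilityTool."""
    report = {}
    for svc in ET.fromstring(manifest_xml).iter("service"):
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        if A11Y_ACTION not in actions:
            continue  # not an accessibility service
        declared = False
        for meta in svc.findall("meta-data"):
            if meta.get(ANDROID + "name") != A11Y_META:
                continue
            # "@xml/reader" -> "reader"; a missing config file counts as undeclared
            config = res_xml.get(meta.get(ANDROID + "resource", "").rpartition("/")[2])
            if config is not None:
                value = ET.fromstring(config).get(ANDROID + "isAccessibilityTool", "false")
                # Unresolved references such as "@bool/x" are treated as undeclared.
                declared = value.strip().lower() == "true"
        report[svc.get(ANDROID + "name")] = declared
    return report

if __name__ == "__main__":
    for name, ok in audit_accessibility_services(MANIFEST, RES_XML).items():
        print(name, "sets isAccessibilityTool" if ok else "lacks isAccessibilityTool")
```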

The reason for this decision is clear: although the accessibility services API has legitimate and valuable uses for users with special needs, it has also been abused by malicious applications to capture on-screen information, intercept events and exfiltrate credentials. By automatically disabling accessibility permissions for apps that are not accessibility tools when AAPM is active, Google intends to close a vector that has been frequently exploited. In addition, while the mode is on, users cannot manually grant this permission to unauthorized applications, which adds a further layer of protection.

For developers, Google suggests integrating AAPM status detection through its Advanced Protection management API, so that applications can adapt their behavior when the user has opted into that higher security profile. The API and its recommendations are described in the official technical documentation: AdvancedProtectionManager. This makes it possible, for example, to disable high-risk functionality or redirect to flows that do not require access to the accessibility API where appropriate.

Another new feature in Android 17 is a more granular contact picker that lets applications request access only to the fields they really need, such as phone numbers or email addresses, or lets the user select specific contacts without exposing the full address book. According to Google, this new approach offers a uniform user experience, with integrated search, profile switching and multiple selection, and reduces data exposure by limiting reads to what is strictly necessary. The explanation of this functionality is part of the Android 17 news summary on the official site: Android 17 features.


In practice, these measures represent a trade-off: users who prioritize security obtain stronger protection against known information theft techniques, at the cost of some applications losing functions that depend on the accessibility API. For most users that will probably not be a problem, but organizations and developers that offer legitimate accessibility-based services will need to verify that they meet Google's requirements and, if appropriate, adapt their apps.

If you are concerned about the exposure of your data and are a user more likely to be the subject of targeted attacks, activating Advanced Protection Mode can be a sensible measure. If you are a developer, check Google's documentation to make sure your application correctly declares its purpose and uses the recommended APIs to detect and respect the AAPM status. To follow the media and technical coverage of this update, you can read the initial Android Authority report on Android 17 Beta 2 (Android Authority) in addition to the official sources listed above.

In short, the changes in Android 17 show a clear commitment to hardening the platform against known abuses, strengthening protection for high-risk users and pushing the industry to clearly separate tools that offer legitimate accessibility from utilities that, although practical, should not have access without additional controls.
