Skip to content

Passwords should be invisible to the accessibility services #15

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Passwords should be invisible to the accessibility services #15

wants to merge 1 commit into from

Conversation

mohammadnaseri
Copy link

Due to recent attacks, malicious apps that are using the accessibility service can capture all user inputs. In this case, the passwords should be ignored for the accessibility service, so such attacks cannot happen. This is done by our research project in CISPA, Saarland University, Germany.

@sorz
Copy link
Owner

sorz commented Aug 12, 2018

Hi, can you give more information about this issue?

Is it considered a defect in the Android framework/system itself? Since the system should know well that the input field may contain password. (It already has android:inputType="textPassword")

Does this fix affect any normal usage of the accessibility service, such as a screen reader?

Thanks.

@mohammadnaseri
Copy link
Author

The problem is as follows when there are enabled accessibility services on the device. Then all those apps can actually receive whatever user enters including the password.
This fix affects screen readers if they are used for the passwords.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mohammadnaseri @sorz