{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,23]],"date-time":"2025-12-23T00:29:03Z","timestamp":1766449743446},"reference-count":25,"publisher":"Privacy Enhancing Technologies Symposium Advisory Board","issue":"2","license":[{"start":{"date-parts":[[2019,4,1]],"date-time":"2019-04-01T00:00:00Z","timestamp":1554076800000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by-nc-nd\/3.0"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2019,4,1]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>To support users with disabilities, Android provides the <jats:italic>accessibility services<\/jats:italic>, which implement means of navigating through an app. According to the Android developer\u2019s guide: <jats:italic>\u201cAccessibility services should only be used to assist users with disabilities in using Android devices and apps\u201d<\/jats:italic>. However, developers are free to use this service without any restrictions, giving them critical privileges such as monitoring user input or screen content to capture sensitive information. In this paper, we show that simply enabling the accessibility service leaves 72 % of the top finance and 80 % of the top social media apps vulnerable to eavesdropping attacks, leaking sensitive information such as logins and passwords. A combination of several tools and recommendations could mitigate the privacy risks: We introduce an analysis technique that detects most of these issues automatically, <jats:italic>e.g.<\/jats:italic> in an app store. We also found that these issues can be automatically fixed in almost all cases; our fixes have been accepted by 70 % of the surveyed developers. 
Finally, we designed a notification mechanism which would warn users against possible misuses of the accessibility services; 50 % of users would follow these notifications.<\/jats:p>","DOI":"10.2478\/popets-2019-0031","type":"journal-article","created":{"date-parts":[[2019,5,6]],"date-time":"2019-05-06T15:27:08Z","timestamp":1557156428000},"page":"291-305","source":"Crossref","is-referenced-by-count":15,"title":["AccessiLeaks: Investigating Privacy Leaks Exposed by the Android Accessibility Service"],"prefix":"10.56553","volume":"2019","author":[{"given":"Mohammad","family":"Naseri","sequence":"first","affiliation":[{"name":"Saarland University ,"}]},{"suffix":"Jr","given":"Nataniel P.","family":"Borges","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center i.G. ,"}]},{"given":"Andreas","family":"Zeller","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center i.G. ,"}]},{"given":"Romain","family":"Rouvoy","sequence":"additional","affiliation":[{"name":"Univ. Lille \/ Inria \/ IUF ,"}]}],"member":"35752","published-online":{"date-parts":[[2019,5,4]]},"reference":[{"key":"2022062314362174179_j_popets-2019-0031_ref_001_w2aab3b7c16b1b6b1ab1ab1Aa","doi-asserted-by":"crossref","unstructured":"[1] Y. Acar, M. Backes, S. Fahl, D. Kim, M. L. Mazurek, and C. Stransky. 2016. You Get Where You\u2019re Looking for: The Impact of Information Sources on Code Security. In 2016 IEEE Symposium on Security and Privacy (SP). IEEE, San Jose, CA, USA, 289\u2013305. https:\/\/doi.org\/10.1109\/SP.2016.25","DOI":"10.1109\/SP.2016.25"},{"key":"2022062314362174179_j_popets-2019-0031_ref_002_w2aab3b7c16b1b6b1ab1ab2Aa","doi-asserted-by":"crossref","unstructured":"[2] Efthimios Alepis and Constantinos Patsakis. 2017. Hey Doc, Is This Normal?: Exploring Android Permissions in the Post Marshmallow Era. In Security, Privacy, and Applied Cryptography Engineering, Sk Subidh Ali, Jean-Luc Danger, and Thomas Eisenbarth (Eds.). 
Springer International Publishing, Cham, 53\u201373.","DOI":"10.1007\/978-3-319-71501-8_4"},{"key":"2022062314362174179_j_popets-2019-0031_ref_003_w2aab3b7c16b1b6b1ab1ab3Aa","doi-asserted-by":"crossref","unstructured":"[3] Kevin Allix, Tegawend\u00e9 F. Bissyand\u00e9, Jacques Klein, and Yves Le Traon. 2016. AndroZoo: Collecting Millions of Android Apps for the Research Community. In Proceedings of the 13th International Conference on Mining Software Repositories (MSR \u201916). 468\u2013471. https:\/\/doi.org\/10.1145\/2901739.2903508","DOI":"10.1145\/2901739.2903508"},{"key":"2022062314362174179_j_popets-2019-0031_ref_004_w2aab3b7c16b1b6b1ab1ab4Aa","doi-asserted-by":"crossref","unstructured":"[4] Vitalii Avdiienko, Konstantin Kuznetsov, Alessandra Gorla, Andreas Zeller, Steven Arzt, Siegfried Rasthofer, and Eric Bodden. 2015. Mining Apps for Abnormal Usage of Sensitive Data. In 37th IEEE\/ACM International Conference on Software Engineering, ICSE 2015, Florence, Italy, May 16-24, 2015, Volume 1. IEEE Computer Society, Florence, Italy, 426\u2013436. https:\/\/doi.org\/10.1109\/ICSE.2015.61","DOI":"10.1109\/ICSE.2015.61"},{"key":"2022062314362174179_j_popets-2019-0031_ref_005_w2aab3b7c16b1b6b1ab1ab5Aa","unstructured":"[5] Bram Bonn\u00e9, Sai Teja Peddinti, Igor Bilogrevic, and Nina Taft. 2017. Exploring decision making with Android\u2019s run-time permission dialogs using in-context surveys. In Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017). USENIX Association, 195\u2013210."},{"key":"2022062314362174179_j_popets-2019-0031_ref_006_w2aab3b7c16b1b6b1ab1ab6Aa","doi-asserted-by":"crossref","unstructured":"[6] Dimitrios Damopoulos, Georgios Kambourakis, and Stefanos Gritzalis. 2013. From keyloggers to touchloggers: Take the rough with the smooth. 
Computers & security 32 (2013), 102\u2013114.","DOI":"10.1016\/j.cose.2012.10.002"},{"key":"2022062314362174179_j_popets-2019-0031_ref_007_w2aab3b7c16b1b6b1ab1ab7Aa","unstructured":"[7] Anthony Desnos. 2011. Androguard. URL: https:\/\/github.com\/androguard\/androguard (2011)."},{"key":"2022062314362174179_j_popets-2019-0031_ref_008_w2aab3b7c16b1b6b1ab1ab8Aa","unstructured":"[8] Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, and David Wagner. 2011. Android Permissions Demystified. In Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS \u201911). New York, NY, USA, 627\u2013638. https:\/\/doi.org\/10.1145\/2046707.2046779"},{"key":"2022062314362174179_j_popets-2019-0031_ref_009_w2aab3b7c16b1b6b1ab1ab9Aa","unstructured":"[9] Adrienne Porter Felt, Elizabeth Ha, Serge Egelman, Ariel Haney, Erika Chin, and David Wagner. 2012. Android Permissions: User Attention, Comprehension, and Behavior. In Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS \u201912). ACM, New York, NY, USA, Article 3, 14 pages. https:\/\/doi.org\/10.1145\/2335356.2335360"},{"key":"2022062314362174179_j_popets-2019-0031_ref_010_w2aab3b7c16b1b6b1ab1ac10Aa","doi-asserted-by":"crossref","unstructured":"[10] Y. Fratantonio, C. Qian, S. P. Chung, and W. Lee. 2017. Cloak and Dagger: From Two Permissions to Complete Control of the UI Feedback Loop. In 2017 IEEE Symposium on Security and Privacy (SP). 1041\u20131057. https:\/\/doi.org\/10.1109\/SP.2017.39","DOI":"10.1109\/SP.2017.39"},{"key":"2022062314362174179_j_popets-2019-0031_ref_011_w2aab3b7c16b1b6b1ab1ac11Aa","doi-asserted-by":"crossref","unstructured":"[11] Alessandra Gorla, Ilaria Tavecchia, Florian Gross, and Andreas Zeller. 2014. Checking app behavior against app descriptions. In 36th International Conference on Software Engineering, ICSE \u201914, Hyderabad, India - May 31 - June 07, 2014. ACM, 1025\u20131035. 
https:\/\/doi.org\/10.1145\/2568225.2568276","DOI":"10.1145\/2568225.2568276"},{"key":"2022062314362174179_j_popets-2019-0031_ref_012_w2aab3b7c16b1b6b1ab1ac12Aa","unstructured":"[12] Nicolas Haderer, Romain Rouvoy, and Lionel Seinturier. 2013. Dynamic Deployment of Sensing Experiments in the Wild Using Smartphones. In Distributed Applications and Interoperable Systems - 13th IFIP WG 6.1 International Conference, DAIS 2013, Held as Part of the 8th International Federated Conference on Distributed Computing Techniques, DisCoTec 2013, Florence, Italy, June 3-5, 2013. Proceedings (Lecture Notes in Computer Science), Jim Dowling and Fran\u00e7ois Ta\u00efani (Eds.), Vol. 7891. Springer, 43\u201356. https:\/\/doi.org\/10.1007\/978-3-642-38541-4_4"},{"key":"2022062314362174179_j_popets-2019-0031_ref_013_w2aab3b7c16b1b6b1ab1ac13Aa","doi-asserted-by":"crossref","unstructured":"[13] Blake Ives, Kenneth R Walsh, and Helmut Schneider. 2004. The domino effect of password reuse. Commun. ACM 47, 4 (2004), 75\u201378.","DOI":"10.1145\/975817.975820"},{"key":"2022062314362174179_j_popets-2019-0031_ref_014_w2aab3b7c16b1b6b1ab1ac14Aa","doi-asserted-by":"crossref","unstructured":"[14] Yeongjin Jang, Chengyu Song, Simon P. Chung, Tielei Wang, and Wenke Lee. 2014. A11Y Attacks: Exploiting Accessibility in Operating Systems. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS \u201914). Scottsdale, Arizona, USA, 103\u2013115. https:\/\/doi.org\/10.1145\/2660267.2660295","DOI":"10.1145\/2660267.2660295"},{"key":"2022062314362174179_j_popets-2019-0031_ref_015_w2aab3b7c16b1b6b1ab1ac15Aa","doi-asserted-by":"crossref","unstructured":"[15] L. Jeter and S. Mishra. 2013. Identifying and quantifying the android device users\u2019 security risk exposure. In 2013 International Conference on Computing, Networking and Communications (ICNC). 11\u201317. 
https:\/\/doi.org\/10.1109\/ICCNC.2013.6504045","DOI":"10.1109\/ICCNC.2013.6504045"},{"key":"2022062314362174179_j_popets-2019-0031_ref_016_w2aab3b7c16b1b6b1ab1ac16Aa","doi-asserted-by":"crossref","unstructured":"[16] Jaeyeon Jung, Seungyeop Han, and David Wetherall. 2012. Short paper: enhancing mobile application permissions with runtime feedback and constraints. In Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices. ACM, 45\u201350.","DOI":"10.1145\/2381934.2381944"},{"key":"2022062314362174179_j_popets-2019-0031_ref_017_w2aab3b7c16b1b6b1ab1ac17Aa","doi-asserted-by":"crossref","unstructured":"[17] Joshua Kraunelis, Yinjie Chen, Zhen Ling, Xinwen Fu, and Wei Zhao. 2014. On Malware Leveraging the Android Accessibility Framework. Springer International Publishing, Cham, 512\u2013523. https:\/\/doi.org\/10.1007\/978-3-319-11569-6_40","DOI":"10.1007\/978-3-319-11569-6_40"},{"key":"2022062314362174179_j_popets-2019-0031_ref_018_w2aab3b7c16b1b6b1ab1ac18Aa","doi-asserted-by":"crossref","unstructured":"[18] Umme Ayda Mannan, Iftekhar Ahmed, Rana Abdullah M. Almurshed, Danny Dig, and Carlos Jensen. 2016. Understanding Code Smells in Android Applications. In Proceedings of the International Conference on Mobile Software Engineering and Systems (MOBILESoft \u201916). 225\u2013234. https:\/\/doi.org\/10.1145\/2897073.2897094","DOI":"10.1145\/2897073.2897094"},{"key":"2022062314362174179_j_popets-2019-0031_ref_019_w2aab3b7c16b1b6b1ab1ac19Aa","doi-asserted-by":"crossref","unstructured":"[19] Maia Naftali and Leah Findlater. 2014. Accessibility in Context: Understanding the Truly Mobile Experience of Smartphone Users with Motor Impairments. In Proceedings of the 16th International ACM SIGACCESS Conference on Computers & Accessibility (ASSETS \u201914). ACM, New York, NY, USA, 209\u2013216. 
https:\/\/doi.org\/10.1145\/2661334.2661372","DOI":"10.1145\/2661334.2661372"},{"key":"2022062314362174179_j_popets-2019-0031_ref_020_w2aab3b7c16b1b6b1ab1ac20Aa","doi-asserted-by":"crossref","unstructured":"[20] Duc Cuong Nguyen, Dominik Wermke, Yasemin Acar, Michael Backes, Charles Weir, and Sascha Fahl. 2017. A Stitch in Time: Supporting Android Developers in Writing Secure Code. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM, 1065\u20131077.","DOI":"10.1145\/3133956.3133977"},{"key":"2022062314362174179_j_popets-2019-0031_ref_021_w2aab3b7c16b1b6b1ab1ac21Aa","doi-asserted-by":"crossref","unstructured":"[21] F. Palomba, D. Di Nucci, A. Panichella, A. Zaidman, and A. De Lucia. 2017. Lightweight detection of Android-specific code smells: The aDoctor project. In 2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER), Vol. 00. 487\u2013491. https:\/\/doi.org\/10.1109\/SANER.2017.7884659","DOI":"10.1109\/SANER.2017.7884659"},{"key":"2022062314362174179_j_popets-2019-0031_ref_022_w2aab3b7c16b1b6b1ab1ac22Aa","doi-asserted-by":"crossref","unstructured":"[22] Renaud Pawlak, Martin Monperrus, Nicolas Petitprez, Carlos Noguera, and Lionel Seinturier. 2015. Spoon: A Library for Implementing Analyses and Transformations of Java Source Code. Software: Practice and Experience 46 (2015), 1155\u20131179. https:\/\/doi.org\/10.1002\/spe.2346","DOI":"10.1002\/spe.2346"},{"key":"2022062314362174179_j_popets-2019-0031_ref_023_w2aab3b7c16b1b6b1ab1ac23Aa","doi-asserted-by":"crossref","unstructured":"[23] Andr\u00e9 Rodrigues, Kyle Montague, Hugo Nicolau, and Tiago Guerreiro. 2015. Getting Smartphones to Talk-back: Understanding the Smartphone Adoption Process of Blind Users. In Proceedings of the 17th International ACM SIGACCESS Conference on Computers & Accessibility (ASSETS \u201915). ACM, New York, NY, USA, 23\u201332. 
https:\/\/doi.org\/10.1145\/2700648.2809842","DOI":"10.1145\/2700648.2809842"},{"key":"2022062314362174179_j_popets-2019-0031_ref_024_w2aab3b7c16b1b6b1ab1ac24Aa","unstructured":"[24] Elizabeth Stobert and Robert Biddle. 2014. The password life cycle: user behaviour in managing passwords. In Proceedings of the Tenth Symposium on Usable Privacy and Security (SOUPS \u201914). Menlo Park, CA."},{"key":"2022062314362174179_j_popets-2019-0031_ref_025_w2aab3b7c16b1b6b1ab1ac25Aa","doi-asserted-by":"crossref","unstructured":"[25] Christopher Thompson, Maritza Johnson, Serge Egelman, David Wagner, and Jennifer King. 2013. When It\u2019s Better to Ask Forgiveness Than Get Permission: Attribution Mechanisms for Smartphone Resources. In Proceedings of the Ninth Symposium on Usable Privacy and Security (SOUPS \u201913). Newcastle, United Kingdom, Article 1, 14 pages. https:\/\/doi.org\/10.1145\/2501604.2501605","DOI":"10.1145\/2501604.2501605"}],"container-title":["Proceedings on Privacy Enhancing 
Technologies"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/content.sciendo.com\/view\/journals\/popets\/2019\/2\/article-p291.xml","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.sciendo.com\/pdf\/10.2478\/popets-2019-0031","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,7,20]],"date-time":"2022-07-20T16:30:26Z","timestamp":1658334626000},"score":1,"resource":{"primary":{"URL":"https:\/\/petsymposium.org\/popets\/2019\/popets-2019-0031.php"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,4,1]]},"references-count":25,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2019,5,4]]},"published-print":{"date-parts":[[2019,4,1]]}},"alternative-id":["10.2478\/popets-2019-0031"],"URL":"https:\/\/doi.org\/10.2478\/popets-2019-0031","relation":{},"ISSN":["2299-0984"],"issn-type":[{"value":"2299-0984","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,4,1]]}}}