Security is foundational to Android. We partner with you to keep the platform safe and protect user data by offering powerful security tools and features, like Credential Manager and FLAG_SECURE. Every Android release brings performance and security enhancements, and with Android 16, you can take simple, significant steps to strengthen your app’s defenses. Check out our video or continue reading to learn more about our enhanced protections for accessibility APIs.
Protect your app from snooping with a single line of code
The accessibilityDataSensitive flag allows you to explicitly mark a view or composable as containing sensitive data. When you set this flag to true on your app, you are essentially blocking potentially malicious apps from accessing your sensitive view data or performing interactions on it. Here is how it works: any app requesting accessibility permission that hasn’t explicitly declared itself as a legitimate accessibility tool (isAccessibilityTool=true) is denied access to that view.
This simple but effective change helps to prevent malware from stealing information and performing unauthorized actions, all without impacting users’ experience of legitimate accessibility tools. Note: If an app is not an accessibility tool but requests accessibility permissions and sets isAccessibilityTool=true, Play will reject it and Google Play Protect will block it on user devices.
Automatic, enhanced security for setFilterTouchesWhenObscured protection
We’ve already integrated this new accessibilityDataSensitive security functionality with the existing setFilterTouchesWhenObscured method.
If you already use setFilterTouchesWhenObscured(true) to protect your app from tapjacking, your views are automatically treated as sensitive data for accessibility. By enhancing the setFilterTouchesWhenObscured method with accessibilityDataSensitive protections, we’re instantly giving everyone an additional layer of defense with no extra work.
Getting started
We recommend that you use setFilterTouchesWhenObscured, or alternatively the accessibilityDataSensitive flag, on any screen that contains sensitive information, including login pages, payment flows, and any view displaying personal or financial data.
For Jetpack Compose
For View-based apps
In your XML layout, add the relevant attribute to the sensitive view.
Alternatively, you can set the property programmatically in Java or Kotlin:
Read more about the accessibilityDataSensitive and setFilterTouchesWhenObscured flags in the Tapjacking guide.
Partnering with developers to keep users safe
We worked with developers early to ensure this feature meets real-world needs and integrates smoothly into your workflow.
“We’ve always prioritized protecting our customers’ sensitive financial data, which required us to build our own protection layer against accessibility-based malware. Revolut strongly supports the introduction of this new, official Android API, as it allows us to gradually move away from our custom code in favor of a robust, single-line platform defense.”
– Vladimir Kozhevnikov, Android Engineer at Revolut
Together, we can build a more secure and trustworthy experience for everyone.
