CCS2025

Lock the Door But Keep the Window Open: Extracting App-Protected Accessibility Information from Browser-Rendered Websites

Haichuan Xu, Runze Zhang, Mingxuan Yao, David Oygenblik, Yizhi Huang, Jeman Park, Brendan Saltaformaggio

Abstract

The Android accessibility (a11y) service has been widely utilized by malware to abuse benign services. To prevent such abuse, developers need to secure a11y content access in both their apps and mobile websites. However, a misalignment of a11y protection mechanisms exists between them. Prior research has focused on attacking and defending a11y information embedded in native Android apps. However, our research found that a11y malware can retrieve app-protected a11y information from its mobile browser-rendered website counterpart, leaving mobile browser users more vulnerable to a11y attacks than app users. To help benign service developers vet this attack surface, we developed SOMBRA, an automated analysis pipeline to vet browser-side leakage of a11y information that is a11y-protected in apps. Using SOMBRA, we analyzed 294 benign services and found that 29 of them deploy app-side a11y protection mechanisms to secure 256 views. SOMBRA discovered that 241, 402, 244, and 251 elements corresponding to these protected app-side views are a11y-exposed in the websites rendered by the Chrome, Firefox, Brave, and Edge browsers, respectively. The leaked elements contain sensitive personally identifiable information. Finally, SOMBRA discovered that most developers do not adopt browser-side a11y protections because existing mechanisms either offer ineffective protection or hinder the usability of their content.