Android 13 introduced a new security measure called “Restricted Settings”. The measure is meant to limit access to notification settings and accessibility settings, due to numerous malware abusing those to gain [more or less] total access to your smartphone.
However, the security measure is only triggered for “third-party” applications. There is no Restricted Settings:
- When the application is downloaded from a trusted marketplace (e.g. Play Store), or more precisely when the application is installed using a session-based package installer. This may be an issue, but it’s not the topic of this blog post.
- When the application is installed using
adb install
. This is the case we are going to discuss in this blog post.
Let’s suppose you are a hacker, have an APK which requests Accessibility access and want to test the Restricted Settings on an Android 13+ emulator.
If you install your application on the emulator with adb install myapp.apk
, the Restricted Settings security measure won’t occur because you’re in the adb install
case. You can’t (and possibly don’t want to) upload your myapp.apk
to an untrusted marketplace just for a test.
So, how can you do it? Simply create a quick HTTP server to serve your APK and download it on your emulator from that place.
Quick HTTP server to serve an APK
Python is a good solution to create quick HTTP servers. python3 -m http.server
works straight away, but we need to have it serve our APK.
import http.server
import socketserver
# Set the port number
PORT = 8000
# Set the file to serve
FILE_TO_SERVE = 'myapp.apk'
class CustomHandler(http.server.SimpleHTTPRequestHandler):
def do_GET(self):
self.path = FILE_TO_SERVE
return http.server.SimpleHTTPRequestHandler.do_GET(self)
with socketserver.TCPServer(("", PORT), CustomHandler) as httpd:
print("Server started at port", PORT)
httpd.serve_forever()
Then, run the server on your host:
$ python3 serve.py
Server started at port 8000
Download the APK in the Android Emulator
In the Android Emulator, open a browser and go to http://10.0.2.2:8000 (10.0.2.2 is a loopback interface address that the emulator maps to the localhost of the host machine). The APK will automatically download.
Install the APK
Click on the APK to install it. Depending on the configuration of your Android emulator, it may complain you are trying to install from an “unknown” source: allow that and download the application.
Your APK is installed 😄
Test Accessibility
Go to Settings > Accessibility. You will now see your APK in a grayed “Downloaded apps” section (of course, this only works if you APK was indeed asking for Accessibility!). The fact is is grayed means that Restricted Settings worked.
If you click on the app nevertheless, a pop-up shows saying the setting is restricted.
If, now, you decide to allow restricted settings (warning! warning! if you’re an end-user with no disabilities, you probably should NOT do this, the “app” requesting this is likely to be malicious!), the “Learn more” page tells you how to do it.
Final warning: some malware are able to bypass the restricted settings.
— Cryptax