Testing Restricted Settings of Android 13 on an emulator

@cryptax
3 min readApr 4, 2024

--

Android 13 introduced a new security measure called “Restricted Settings”. The measure is meant to limit access to notification settings and accessibility settings, due to numerous malware abusing those to gain [more or less] total access to your smartphone.

However, the security measure is only triggered for “third-party” applications. There is no Restricted Settings:

  • When the application is downloaded from a trusted marketplace (e.g. Play Store), or more precisely when the application is installed using a session-based package installer. This may be an issue, but it’s not the topic of this blog post.
  • When the application is installed using adb install. This is the case we are going to discuss in this blog post.

Let’s suppose you are a hacker, have an APK which requests Accessibility access and want to test the Restricted Settings on an Android 13+ emulator.

If you install your application on the emulator with adb install myapp.apk, the Restricted Settings security measure won’t occur because you’re in the adb install case. You can’t (and possibly don’t want to) upload your myapp.apk to an untrusted marketplace just for a test.

So, how can you do it? Simply create a quick HTTP server to serve your APK and download it on your emulator from that place.

Quick HTTP server to serve an APK

Python is a good solution to create quick HTTP servers. python3 -m http.server works straight away, but we need to have it serve our APK.

import http.server
import socketserver
# Set the port number
PORT = 8000
# Set the file to serve
FILE_TO_SERVE = 'myapp.apk'

class CustomHandler(http.server.SimpleHTTPRequestHandler):
def do_GET(self):
self.path = FILE_TO_SERVE
return http.server.SimpleHTTPRequestHandler.do_GET(self)

with socketserver.TCPServer(("", PORT), CustomHandler) as httpd:
print("Server started at port", PORT)
httpd.serve_forever()

Then, run the server on your host:

$ python3 serve.py 
Server started at port 8000

Download the APK in the Android Emulator

In the Android Emulator, open a browser and go to http://10.0.2.2:8000 (10.0.2.2 is a loopback interface address that the emulator maps to the localhost of the host machine). The APK will automatically download.

Install the APK

Click on the APK to install it. Depending on the configuration of your Android emulator, it may complain you are trying to install from an “unknown” source: allow that and download the application.

Your APK is installed 😄

Test Accessibility

Go to Settings > Accessibility. You will now see your APK in a grayed “Downloaded apps” section (of course, this only works if you APK was indeed asking for Accessibility!). The fact is is grayed means that Restricted Settings worked.

The (fake) “Chrome” application uses Accessibility. I installed it on the emulator using a custom HTTP server. This untrusted install triggers the Restricted Settings security measure, which grays “Downloaded apps”.

If you click on the app nevertheless, a pop-up shows saying the setting is restricted.

Security measure is operational.

If, now, you decide to allow restricted settings (warning! warning! if you’re an end-user with no disabilities, you probably should NOT do this, the “app” requesting this is likely to be malicious!), the “Learn more” page tells you how to do it.

Final warning: some malware are able to bypass the restricted settings.

— Cryptax

--

--

@cryptax
@cryptax

Written by @cryptax

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.

No responses yet