Android Developers Blog

11 December 2025

Enhancing Android security: Stop malware from snooping on your app data


Posted by Bennet Manuel, Product Management, Android App Safety and Rob Clifford, Developer Relations




Security is foundational to Android. We partner with you to keep the platform safe and protect user data by offering powerful security tools and features, like Credential Manager and FLAG_SECURE. Every Android release brings performance and security enhancements, and with Android 16, you can take simple, significant steps to strengthen your app’s defenses. Check out our video or continue reading to learn more about our enhanced protections for accessibility APIs.



Protect your app from snooping with a single line of code

We’ve seen that bad actors sometimes try to exploit accessibility API features to read sensitive information, like passwords and financial details, directly from the screen and manipulate a user's device by injecting touches. To combat this, Android 16 provides a new, powerful defense in a single line of code: accessibilityDataSensitive.

The accessibilityDataSensitive flag allows you to explicitly mark a view or composable as containing sensitive data. When you set this flag to true on a view in your app, you are essentially blocking potentially malicious apps from accessing that view's sensitive data or performing interactions on it. Here is how it works: any app requesting accessibility permission that hasn't explicitly declared itself as a legitimate accessibility tool (isAccessibilityTool=true) is denied access to that view.

This simple but effective change helps to prevent malware from stealing information and performing unauthorized actions, all without impacting users’ experience of legitimate accessibility tools. Note: If an app is not an accessibility tool but requests accessibility permissions and sets isAccessibilityTool=true, Play will reject it and Google Play Protect will block it on user devices. 

Automatic, enhanced security for setFilterTouchesWhenObscured protection

We’ve already integrated this new accessibilityDataSensitive security functionality with the existing setFilterTouchesWhenObscured method. 

If you already use setFilterTouchesWhenObscured(true) to protect your app from tapjacking, your views are automatically treated as sensitive data for accessibility. By enhancing the setFilterTouchesWhenObscured method with accessibilityDataSensitive protections, we’re instantly giving everyone an additional layer of defense with no extra work.

Getting started

We recommend that you use setFilterTouchesWhenObscured, or alternatively the accessibilityDataSensitive flag, on any screen that contains sensitive information, including login pages, payment flows, and any view displaying personal or financial data.

For Jetpack Compose

setFilterTouchesWhenObscured:

    // Inside a @Composable function: filter obscured touches on the hosting
    // view while this composable is in the composition, and reset on dispose.
    val composeView = LocalView.current
    DisposableEffect(Unit) {
        composeView.filterTouchesWhenObscured = true
        onDispose {
            composeView.filterTouchesWhenObscured = false
        }
    }

accessibilityDataSensitive: Use the semantics modifier to apply the sensitiveData property to a composable.

    BasicText(
        text = "Your password",
        modifier = Modifier.semantics {
            sensitiveData = true
        }
    )




For View-based apps

In your XML layout, add the relevant attribute to the sensitive view.

setFilterTouchesWhenObscured:

    <TextView android:filterTouchesWhenObscured="true" />

accessibilityDataSensitive:

    <!-- Enum attribute: auto | yes | no -->
    <TextView android:accessibilityDataSensitive="yes" />



Alternatively, you can set the property programmatically in Java or Kotlin:

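setFilterTouchesWhenObscured:

    // Kotlin
    myView.filterTouchesWhenObscured = true

    // Java
    myView.setFilterTouchesWhenObscured(true);

accessibilityDataSensitive:

    // The setter takes one of the View.ACCESSIBILITY_DATA_SENSITIVE_* int
    // constants, not a boolean.

    // Kotlin
    myView.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES)

    // Java
    myView.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES);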



Read more about the accessibilityDataSensitive and setFilterTouchesWhenObscured flags in the Tapjacking guide.
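A build-time check for the recommendation in this section, as an added example that is not code from the original post: it scans a layout XML for password and payment fields that set neither filterTouchesWhenObscured nor accessibilityDataSensitive. The sensitivity heuristics (inputType and autofillHints values), the sample layout, and the assumption that a protected ancestor covers its descendants are choices of this example.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Heuristics for "sensitive" (an assumption of this example; extend for your app).
PASSWORD_INPUT_TYPES = {"textPassword", "textVisiblePassword",
                        "textWebPassword", "numberPassword"}
SENSITIVE_AUTOFILL_HINTS = {"password", "creditCardNumber", "creditCardSecurityCode"}

def is_protected(view):
    # accessibilityDataSensitive is an enum attribute: auto | yes | no.
    return (view.get(A + "filterTouchesWhenObscured") == "true"
            or view.get(A + "accessibilityDataSensitive") == "yes")

def is_sensitive(view):
    input_types = set(view.get(A + "inputType", "").split("|"))
    hints = {h.strip() for h in view.get(A + "autofillHints", "").split(",")}
    return bool(input_types & PASSWORD_INPUT_TYPES or hints & SENSITIVE_AUTOFILL_HINTS)

def audit_layout(xml_text):
    """Return ids (or tag names) of sensitive views that no flag covers."""
    findings = []

    def walk(view, covered):
        # Assumption: a flag set on an ancestor also covers its descendants.
        covered = covered or is_protected(view)
        if is_sensitive(view) and not covered:
            findings.append(view.get(A + "id", view.tag))
        for child in view:
            walk(child, covered)

    walk(ET.fromstring(xml_text), False)
    return findings

# Constructed sample layout, not taken from any real app.
SAMPLE_LAYOUT = """<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android">
    <EditText android:id="@+id/username" android:inputType="textEmailAddress" />
    <EditText android:id="@+id/password" android:inputType="textPassword" />
    <LinearLayout android:filterTouchesWhenObscured="true">
        <EditText android:id="@+id/pin" android:inputType="numberPassword" />
    </LinearLayout>
    <EditText android:id="@+id/card" android:autofillHints="creditCardNumber" />
    <EditText android:id="@+id/cvc" android:autofillHints="creditCardSecurityCode"
        android:accessibilityDataSensitive="yes" />
</LinearLayout>
"""

if __name__ == "__main__":
    print("unprotected sensitive views:", audit_layout(SAMPLE_LAYOUT))
```

Run over every file under res/layout in CI, a non-empty result is a reason to fail the build or request review.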



Partnering with developers to keep users safe

We worked with developers early to ensure this feature meets real-world needs and integrates smoothly into your workflow.

 "We've always prioritized protecting our customers' sensitive financial data, which required us to build our own protection layer against accessibility-based malware. Revolut strongly supports the introduction of this new, official Android API, as it allows us to gradually move away from our custom code in favor of a robust, single-line platform defense."

- Vladimir Kozhevnikov, Android Engineer at Revolut


You can play a crucial role in protecting your users from malicious accessibility-based attacks by adopting these features. We encourage all developers to integrate these features into their apps to help keep users safe.

Together, we can build a more secure and trustworthy experience for everyone.