{"id":49991,"date":"2023-12-05T07:38:45","date_gmt":"2023-12-05T12:38:45","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=49991"},"modified":"2023-12-05T07:48:39","modified_gmt":"2023-12-05T12:48:39","slug":"android-restricted-settings","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/android-restricted-settings\/49991\/","title":{"rendered":"Restricted Settings in Android 13 and 14"},"content":{"rendered":"<p>With each new version of the Android operating system, new features are added to protect users from malware. For example, Android 13 introduced <em>Restricted Settings<\/em>. In this post, we\u2019ll discuss what this feature involves, what it\u2019s designed to protect against, and how effectively it does its job (spoiler: not very well).<\/p>\n<h2>What are Restricted Settings?<\/h2>\n<p>How do <em>Restricted Settings<\/em> operate? Imagine you\u2019re installing an application from a third-party source \u2014 that is, downloading an APK file from somewhere and initiating its installation. Let\u2019s suppose this application requires access to certain functions that Google considers particularly dangerous (and for good reason \u2014 but more on that later). In this case, the application will ask you to enable the necessary functions for it in your operating system settings.<\/p>\n<p>However, in both Android 13 and 14, this isn\u2019t possible for applications installed by users from APK files. If you go to your smartphone\u2019s settings and try to grant dangerous permissions to such an application, a window titled <em>Restricted Settings<\/em> will appear. 
It will say \u201cFor your security, this setting is currently unavailable\u201d.<\/p>\n<div id=\"attachment_49995\" style=\"width: 1078px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/12\/05071821\/android-restricted-settings-1-EN.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-49995\" class=\"size-full wp-image-49995\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/12\/05071821\/android-restricted-settings-1-EN.png\" alt=\"Restricted Settings pop-up window\" width=\"1068\" height=\"630\"><\/a><p id=\"caption-attachment-49995\" class=\"wp-caption-text\">When an application installed from third-party sources requests dangerous permissions, a window pops up with the title Restricted Settings<\/p><\/div>\n<p>So, which permissions does Google consider so hazardous that access to them is blocked for any applications not downloaded from the store? Unfortunately, Google isn\u2019t rushing to share this information. We therefore have to figure it out from independent publications for Android developers. At present, two such restrictions are known:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.esper.io\/blog\/android-13-sideloading-restriction-harder-malware-abuse-accessibility-apis\" target=\"_blank\" rel=\"nofollow noopener\">Permission to access Accessibility<\/a><\/li>\n<li><a href=\"https:\/\/www.xda-developers.com\/android-13-restricted-setting-notification-listener\/\" target=\"_blank\" rel=\"nofollow noopener\">Permission to access notifications<\/a><\/li>\n<\/ul>\n<p>It\u2019s possible that this list will change in future versions of Android. But for now it seems that these are all the permissions that Google has decided to restrict for applications downloaded from unknown sources. 
Now let\u2019s discuss why this is even necessary.<\/p>\n<h2>Why Google considers Accessibility dangerous<\/h2>\n<p>We previously talked about <em>Accessibility<\/em> in a recent post titled <a href=\"https:\/\/www.kaspersky.com\/blog\/android-most-dangerous-features\/49418\/\" target=\"_blank\" rel=\"noopener nofollow\">Top-3 most dangerous Android features<\/a>. In short, <em>Accessibility<\/em> constitutes a set of Android features designed to assist people with severe visual impairments.<\/p>\n<p>The initial idea was that <em>Accessibility<\/em> would enable applications to act as mediators between the visual interface of the operating system and individuals unable to use this interface but capable of issuing commands and receiving information through alternative means \u2014 typically by voice. Thus, <em>Accessibility<\/em> serves as a guide dog in the virtual space.<\/p>\n<p>An application using <em>Accessibility<\/em> can see everything happening on the Android device\u2019s screen, and perform any action on the user\u2019s behalf \u2014 pressing buttons, inputting data, changing settings, and more.<\/p>\n<p>This is precisely why the creators of malicious Android applications are so fond of <em>Accessibility<\/em>. This set of functions enables them to do a great deal of harm: spy on correspondence, snoop on passwords, steal financial information, intercept one-time transaction confirmation codes, and so on. Moreover, <em>Accessibility<\/em> allows malware to perform user actions within other applications. For example, it can make a transfer in a banking app and confirm the transaction using the one-time code from a text message.<\/p>\n<p>This is why Google deems the permission to access <em>Accessibility<\/em> particularly perilous \u2014 and rightly so. For apps available on Google Play, use of these functions is subject to careful scrutiny by moderators.
As for programs downloaded from unknown sources, Android developers have attempted to <a href=\"https:\/\/www.xda-developers.com\/android-13-google-malware-crackdown-accessibility-api\/\" target=\"_blank\" rel=\"nofollow noopener\">completely disable access to this set of functions<\/a>.<\/p>\n<h2>Why Google restricts access to notifications<\/h2>\n<p>We\u2019ve covered <em>Accessibility<\/em>, so now let\u2019s talk about what\u2019s wrong with applications accessing notifications (in Android, this function is called <em>Notification Listener<\/em>). The danger lies in the fact that notifications may contain a lot of personal information about the user.<\/p>\n<p>For example, with access to all notifications, a malicious app can read almost all of the user\u2019s incoming correspondence. In particular, it can intercept messages containing one-time codes for confirming bank transactions, logging in to various services (such as messengers), changing passwords, and so on.<\/p>\n<p>Here, two serious threats arise. Firstly, an app with access to <em>Notification Listener<\/em> has a simple and convenient way to monitor the user \u2014 very useful for spyware.<\/p>\n<p>Secondly, a malicious app can use the information obtained from notifications to hijack user accounts. And all this without any extra tricks, complex technical gimmicks, or expensive vulnerabilities \u2014 just exploiting Android\u2019s built-in capabilities.<\/p>\n<p>It\u2019s not surprising that Google considers access to notifications no less dangerous than access to <em>Accessibility<\/em>, and attempts to restrict it for programs downloaded from outside the app stores.<\/p>\n<h2>How Android malware bypasses Restricted Settings<\/h2>\n<p>In both Android 13 and 14, the mechanism to protect against the use of dangerous functions by malicious apps downloaded from unknown sources operates as follows. App stores typically use the so-called session-based installation method. 
Apps installed using this method are considered safe by the system, no restrictions are placed on them, and users can grant these apps access to <em>Accessibility<\/em> and <em>Notification Listener<\/em>.<\/p>\n<p>However, if an app is installed without using the session-based method \u2014 which is very likely to happen when a user manually downloads an APK \u2014 it\u2019s deemed unsafe, and the <em>Restricted Settings<\/em> function is enabled for it.<\/p>\n<p>Hence the bypass mechanism: even if a malicious app downloaded from an untrusted source cannot access <em>Accessibility<\/em> or notifications, it can use the session-based method to install another malicious app! It will be considered safe, and access restrictions won\u2019t be activated.<\/p>\n<p>We\u2019re not talking theory here \u2013 this is a real problem: malware developers have already learned to <a href=\"https:\/\/www.threatfabric.com\/blogs\/droppers-bypassing-android-13-restrictions\" target=\"_blank\" rel=\"nofollow noopener\">bypass the <em>Restricted Settings<\/em> mechanism<\/a> in the latest versions of their creations. Therefore, the restrictions in Android 13 and 14 will only combat malware that\u2019s old \u2014 not protect against new malware.<\/p>\n<blockquote>\n<h4>How to disable Restricted Settings when installing an app from third-party sources<\/h4>\n<p>Even though it\u2019s not safe, sometimes a user might need to grant access to <em>Accessibility<\/em> or <em>Notification Listener<\/em> to an app downloaded from outside the store. 
We recommend extreme caution in this case, and strongly advise scanning such an application with a <a href=\"https:\/\/www.kaspersky.com\/mobile-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_wpplaceholder_sm-team___kisa____da04049114cf37d2\" target=\"_blank\" rel=\"noopener nofollow\">reliable antivirus<\/a> before installing it.<\/p>\n<p>To disable the restrictions:<\/p>\n<ul>\n<li>Open your smartphone settings<\/li>\n<li>Go to the <em>Apps<\/em> section<\/li>\n<li>Select the app you want to remove access restrictions for<\/li>\n<li>In the upper right corner, tap on the three dots icon<\/li>\n<li>Select <em>Allow restricted settings<\/em><\/li>\n<\/ul>\n<p>That\u2019s it! Now, the menu option that lets you grant the app the necessary permissions will become active.\n<\/p><\/blockquote>\n<h2>How to protect your Android smartphone<\/h2>\n<p>Since you can\u2019t rely on <em>Restricted Settings<\/em>, you\u2019ll have to use other methods to protect yourself from malware that abuses access to <em>Accessibility<\/em> or notifications:<\/p>\n<ul>\n<li>Be wary of any apps requesting access to these features \u2014 we\u2019ve discussed above why this is very dangerous<\/li>\n<li>Try to install applications from official stores. 
Sometimes malware <a href=\"https:\/\/www.kaspersky.com\/blog\/malware-in-google-play-2023\/49579\/\" target=\"_blank\" rel=\"noopener nofollow\">can still be found<\/a> in them, but the risk is much lower than the chance of picking up trojans from obscure sites on the internet<\/li>\n<li>If you really have to install an app from an unreliable source, remember to <a href=\"https:\/\/www.kaspersky.com\/blog\/unknown-apps-android\/41656\/\" target=\"_blank\" rel=\"noopener nofollow\">disable<\/a> the permission to install unknown apps immediately after installation<\/li>\n<li>Scan all applications you install with a <a href=\"https:\/\/www.kaspersky.com\/mobile-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_wpplaceholder_sm-team___kisa____da04049114cf37d2\" target=\"_blank\" rel=\"noopener nofollow\">reliable mobile antivirus<\/a>.<\/li>\n<li>If you\u2019re using the free version of our protection tool, remember to do this manually before launching each new application. In the paid version of <a href=\"https:\/\/www.kaspersky.com\/mobile-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_wpplaceholder_sm-team___kisa____da04049114cf37d2\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky for Android<\/a>, this scan runs automatically.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Android 13 and 14 have a feature called Restricted Settings.
We explain its purpose, and how malicious applications bypass it.<\/p>\n","protected":false},"author":2726,"featured_media":49992,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683,9],"tags":[105,1917,423,97,835,45,422,131],"class_list":{"0":"post-49991","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"category-tips","9":"tag-android","10":"tag-app-permissions","11":"tag-mobile-devices","12":"tag-security-2","13":"tag-settings","14":"tag-smartphones","15":"tag-threats","16":"tag-tips"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/android-restricted-settings\/49991\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/android-restricted-settings\/26735\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/android-restricted-settings\/22149\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/android-restricted-settings\/11298\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/android-restricted-settings\/29485\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/android-restricted-settings\/27003\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/android-restricted-settings\/26922\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/android-restricted-settings\/29495\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/android-restricted-settings\/28321\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/android-restricted-settings\/36670\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/android-restricted-settings\/11939\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/android-restricted-settings\/21336\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/android-restricted-settings\/22106\/"},{"hr
eflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/android-restricted-settings\/30767\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/android-restricted-settings\/35422\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/android-restricted-settings\/27263\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/android-restricted-settings\/33019\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/android-restricted-settings\/32642\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/android\/","name":"Android"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/49991","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=49991"}],"version-history":[{"count":5,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/49991\/revisions"}],"predecessor-version":[{"id":49998,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/49991\/revisions\/49998"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/49992"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=49991"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=49991"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=49991"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}