Addition of Test Case for Accessibility Services abuse #675
SirionRazzer
started this conversation in
Big MASVS Refactoring
Replies: 1 comment
Thank you very much @SirionRazzer, we'll consider your proposal for inclusion in the upcoming Release Candidate 👍
Hi everyone,
I suggest adding an extra test case to detect other apps obtaining sensitive data from the app's UI through Accessibility Services.
While testing for Accessibility abuse is addressed in MSTG-PLATFORM-9 (https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05h-testing-platform-interaction#testing-for-overlay-attacks-mstg-platform-9), it is currently not mentioned in the upcoming MASVS-PLATFORM-4 (https://docs.google.com/spreadsheets/d/1gRQAp2s6KYQA8KUDZpcEammMMCjxu3wVIQkAGO8ca2Q/edit#gid=0). An adversary can use this attack for impersonation or for stealing sensitive data. The app should be able to detect untrustworthy third-party apps and react appropriately to protect the user.
The following test case could mitigate this vulnerability:
1. Install some app that can read screen content.
2. In the target app, navigate to sensitive screens or try to input some text (passwords, messages, cash amounts).
3. Check the log in the testing app to see that it didn't capture any sensitive data.
Alternatively, the target app can warn the user about interference from untrustworthy apps and hide views with sensitive data or lock access to sensitive operations.
A possible improvement for this test case could be the addition of an allowlist of trustworthy apps. The list could potentially be expanded by the community, with only the apps with the highest trustworthiness disclosed.
Example:
com.google.android.marvin.talkback
com.google.android.apps.accessibility.reveal
com.google.android.apps.translate
com.microsoft.office.officelens
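One way an app could implement the detect-and-react behaviour proposed in the post above, as an added Kotlin example that is not part of the MASVS/MSTG project or of the proposal itself. It enumerates the enabled accessibility services, keeps those that declare the capability to retrieve window content, flags any whose package is not on the allowlist (the allowlist entries are the four packages listed in the post; the package name `com.example.a11ycheck`, the function names and the `A11yFinding` type are this example's own), and hides a sensitive view from accessibility services on the platform APIs that support it:

```kotlin
// Added example, not code from the MASVS/MSTG project. Package name is hypothetical.
package com.example.a11ycheck

import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.os.Build
import android.view.View
import android.view.accessibility.AccessibilityManager

// Allowlist of trusted accessibility packages, taken from the proposal above.
// Assumption: an app would ship its own list and keep it up to date.
val TRUSTED_A11Y_PACKAGES: Set<String> = setOf(
    "com.google.android.marvin.talkback",
    "com.google.android.apps.accessibility.reveal",
    "com.google.android.apps.translate",
    "com.microsoft.office.officelens",
)

/** One enabled accessibility service and whether it can read window content. */
data class A11yFinding(
    val packageName: String,
    val serviceName: String,
    val canRetrieveWindowContent: Boolean,
)

/**
 * Returns every enabled accessibility service that (a) declares the capability to
 * retrieve window content, i.e. can read text from this app's UI, and (b) is not on
 * the allowlist. An empty list means no untrusted content reader is active.
 */
fun untrustedContentReaders(
    context: Context,
    allowlist: Set<String> = TRUSTED_A11Y_PACKAGES,
): List<A11yFinding> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    if (!am.isEnabled) return emptyList()

    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .mapNotNull { info ->
            val service = info.resolveInfo?.serviceInfo ?: return@mapNotNull null
            val canRead = (info.capabilities and
                AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0
            A11yFinding(service.packageName, service.name, canRead)
        }
        .filter { it.canRetrieveWindowContent && it.packageName !in allowlist }
}

/**
 * Hides a view holding sensitive data (password field, balance, message body) from
 * accessibility services. On Android 14+ only services that declare themselves as
 * accessibility tools still see the view; on older platforms the view is removed
 * from the accessibility tree entirely, which also hides it from screen readers.
 */
fun protectSensitiveView(view: View) {
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
        view.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES)
    } else {
        view.importantForAccessibility = View.IMPORTANT_FOR_ACCESSIBILITY_NO
    }
}

/**
 * Policy hook for the "lock access to sensitive operations" reaction: runs [proceed]
 * when no untrusted content reader is enabled, otherwise hands the findings to
 * [onBlocked] so the UI can warn the user and name the offending package(s).
 */
fun gateSensitiveOperation(
    context: Context,
    onBlocked: (List<A11yFinding>) -> Unit,
    proceed: () -> Unit,
) {
    val findings = untrustedContentReaders(context)
    if (findings.isEmpty()) proceed() else onBlocked(findings)
}
```

Two caveats a tester should keep in mind. `IMPORTANT_FOR_ACCESSIBILITY_NO` also hides the view from legitimate screen readers such as TalkBack, so on pre-14 devices the allowlist check and the view hiding are a trade-off between accessibility and confidentiality, not a free fix; the Android 14 `setAccessibilityDataSensitive` path is preferable where available. And the allowlist is only as good as its package-name match: a package name is not an identity, so a stricter implementation would also pin the signing certificate of each allowlisted package. For the manual test steps in the post, the same information the app reads through `AccessibilityManager` can be inspected from the host with `adb shell settings get secure enabled_accessibility_services`, which lists the enabled services as colon-separated `package/service` pairs.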