Conversation

Contributor

Copilot AI commented Jan 31, 2026

Android 16 introduces accessibilityDataSensitive, allowing developers to mark sensitive UI views to prevent malicious accessibility services from reading or interacting with them unless they declare isAccessibilityTool="true". Views with filterTouchesWhenObscured="true" automatically inherit this protection.

Changes

Knowledge (MASTG-KNOW-0108)

  • Documents the feature mechanism, configuration (XML/programmatic), and platform enforcement
  • Explains automatic enablement via filterTouchesWhenObscured for backward compatibility

Best Practice (MASTG-BEST-0029)

  • Guidance on marking sensitive views (login, payment, PII forms)
  • Implementation examples and accessibility tool considerations

Tests

  • MASTG-TEST-0321 (static): Detects accessibilityDataSensitive and filterTouchesWhenObscured in layouts and code
  • MASTG-TEST-0322 (dynamic): Runtime verification via Frida hooks on getAccessibilityDataSensitive()

Demo (MASTG-DEMO-0083)

  • Sample layouts with protected/unprotected views
  • Semgrep rules detecting 7 patterns (XML attributes, programmatic APIs, missing protection on sensitive fields)
  • Working output showing detection of both explicit and implicit protection

Example Usage

<!-- Explicit protection -->
<EditText
    android:id="@+id/passwordField"
    android:inputType="textPassword"
    android:accessibilityDataSensitive="true" />

<!-- Implicit protection (automatic on Android 16+) -->
<Button
    android:id="@+id/confirmPayment"
    android:filterTouchesWhenObscured="true" />

All content linked to MASWE-0055 and follows MASTG conventions.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • semgrep.dev
    • Triggering command: /home/REDACTED/.local/bin/pysemgrep osemgrep --config ../../../../rules/mastg-android-accessibility-data-sensitive.yaml activity_login.xml --text MASWE-0069 0.md rep MASWE-0069 (dns block)
    • Triggering command: /home/REDACTED/.local/bin/pysemgrep osemgrep --config ../../../../rules/mastg-android-accessibility-data-sensitive.yaml MastgTest.kt --text MASWE-0069 2.md p/bin/grep MASWE-0069 (dns block)
    • Triggering command: /home/REDACTED/.local/bin/pysemgrep osemgrep --config ../../../../rules/mastg-android-accessibility-data-sensitive.yaml activity_login.xml --text MASWE-0069 4.md ndor/bin/grep MASWE-0069 (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>Create new MASTG Test, Best Practice and Demo for marking UI views in the app as containing sensitive data</issue_title>
<issue_description>Android 16 provides a new, powerful defense in a single line of code: accessibilityDataSensitive. This flag lets you explicitly mark views in your app as containing sensitive data and block malicious apps from seeing or performing interactions on it. If you already use setFilterTouchesWhenObscured(true) to protect your app from tapjacking, your views are automatically treated as sensitive data for accessibility for an instant additional layer of defense with no extra work.

Android 16 and accessibilityDataSensitive: Starting with Android 16 (API level 16) and higher, developers can use the accessibilityDataSensitive flag to further protect sensitive data from malicious accessibility services that are not legitimate accessibility tools. When this flag is set on sensitive views (e.g., login screens, transaction confirmation screens), it restricts apps with accessibility permission from reading or interacting with the sensitive data unless they are declared as an isA11yTool=true in their manifest. This provides a more robust, system-level protection against eavesdropping and click injection attacks that are characteristic of partial occlusion scenarios. Developers can often implicitly enable accessibilityDataSensitive by specifying android:filterTouchesWhenObscured="true" in their layout files.

More info:

https://android-developers.googleblog.com/2025/12/enhancing-android-security-stop-malware.html

https://developer.android.com/privacy-and-security/risks/tapjacking#mitigations</issue_description>

Comments on the Issue (you are @copilot in this section)

@cpholguera: Sounds great, thank you!

@cpholguera: @hharshhsaini you can, but please carefully read the contribution guidelines:

https://mas.owasp.org/contributing/#what-not-to-do

And consider the previously closed PR.
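An added static check in the spirit of MASTG-TEST-0321 (example code written for this page, not the PR's semgrep rule or any MASTG file): it walks an Android layout with the standard library's XML parser, flags views that look sensitive (a password-style inputType, or an id hinting at credentials or payment data, a heuristic chosen here), and reports whether each one is protected explicitly, implicitly via filterTouchesWhenObscured (automatic only on Android 16, API level 36, so reported as partial when the app's minSdk is lower), opted out with accessibilityDataSensitive="false", or not marked at all. The sample layout and the minSdk values are constructed for the example, and treating an explicit "false" as overriding the implicit rule is an assumption rather than something the page states.

```python
"""Static check for Android layout XML: find views that carry sensitive data
and report whether android:accessibilityDataSensitive protects them, either
explicitly or implicitly via android:filterTouchesWhenObscured.
Added example for illustration; not the MASTG semgrep rule."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Heuristics (assumption, tune per app): password-style inputTypes and ids
# that hint at credentials or payment data count as sensitive.
SENSITIVE_INPUT_TYPES = {"textPassword", "textWebPassword",
                         "numberPassword", "textVisiblePassword"}
SENSITIVE_ID_RE = re.compile(r"passw|pin|otp|cvv|card|iban|secret|token|pay",
                             re.I)


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_sensitive(elem):
    input_types = set((_attr(elem, "inputType") or "").split("|"))
    if input_types & SENSITIVE_INPUT_TYPES:
        return True
    return bool(SENSITIVE_ID_RE.search(_attr(elem, "id") or ""))


def protection(elem):
    """Classify one view: 'explicit', 'implicit', 'disabled' or 'none'."""
    ads = _attr(elem, "accessibilityDataSensitive")
    if ads == "true":
        return "explicit"
    if ads == "false":
        # Assumption: an explicit "false" opts the view out, so the implicit
        # rule below only applies to views left on the default setting.
        return "disabled"
    if _attr(elem, "filterTouchesWhenObscured") == "true":
        return "implicit"  # inherited automatically on Android 16+ only
    return "none"


def scan_layout(xml_text, min_sdk):
    """Return one finding per sensitive view: (id, tag, protection, verdict).

    verdict: 'ok'      - protected on every supported API level
             'partial' - implicit only, so unprotected below Android 16 (API 36)
             'missing' - not marked, or accessibilityDataSensitive="false"
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if not is_sensitive(elem):
            continue
        level = protection(elem)
        view_id = (_attr(elem, "id") or "").replace("@+id/", "")
        if level == "explicit":
            verdict = "ok"
        elif level == "implicit":
            verdict = "ok" if min_sdk >= 36 else "partial"
        else:
            verdict = "missing"
        findings.append((view_id, elem.tag, level, verdict))
    return findings


# Constructed sample layout (not from any real app) covering each case.
SAMPLE_LAYOUT = """<LinearLayout
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:orientation="vertical">
    <EditText android:id="@+id/passwordField"
        android:inputType="textPassword"
        android:accessibilityDataSensitive="true" />
    <Button android:id="@+id/confirmPayment"
        android:filterTouchesWhenObscured="true" />
    <EditText android:id="@+id/cardCvv"
        android:inputType="number" />
    <EditText android:id="@+id/pinEntry"
        android:inputType="numberPassword"
        android:accessibilityDataSensitive="false"
        android:filterTouchesWhenObscured="true" />
    <EditText android:id="@+id/username"
        android:inputType="text" />
</LinearLayout>"""


if __name__ == "__main__":
    for min_sdk in (34, 36):
        print("minSdk", min_sdk)
        for view_id, tag, level, verdict in scan_layout(SAMPLE_LAYOUT, min_sdk):
            print("  %-16s %-9s %-9s %s" % (view_id, tag, level, verdict))
```

Run it against the real layout files of the app under test by reading each `res/layout/*.xml` into `scan_layout`; a `partial` verdict is the case to watch for when the app still ships to devices below Android 16, since there the button relies on tapjacking protection alone.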


- Created Knowledge page MASTG-KNOW-0108 for accessibilityDataSensitive
- Created Best Practice MASTG-BEST-0029 for marking UI views as sensitive
- Created Test MASTG-TEST-0321 for static detection
- Created Test MASTG-TEST-0322 for dynamic verification
- Created Demo MASTG-DEMO-0083 demonstrating detection with semgrep
- Created semgrep rule for static analysis

Co-authored-by: cpholguera <[email protected]>
Copilot AI changed the title [WIP] Add new MASTG test for marking sensitive data in UI views Add MASTG content for Android 16 accessibilityDataSensitive protection Jan 31, 2026
Copilot AI requested a review from cpholguera January 31, 2026 22:59

Development

Successfully merging this pull request may close these issues.

Create new MASTG Test, Best Practice and Demo for marking UI views in the app as containing sensitive data