FLAG_SECURE and Android O Autofill

Android O's autofill feature offers some interesting potential. However, as with
Android 6.0's Assist API (the power behind Now-on-Tap/Assistant) and accessibility
services, we are granting third-party apps the ability to examine the contents
of our UI. That may be fine for many apps and many users, but not for all
apps and all users. I expect that Google Play ecosystem devices running
Android O will ship with an autofill service automatically enabled, just as
such devices ship with the Assistant enabled. And so developers of secure
apps, or targeting at-risk users, need to think through how to protect some
or all of their UI from being snooped on by autofill services, since everybody
most likely will have such a service enabled "out of the box".



FLAG_SECURE is a typical thing to turn to here, despite
its limitations.
After all, FLAG_SECURE does block information from being delivered to the
Assist API... or at least it used to (I have not tested it recently).



However, FLAG_SECURE has no impact on autofill services, which can read
and modify secure activities with impunity. Officially, this is
working as intended. That link
is to the security issue that I filed; perhaps one day it will be opened up for
you to be able to read it.



So, secure apps need to not only use FLAG_SECURE but also take other steps
to block autofill services from gaining access to the UI.



At the moment, this NoAssistFrameLayout works.
Wrap that around the secure UI elements, and the autofill service will not
have access to them, based on my testing to date. This also blocks
the Assist API's access to those UI elements, which is
where this technique originated.
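A sketch of the wrapper technique described above, as an added example that is not the NoAssistFrameLayout source or any code from the original post. The names `SecureEntryActivity` and `StructureBlockingFrameLayout` and the package are hypothetical; it assumes compileSdkVersion 26 and a minSdkVersion of 23 or higher, since `ViewStructure` arrived in API 23.

```java
package com.example.secureui; // hypothetical package name

import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.util.AttributeSet;
import android.view.ViewStructure;
import android.view.WindowManager;
import android.widget.EditText;
import android.widget.FrameLayout;

public class SecureEntryActivity extends Activity {
  @Override
  protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);

    // FLAG_SECURE covers screenshots and screen capture, but (per the post)
    // has no effect on autofill services.
    getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
        WindowManager.LayoutParams.FLAG_SECURE);

    // Everything added under the wrapper is left out of the view structure.
    StructureBlockingFrameLayout shield = new StructureBlockingFrameLayout(this, null);
    EditText secret = new EditText(this);
    shield.addView(secret);
    setContentView(shield);
  }

  /** Hypothetical container that declines to describe itself or its children. */
  public static class StructureBlockingFrameLayout extends FrameLayout {
    // (Context, AttributeSet) constructor so the class can also be used in layout XML.
    public StructureBlockingFrameLayout(Context context, AttributeSet attrs) {
      super(context, attrs);
    }

    // Assist API path (API 23+): skipping super means neither this view
    // nor its descendants are written into the AssistStructure.
    @Override
    public void dispatchProvideStructure(ViewStructure structure) {
      // intentionally empty
    }

    // Autofill path (API 26+): same idea for the structure handed to autofill services.
    @Override
    public void dispatchProvideAutofillStructure(ViewStructure structure, int flags) {
      // intentionally empty
    }
  }
}
```

Fields inside the wrapper receive no autofill suggestions, so wrap only the views that must stay hidden from the service.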

Published on April 25, 2017 04:08