> For the complete documentation index, see [llms.txt](https://wiki.smhuda.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://wiki.smhuda.com/pentesting/application-security/mobile-security/android-application-testing/android-task-hijacking.md).

# Android Task Hijacking

### Background

There are four different Launch Modes:

1. standard
2. singleTop
3. singleTask
4. singleInstance

For the attack described here, we are mostly concerned with the “**singleTask**” mode.

One of the possibility with “**singleTask**” activity is it allows other activities to be part of its task. It’s always at the root of its task, but other activities (necessarily “standard” and “singleTop” activities) can be launched into that task.

**Task affinity** is an attribute that is defined in each `<activity>` tag in the `AndroidManifest.xml` file. It describes which Task an Activity prefers to join.\
By default, every activity has the same affinity as the **package** name.

### Grep for singletask to check if Vulnerability exists

<pre><code><strong>apktool d com.example.app
</strong>cd com.example.app

grep -r singleTask .                                                                                  

</code></pre>

If we find the activity whose launchMode is set to **singleTask** then we can hijack the task as it is vulnerable.

### Attack and POC

We need to create a malicious application to exploit this vulnerability

You can import the below POC in your Android Studio projects and replace the package name with you desired Victim Application package name in AndroidManifest.xml as follows:

```
android:taskAffinity="com.example. VICTIMAPPPackage"

```

{% embed url="<https://github.com/smhuda/android-task-hijacking>" %}

<figure><img src="/files/wVEwxEs0ge0oLOImOhHU" alt=""><figcaption></figcaption></figure>

Now save and run the project, Android Studio will install and run the application on the Android device physially connected to your machine.

<figure><img src="/files/re5WUtceBkSfDlkd8ei2" alt=""><figcaption></figcaption></figure>

If you prefer an APK you can follow the step in the screenshots below to build an APK to install on another device or emulator:

<figure><img src="/files/mJxLN7pUkcpumFpi4G7M" alt=""><figcaption></figcaption></figure>

* Now, when the user opens the attacker’s app. it immediately minimises the task.
* It will not be shown in the **recent apps** as well.
* After that, when the user opens the victim app and presses the back button, instead of being taken to home screen. he is taken to the attacker’s application.

Thanks to the **taskAffinity** mentioned by the attackers app which is set to the victims app.

Task hijacking is also known as **StrandHogg** vulnerabilit&#x79;**.**

### **Remediation**

* Set the launchMode to **singleInstance** which will prevent other activities from becoming a part of it’s task.
* A custom **onBackPressed()** function can also be added, to override the default behaviour.
* Setting `taskAffinity=""` can be a quick fix for this issue.

### Finding Write Up

{% embed url="<https://docs.fluidattacks.com/criteria/vulnerabilities/347/#non-compliant-code>" %}


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://wiki.smhuda.com/pentesting/application-security/mobile-security/android-application-testing/android-task-hijacking.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.