# Android Task Hijacking

### Background

There are four different Launch Modes:

1. standard
2. singleTop
3. singleTask
4. singleInstance

For the attack described here, we are mostly concerned with the “**singleTask**” mode.

A “**singleTask**” activity allows other activities to become part of its task. It is always at the root of its task, but other activities (necessarily “standard” and “singleTop” activities) can be launched into that task.

**Task affinity** is an attribute that is defined in each `<activity>` tag in the `AndroidManifest.xml` file. It describes which Task an Activity prefers to join.\
By default, every activity has the same affinity as the **package** name.

### Grep for singleTask to check if the vulnerability exists

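```
# Decode the APK; apktool writes its output to ./com.example.app
apktool d com.example.app.apk
cd com.example.app

# Search the decoded files for activities that declare singleTask
grep -r singleTask .
```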

If we find an activity whose launchMode is set to **singleTask**, its task can be hijacked, so the app is vulnerable.

### Attack and POC

We need to create a malicious application to exploit this vulnerability.

You can import the POC below into your Android Studio projects and replace the package name with your desired victim application's package name in `AndroidManifest.xml` as follows:

```
android:taskAffinity="com.example.VICTIMAPPPackage"
```

{% embed url="<https://github.com/smhuda/android-task-hijacking>" %}

<figure><img src="/files/wVEwxEs0ge0oLOImOhHU" alt=""><figcaption></figcaption></figure>

Now save and run the project. Android Studio will install and run the application on the Android device physically connected to your machine.

<figure><img src="/files/re5WUtceBkSfDlkd8ei2" alt=""><figcaption></figcaption></figure>

If you prefer an APK, you can follow the steps in the screenshots below to build one and install it on another device or emulator:

<figure><img src="/files/mJxLN7pUkcpumFpi4G7M" alt=""><figcaption></figcaption></figure>

* Now, when the user opens the attacker’s app, it immediately minimises the task.
* It will not be shown in the **recent apps** either.
* After that, when the user opens the victim app and presses the back button, instead of being taken to the home screen, they are taken to the attacker’s application.

This works because the **taskAffinity** declared by the attacker’s app is set to the victim app.

Task hijacking is also known as the **StrandHogg** vulnerability.

### Remediation

* Set the launchMode to **singleInstance**, which will prevent other activities from becoming a part of its task.
* A custom **onBackPressed()** function can also be added, to override the default behaviour.
* Setting `taskAffinity=""` can be a quick fix for this issue.
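To check a decoded manifest against these fixes rather than relying on a plain grep, the following added example (not part of the original page or the linked POC) parses `AndroidManifest.xml` and reports only the **singleTask** activities that still have a non-empty task affinity. The sample manifest and its activity names are constructed for illustration; the script assumes apktool-style output in which `launchMode` appears as a name.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def audit_manifest(manifest_xml):
    """List singleTask activities whose task affinity is still joinable."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    # Affinity falls back: activity -> application -> package name.
    default_affinity = _attr(app, "taskAffinity")
    if default_affinity is None:
        default_affinity = root.get("package", "")
    findings = []
    for activity in app.findall("activity"):
        if _attr(activity, "launchMode") != "singleTask":
            continue
        affinity = _attr(activity, "taskAffinity")
        if affinity is None:
            affinity = default_affinity
        if affinity == "":
            continue  # taskAffinity="" remediation applied
        findings.append({"activity": _attr(activity, "name"),
                         "taskAffinity": affinity})
    return findings

# Constructed sample manifest (hypothetical app, not from the page).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name=".MainActivity" android:launchMode="singleTask"/>
    <activity android:name=".LoginActivity" android:launchMode="singleTask"
        android:taskAffinity=""/>
    <activity android:name=".PayActivity" android:launchMode="singleInstance"/>
    <activity android:name=".AboutActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f"{f['activity']}: singleTask, taskAffinity={f['taskAffinity']!r}")
```

In the sample, only `.MainActivity` is reported, because it inherits the package name as its affinity; `.LoginActivity` is skipped because it sets `taskAffinity=""`.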

### Finding Write Up

{% embed url="<https://docs.fluidattacks.com/criteria/vulnerabilities/347/#non-compliant-code>" %}


