OWASP category: MASVS-PLATFORM: Platform Interaction
Overview
The StrandHogg attack / Task Affinity vulnerability was enabled / caused by a design bug in the way Android handled multiple tasks, specifically the feature called task reparenting. Application task reparenting is a feature that allows an application to move an activity from one task to another.
The StrandHogg attack exploits a lack of clarity on how to vet incoming application task stack activities and allows a malicious application to either:
- move a malicious activity to or from a victim stack
- set the malicious activity as the return stack upon completion of a victim activity
This vulnerability is exploited by manipulating the allowTaskReparenting and
taskAffinity settings.
Impact
A malicious application can set the taskAffinity of one of its activities to match the packageName of a target application. This can then be coupled with intent hijacking so that the next time the target application is launched by the user, the malicious application is also launched and displayed on top of the target application.
The Task Affinity vulnerability can then be used to hijack legitimate user actions.
The user could be tricked into providing credentials to a malicious application. By default, once an activity starts and is associated with a task, that association persists for the activity's entire lifecycle. However, setting allowTaskReparenting to true breaks this restriction, allowing an existing activity to be re-parented to a newly created "native" task.
For example, App A can be targeted by App B, redirecting App A activities to an App B activity stack upon return from App A's completed activity. This transition from one app to another is hidden from the user and creates a significant phishing threat.
Mitigations
Update to android:minSdkVersion="30".
The StrandHogg attack / Task affinity vulnerability was originally patched in March 2019 with a newer and more comprehensive variant patched in September 2020. Android SDK versions 30 and newer (Android 11) contain the appropriate OS patches to avoid this vulnerability. While it is possible to partially mitigate version 1 of the StrandHogg attack through individual application configuration, version 2 of the attack can only be prevented by this SDK version patch.
Resources
- Original academic paper describing the vulnerability at Usenix 15{.external}
- Promon Security group's expansion of the original vulnerability{.external}
- Android developer documentation for android:allowTaskReparenting
- Android developer documentation for android:taskAffinity
- Android developer documentation for the application element of android:allowTaskReparenting