Task Hijacking

Description

An Android task is a collection of activities that users interact with when performing a certain job. Activities from different apps can reside in the same task which might be used to relocate a malicious activity to your application's task by manipulating the following parameters:

Task Affinity controlled by attribute taskAffinity
Task Reparenting controlled by attribute allowTaskReparenting

Task Affinity is an activity attribute defined in the <activity> tag in the AndroidManifest.xml file. Task Affinity specifies which task that the activity desires to join. By default, all activities in an app have the same affinity, which is the app package name.

XML

<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="co.secureApp.app">
    <application>
        <activity android:name=".ActivityA"></activity>
        <activity android:name=".ActivityB" android:taskAffinity="co.ostorlab.Myapp:taskB"></activity>
    </application>
</manifest>

allowTaskReparenting when set to true for an activity A, and when a new task with the same affinity is brought to the front, the system moves the relocatable activity A from its original hosting task to the new foreground task stack.

Task Hijacking attacks come in different flavors:

Task Affinity Control: application has a package name com.mySecureApp.app and activity A1. A malicious application has two activities M1 and M2 where M2.taskAffinity = com.mySecureApp.app and M2.allowTaskReparenting = true. If the malicious app is open on M2, once you start your application, M2 is relocated to the front and the user will interact with the malicious application.
Single Task Mode: the application has set launch mode to singleTask. A malicious application with M2.taskAffinity = com.mySecureApp.app can hijack the target application task stack.
Task Reparenting: application has set taskReparenting to true. A malicious application can move the target application task to the malicious application stack.

Task hijacking can be used to perform phishing, denial of use attack, and has been exploited in the past by banking malware trojans. New flavors of the attacks (StandHogg 2.0) are extremely hard to detect, as they are code-based attacks.

Task hijacking has been addressed in Android version 11 as a part of a fix of CVE-2020-0267 WindowManager confused deputy.

Recommendation

Different forms of Task Hijacking vulnerabilities require different fixes:

Set the task affinity of the application activities to ""(empty string) in the <activity> tag of the AndroidManifest.xml to force the activities to use a randomly generated task affinity, or set it at the<application> tag to enforce on all activities in the application.

OR

Set the android:launchMode to singleInstance. singleInstance ensure that no other activities will be created in the same task.
Do not specify launch mode set to singleTask or add support for a monitoring service to detect the presence of malicious foreground tasks.
Do not set the flag FLAG_ACTIVITY_NEW_TASK in activity launch intents, or use with the FLAG_ACTIVITY_CLEAR_TASK:

Java

Intent i = new Intent(this, AnActivity.class);
i.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
i.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK);
startActivity(i);

Do not specify allowReparenting with taskAffinity or add support a monitoring service to detect the presence of malicious foreground tasks.
Prefer the use of Explicit intent, which specify which application will satisfy the intent, by supplying the target application package name or a fully-qualified component class name. Implicit intent only specifies the general action.

Links

Standards

OWASP_MASVS_L2:
- MSTG_PLATFORM_9
PCI_STANDARDS:
- REQ_2_2
- REQ_6_2
- REQ_6_3
- REQ_11_3