StrandHogg Attack / Task Affinity Vulnerability

OWASP category: MASVS-PLATFORM: Platform Interaction

Overview

The StrandHogg attack / Task Affinity vulnerability was due to a design bug in the way Android handled multiple tasks, specifically the feature called task reparenting. Application task reparenting is a feature that allows an application to move an activity from one task to another.

The StrandHogg attack exploits a lack of clarity on how to vet incoming application task stack activities and allows a malicious application to either:

• move a malicious activity to or from a victim stack
• set the malicious activity as the return stack upon completion of a victim activity.

This vulnerability is exploited by manipulating the allowTaskReparenting and taskAffinity settings.

Impact

A malicious application can set the taskAffinity of one of its activities to match the packageName of a target application. This can then be coupled with intent hijacking so that the next time the target application is launched by the user, the malicious application is also launched and displayed on top of the target application.

The Task Affinity vulnerability can then be used to hijack legitimate user actions.

The user could be tricked into providing credentials to a malicious application. By default, once an activity starts and is associated with a task, that association persists for the activity's entire lifecycle. However, setting allowTaskReparenting to true breaks this restriction, allowing an existing activity to be re-parented to a newly created "native" task.

For example, App A can be targeted by App B, redirecting App A activities to an App B activity stack upon return from App A's completed activity. This transition from one app to another is hidden from the user and creates a significant phishing threat.

Mitigations

Update to android:minSdkVersion="28".

The StrandHogg attack / Task affinity vulnerability was patched in March 2019 and Android SDK versions 28 and newer (Android 9) contain the appropriate OS patches to avoid this vulnerability. While it is possible to partially mitigate version 1 of the StrandHogg attack through individual application configuration, version 2 of the attack can only be prevented by this SDK version patch.

Resources

• Original academic paper describing the vulnerability at Usenix 15
• Promon Security group's expansion of the original vulnerability