hacktricks/mobile-pentesting/android-app-pentesting/android-task-hijacking.md

75 lines
5.2 KiB
Markdown
Raw Normal View History

# Android Task Hijacking
2022-04-28 16:01:33 +00:00
2024-07-19 09:08:05 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-19 09:08:05 +00:00
<details>
2022-04-28 16:01:33 +00:00
2024-07-19 09:08:05 +00:00
<summary>Support HackTricks</summary>
2024-01-03 10:43:38 +00:00
2024-07-19 09:08:05 +00:00
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
2024-07-19 09:08:05 +00:00
{% endhint %}
2022-04-28 16:01:33 +00:00
## Task, Back Stack and Foreground Activities
2024-02-08 03:06:37 +00:00
In Android, a **task** is essentially a set of activities that users interact with to complete a specific job, organized within a **back stack**. This stack orders activities based on when they were opened, with the most recent activity displayed at the top as the **foreground activity**. At any moment, only this activity is visible on the screen, making it part of the **foreground task**.
2024-02-08 03:06:37 +00:00
Here's a quick breakdown of activity transitions:
* **Activity 1** starts as the sole activity in the foreground.
* Launching **Activity 2** pushes **Activity 1** to the back stack, bringing **Activity 2** to the foreground.
* Starting **Activity 3** moves **Activity 1** and **Activity 2** further back in the stack, with **Activity 3** now in front.
* Closing **Activity 3** brings **Activity 2** back to the foreground, showcasing Android's streamlined task navigation mechanism.
2024-05-05 17:56:05 +00:00
![https://developer.android.com/images/fundamentals/diagram\_backstack.png](<../../.gitbook/assets/image (698).png>)
## Task affinity attack
2024-02-08 03:06:37 +00:00
### Overview of Task Affinity and Launch Modes
2024-02-08 03:06:37 +00:00
In Android applications, **task affinity** specifies an activity's preferred task, aligning typically with the app's package name. This setup is instrumental in crafting a proof-of-concept (PoC) app for demonstrating the attack.
2024-02-08 03:06:37 +00:00
### Launch Modes
2024-02-08 03:06:37 +00:00
The `launchMode` attribute directs the handling of activity instances within tasks. The **singleTask** mode is pivotal for this attack, dictating three scenarios based on the existing activity instances and task affinity matches. The exploit hinges on the ability of an attacker's app to mimic the target app's task affinity, misleading the Android system into launching the attacker's app instead of the intended target.
2024-02-08 03:06:37 +00:00
### Detailed Attack Steps
2024-02-08 03:06:37 +00:00
1. **Malicious App Installation**: The victim installs the attacker's app on their device.
2. **Initial Activation**: The victim first opens the malicious app, setting up the device for the attack.
3. **Target App Launch Attempt**: The victim attempts to open the target app.
4. **Hijack Execution**: Due to the matching task affinity, the malicious app is launched in place of the target app.
5. **Deception**: The malicious app presents a fake login screen resembling the target app, tricking the user into entering sensitive information.
For a practical implementation of this attack, refer to the Task Hijacking Strandhogg repository on GitHub: [Task Hijacking Strandhogg](https://github.com/az0mb13/Task\_Hijacking\_Strandhogg).
2024-02-08 03:06:37 +00:00
### Prevention Measures
2024-02-08 03:06:37 +00:00
To prevent such attacks, developers can set `taskAffinity` to an empty string and opt for the `singleInstance` launch mode, ensuring their app's isolation from others. Customizing the `onBackPressed()` function offers additional protection against task hijacking.
## **References**
2022-04-05 22:24:52 +00:00
* [**https://blog.dixitaditya.com/android-task-hijacking/**](https://blog.dixitaditya.com/android-task-hijacking/)
* [**https://blog.takemyhand.xyz/2021/02/android-task-hijacking-with.html**](https://blog.takemyhand.xyz/2021/02/android-task-hijacking-with.html)
2022-04-28 16:01:33 +00:00
2024-03-14 23:01:13 +00:00
2024-07-19 09:08:05 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-19 09:08:05 +00:00
<details>
2022-04-28 16:01:33 +00:00
2024-07-19 09:08:05 +00:00
<summary>Support HackTricks</summary>
2024-01-03 10:43:38 +00:00
2024-07-19 09:08:05 +00:00
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
2024-07-19 09:08:05 +00:00
{% endhint %}