Android Task Hijacking

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Try Hard Security Group

⛓️ External Link

Task, Back Stack and Foreground Activities

In Android, a task is essentially a set of activities that users interact with to complete a specific job, organized within a back stack. This stack orders activities based on when they were opened, with the most recent activity displayed at the top as the foreground activity. At any moment, only this activity is visible on the screen, making it part of the foreground task.

Here's a quick breakdown of activity transitions:

Activity 1 starts as the sole activity in the foreground.
Launching Activity 2 pushes Activity 1 to the back stack, bringing Activity 2 to the foreground.
Starting Activity 3 moves Activity 1 and Activity 2 further back in the stack, with Activity 3 now in front.
Closing Activity 3 brings Activity 2 back to the foreground, showcasing Android's streamlined task navigation mechanism.

$https://developer.android.com/images/fundamentals/diagram\_backstack.png$

Task affinity attack

Overview of Task Affinity and Launch Modes

In Android applications, task affinity specifies an activity's preferred task, aligning typically with the app's package name. This setup is instrumental in crafting a proof-of-concept (PoC) app for demonstrating the attack.

Launch Modes

The launchMode attribute directs the handling of activity instances within tasks. The singleTask mode is pivotal for this attack, dictating three scenarios based on the existing activity instances and task affinity matches. The exploit hinges on the ability of an attacker's app to mimic the target app's task affinity, misleading the Android system into launching the attacker's app instead of the intended target.

Detailed Attack Steps

Malicious App Installation: The victim installs the attacker's app on their device.
Initial Activation: The victim first opens the malicious app, setting up the device for the attack.
Target App Launch Attempt: The victim attempts to open the target app.
Hijack Execution: Due to the matching task affinity, the malicious app is launched in place of the target app.
Deception: The malicious app presents a fake login screen resembling the target app, tricking the user into entering sensitive information.

For a practical implementation of this attack, refer to the Task Hijacking Strandhogg repository on GitHub: Task Hijacking Strandhogg.

Prevention Measures

To prevent such attacks, developers can set taskAffinity to an empty string and opt for the singleInstance launch mode, ensuring their app's isolation from others. Customizing the onBackPressed() function offers additional protection against task hijacking.

References

Try Hard Security Group

⛓️ External Link

https://discord.gg/tryhardsecurity

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

External Recon Methodology

Pentesting Network

Pentesting Wifi

Phishing Methodology

Basic Forensic Methodology

Memory dump analysis

Partitions/File Systems/Carving

Pcap Inspection

Specific Software/File-Type Tricks

Windows Artifacts

Python Sandbox Escape & Pyscript

Bypass Python sandboxes

Shells (Linux, Windows, MSFVenom)

Linux Privilege Escalation

Docker Security

Docker Breakout / Privilege Escalation

Namespaces

Interesting Groups - Linux Privesc

Bypass Linux Restrictions

Bypass FS protections: read-only / no-exec / Distroless

Linux Post-Exploitation

macOS Security & Privilege Escalation

macOS Apps - Inspecting, debugging and Fuzzing

macOS Kernel & System Extensions

macOS Files, Folders, Binaries & Memory

macOS Process Abuse

macOS IPC - Inter Process Communication

macOS Library Injection

macOS Security Protections

macOS Sandbox

macOS TCC

macOS FS Tricks

macOS Red Teaming

macOS MDM

Windows Local Privilege Escalation

Dll Hijacking

Active Directory Methodology

Abusing Active Directory ACLs/ACEs

AD Certificates

Windows Security Controls

NTLM

Lateral Movement

Stealing Windows Credentials

Basic PowerShell for Pentesters

Android Applications Pentesting

Drozer Tutorial

Frida Tutorial

iOS Pentesting

Pentesting VoIP

Basic VoIP Protocols

21 - Pentesting FTP

25,465,587 - Pentesting SMTP/s

80,443 - Pentesting Web Methodology

Buckets

Drupal

Electron Desktop Apps

PHP Tricks

PHP - Useful Functions & disable_functions/open_basedir bypass

Tomcat

88tcp/udp - Pentesting Kerberos

139,445 - Pentesting SMB

161,162,10161,10162/udp - Pentesting SNMP

1433 - Pentesting MSSQL - Microsoft SQL Server

11211 - Pentesting Memcache

Reflecting Techniques - PoCs and Polygloths CheatSheet

Browser Extension Pentesting Methodology

Cache Poisoning and Cache Deception

Content Security Policy (CSP) Bypass

Cookies Hacking

Dangling Markup - HTML scriptless injection

Deserialization

NodeJS - __proto__ & prototype Pollution

File Inclusion/Path traversal

File Upload

HTTP Request Smuggling / HTTP Desync Attack

Login Bypass

PostMessage Vulnerabilities

SAML Attacks

SQL Injection

MySQL injection

NodeJS - proto & prototype Pollution