Task Hijacking Prevention
| Plan | Platforms | MASVS |
|---|---|---|
| Team | Android | MASVS-PLATFORM-1 |
Overview
TaskHijackingPrevention mitigates StrandHogg 1.0 and 2.0 task-affinity hijacking attacks by hardening the application's task configuration at build time. It clears android:taskAffinity attributes and disables android:allowTaskReparenting on all activities, preventing malicious applications from inserting themselves into the protected app's task stack or hijacking its identity in the recent apps switcher.
Optionally, the launcher activity can be configured with launchMode="singleTask" to further restrict task behavior, though this may impact certain user workflows.
How It Works
Android's task system organizes activities into logical stacks. By default, activities from different applications can share the same task if they have matching taskAffinity values. Malicious apps can exploit this behavior to:
- StrandHogg 1.0: Set a matching `taskAffinity` to inject a phishing overlay into the victim app's task, tricking users into entering credentials into the attacker's UI.
- StrandHogg 2.0: Use reflection and accessibility services to dynamically hijack task identities without requiring matching package names.
TaskHijackingPrevention applies the following build-time manifest modifications:
Default Behavior
- Clear Task Affinity: Sets `android:taskAffinity=""` on the `<application>` element and all `<activity>` elements, ensuring activities do not share tasks with external apps.
- Disable Task Reparenting: Sets `android:allowTaskReparenting="false"` on the `<application>` element and all non-launcher activities, preventing the system from moving activities between tasks.
Optional Enhancements
- Single Task Launcher (opt-in): When enabled via `forceSingleTaskLauncher=true`, the launcher activity receives `android:launchMode="singleTask"`, ensuring only one instance exists and that it always starts in its own task. This further restricts task manipulation but may break the user experience in apps that expect multiple launcher instances or deep-linking behavior.
Allowlist
Activities specified in the allowlist configuration array are excluded from modifications, preserving their original task attributes for compatibility with special-purpose activities.
Leanback Launcher
By default (`includeLeanbackLauncher=true`), Android TV leanback launcher activities are treated identically to standard launchers and receive the same protections. This can be disabled by setting `includeLeanbackLauncher=false`.
Threats Mitigated
- StrandHogg 1.0: Prevents task-affinity attacks where malicious apps inject phishing screens into the victim app's task stack.
- StrandHogg 2.0: Hardens task configuration to resist advanced hijacking techniques using reflection and accessibility services.
- Task Stack Manipulation: Blocks unauthorized activity reparenting and task-switching exploits.
- Identity Spoofing: Prevents malicious apps from masquerading as the protected application in the recent apps switcher.
How to Enable the Control
Navigate to Preventative Controls in the AppTego portal and expand the App Component Security section. Under this section you will find the Task Hijacking Prevention control. Click Enable to apply it to the next build, or via a live push if live push is enabled.
API Configuration Example
```json
{
  "TaskHijackingPrevention": {
    "protection": true
  }
}
```
| Field | Purpose |
|---|---|
| protection | Enables task hijacking prevention for protected apps. |
Configuration
The control accepts the following optional parameters in the tenant configuration JSON:
```json
{
  "TaskHijackingPrevention": {
    "protection": true,
    "taskAffinityOverride": "",
    "allowlist": ["com.example.app.SpecialActivity"],
    "forceSingleTaskLauncher": false,
    "includeLeanbackLauncher": true
  }
}
```
- `taskAffinityOverride` (string, default `""`): Custom task affinity value to apply. The empty string (default) clears the affinity.
- `allowlist` (array of strings): Fully-qualified activity names to exclude from modifications.
- `forceSingleTaskLauncher` (boolean, default `false`): If `true`, sets `launchMode="singleTask"` on launcher activities. Use with caution.
- `includeLeanbackLauncher` (boolean, default `true`): If `false`, Android TV leanback launcher activities are not treated as launchers for `singleTask` purposes.
Caveats
- Single Task Limitations: Enabling `forceSingleTaskLauncher=true` may break user workflows that rely on multiple launcher instances, deep linking, or app shortcuts. Test thoroughly before enabling in production.
- Pre-existing Attributes Preserved: Activities with explicit `taskAffinity` or `launchMode` values already set are not overwritten, ensuring compatibility with host app requirements.
- Build-Time Only: This control modifies the manifest at build time and cannot be toggled at runtime. Changes require rebuilding the APK.
- No Runtime Protection: The control does not monitor or block task manipulation at runtime. It relies solely on manifest hardening to prevent attacks.
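As an added illustration (not AppTego's own code), the build-time rewrite described under How It Works, Configuration and Caveats can be expressed as a small Python transform over `AndroidManifest.xml` using only the standard library. The sample manifest, the tenant configuration values and the activity names are constructed for the example; the `android:` attribute names are the real Android manifest attributes. A closing check lists which activities still carry a non-empty (and therefore joinable) task affinity after the rewrite, which is the review a practitioner would want before shipping a build with an allowlist.

```python
"""Build-time manifest hardening against task-affinity hijacking.

Added illustration, not AppTego's own implementation. It reproduces the
manifest rewrite described on this page with Python's standard library.
The sample manifest, configuration and activity names are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)
LAUNCHER = "android.intent.category.LAUNCHER"
LEANBACK = "android.intent.category.LEANBACK_LAUNCHER"  # Android TV

# Constructed sample: a launcher, a reparentable activity, an activity with
# an explicit shared affinity, and an allowlisted third-party SDK activity.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:label="Demo">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".LoginActivity" android:allowTaskReparenting="true"/>
    <activity android:name=".LegacyActivity" android:taskAffinity="com.example.shared"/>
    <activity android:name="com.example.app.SpecialActivity" android:taskAffinity="com.partner.sdk"/>
  </application>
</manifest>"""

# Constructed tenant configuration (the "TaskHijackingPrevention" object).
# forceSingleTaskLauncher defaults to false on the page; enabled here to show it.
SAMPLE_CONFIG = {
    "protection": True,
    "taskAffinityOverride": "",
    "allowlist": ["com.example.app.SpecialActivity"],
    "forceSingleTaskLauncher": True,
    "includeLeanbackLauncher": True,
}

def _a(name):
    """Clark-notation name for an android: attribute."""
    return "{%s}%s" % (ANDROID_NS, name)

def _fq_name(activity, package):
    """Expand ".Foo" / "Foo" shorthand to the fully-qualified class name."""
    name = activity.get(_a("name"), "")
    if name.startswith("."):
        return package + name
    return name if "." in name else package + "." + name

def _is_launcher(activity, include_leanback):
    """True if an <intent-filter> declares MAIN plus a launcher category."""
    cats_ok = {LAUNCHER, LEANBACK} if include_leanback else {LAUNCHER}
    for f in activity.findall("intent-filter"):
        actions = {e.get(_a("name")) for e in f.findall("action")}
        cats = {e.get(_a("name")) for e in f.findall("category")}
        if "android.intent.action.MAIN" in actions and cats & cats_ok:
            return True
    return False

def harden_manifest(xml_text, config):
    """Apply the rewrite; return (new_xml, report), where report maps each
    fully-qualified activity name to the attributes that were set on it."""
    if not config.get("protection", False):
        return xml_text, {}
    affinity = config.get("taskAffinityOverride", "")
    allowlist = set(config.get("allowlist", []))
    single_task = config.get("forceSingleTaskLauncher", False)
    include_leanback = config.get("includeLeanbackLauncher", True)

    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    app = root.find("application")
    # <application>: the defaults every activity inherits unless it overrides.
    app.set(_a("taskAffinity"), affinity)
    app.set(_a("allowTaskReparenting"), "false")

    report = {}
    for act in app.findall("activity"):
        name = _fq_name(act, package)
        if name in allowlist:
            report[name] = {"skipped": "allowlisted"}
            continue
        changes = {}
        if _a("taskAffinity") not in act.attrib:  # caveat: explicit value preserved
            act.set(_a("taskAffinity"), affinity)
            changes["taskAffinity"] = affinity
        if not _is_launcher(act, include_leanback):
            act.set(_a("allowTaskReparenting"), "false")
            changes["allowTaskReparenting"] = "false"
        elif single_task and _a("launchMode") not in act.attrib:  # explicit launchMode preserved
            act.set(_a("launchMode"), "singleTask")
            changes["launchMode"] = "singleTask"
        report[name] = changes
    return ET.tostring(root, encoding="unicode"), report

def activities_with_shared_affinity(xml_text):
    """Defender check: activities whose effective taskAffinity is non-empty
    (Android defaults it to the package name), i.e. still joinable by another
    app declaring the same affinity."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    app = root.find("application")
    app_affinity = app.get(_a("taskAffinity"), package)
    return [_fq_name(a, package) for a in app.findall("activity")
            if a.get(_a("taskAffinity"), app_affinity) != ""]

if __name__ == "__main__":
    hardened, report = harden_manifest(SAMPLE_MANIFEST, SAMPLE_CONFIG)
    for name, changes in report.items():
        print(name, changes)
    print("still joinable:", activities_with_shared_affinity(hardened))
```

Running the module prints one line per activity: `MainActivity` gets the cleared affinity and, because `forceSingleTaskLauncher` is on, `singleTask`; `LoginActivity` has its `allowTaskReparenting="true"` overridden to `"false"`; `LegacyActivity` keeps its explicit affinity (per the Caveats) and only loses reparenting; the allowlisted `SpecialActivity` is untouched. The final check therefore still reports `LegacyActivity` and `SpecialActivity` as joinable, which is exactly the residual exposure an allowlist or a pre-existing `taskAffinity` leaves behind.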
Support Matrix
| Platform | Minimum Version | Notes |
|---|---|---|
| Android | API 26 (8.0) | Supported. Applied via manifest merge at build time. |
| iOS | — | Not supported. Task-affinity attacks are Android-specific. |
Related Controls
- ExportedComponentsPrevention: Hardens component exposure to prevent IPC-based attacks.
- BackupPrevention: Disables backup mechanisms to prevent data extraction.