A set of techniques to protect against StrandHogg on Android
Important
Be aware that StrandHogg is old and the techniques demonstrated in this sample application are not necessary in many cases: see the flow chart in the accompanying blog post to see if you need to take action.
StrandHogg exploits an oversight in Android’s task management that allows a malicious application to insert a malicious activity at the top of the task stack for a targeted application. In other words, it lets applications impersonate other applications and e.g. steal sensitive information.
Two variants of StrandHogg have been identified. The first variant (v1) involves setting the android:taskAffinity
attribute to the task affinity of the targeted application. This is easy to detect, which means that
Google Play will reject such applications. The second variant (v2) uses somewhat more complex code
to inject the malicious activity, and so is more difficult to detect automatically.
Further details can be found in the accompanying blog post.
The application can be built from the command line or within Android Studio:
$ ./gradlew assembleRelease
The application demonstrates techniques to protect against StrandHogg that you can apply to your own application. To get the most out of the example application, the code is best read together with the companion blog post.
These are the components of interest in the application source code:
- MinimizedActivity: The entry point into the app
- MyBootReceiver: Starts MinimizedActivity on device boot and immediately moves it to the background
- RestartMinimizedActivityService: Starts MinimizedActivity again and moves it to the background if the app is closed
- ForegroundDetectionService: Responsible for checking for StrandHogg attacks if the user navigates away from the app
- StrandhoggProtectionUtils: Contains the actual StrandHogg checks
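The kind of check a service such as ForegroundDetectionService can run when the app leaves the foreground, as an added illustration and not code from this repository or its StrandhoggProtectionUtils: every task that Android reports as belonging to the app is inspected, and a top activity from another package means a foreign activity has been placed on top of the app's own task, whichever StrandHogg variant put it there. The class name TaskTopCheck and its method names are assumptions; the Android API calls (getAppTasks, getTaskInfo, TaskInfo.topActivity) are real but only available from API 29.

```java
import android.app.ActivityManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical StrandHogg check (not the project's StrandhoggProtectionUtils).
 * An injected activity sits on top of one of OUR tasks but belongs to another
 * package, so comparing each task's top activity with our package reveals it.
 */
public final class TaskTopCheck {

    private TaskTopCheck() {}

    /** Pure comparison, kept separate so it can be unit-tested without a device. */
    static List<ComponentName> foreignTopActivities(String ownPackage,
                                                    List<ComponentName> topActivities) {
        List<ComponentName> foreign = new ArrayList<>();
        for (ComponentName top : topActivities) {
            // topActivity is null for tasks that are not currently running; skip them.
            if (top != null && !ownPackage.equals(top.getPackageName())) {
                foreign.add(top);
            }
        }
        return foreign;
    }

    /** Collects the top activity of every task the system associates with this app. */
    static List<ComponentName> currentTopActivities(Context context) {
        List<ComponentName> tops = new ArrayList<>();
        // TaskInfo.topActivity is only public API from Android 10 (API 29) onwards.
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.Q) {
            return tops;
        }
        ActivityManager am = context.getSystemService(ActivityManager.class);
        for (ActivityManager.AppTask task : am.getAppTasks()) {
            tops.add(task.getTaskInfo().topActivity);
        }
        return tops;
    }

    /** Run when the app loses the foreground; true means a foreign activity now fronts our task. */
    public static boolean isTaskHijacked(Context context) {
        List<ComponentName> foreign =
                foreignTopActivities(context.getPackageName(), currentTopActivities(context));
        return !foreign.isEmpty();
    }
}
```

Activities the app itself launches into its own task (a share sheet, a document picker) also show up as foreign top activities, so the check should be skipped, or the expected component allow-listed, while such a call is in flight; below API 29 it returns false and a different signal is needed.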
Contributions, issues and feature requests are welcome. Feel free to check the issues page if you would like to contribute.
Copyright (c) 2002-2023 Guardsquare NV. This project is released under the Apache 2 license.