This post is from the Arxan blog and has not been updated since the original publish date.
Android Cracks and App Hacks — What Is StrandHogg?
StrandHogg is a critical vulnerability in the Android mobile operating system that allows bad actors to obtain login credentials and gain control of security-sensitive apps. The exploit was originally discovered in 2015 but was recently renamed “StrandHogg”, old Norse for a Viking tactic of plundering coastal settlements and ransoming imprisoned natives.
This vulnerability stems from the Android control setting taskAffinity. In short, taskAffinity grants apps the right to declare themselves as friends (Affinity), allowing the Android ‘BACK’ button to work in a seamless, user-friendly way. However, the taskAffinity setting also introduced a vector through which malware writers have developed data theft attacks, using this vulnerability to access any type of shared or available data.
Users can configure their apps to avoid StrandHogg exploitation by denying all forms of interaction with other applications where Affinity doesn’t exist. A setting in the Android manifest will protect users from a deluge of false friends inherited as a result of malware activity. Further protective steps include checks that ensure malware hasn’t changed this setting.
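One way to check an app for this setting, as an added example that is not Arxan's code: the script below audits a decoded, text-form AndroidManifest.xml and lists every activity whose effective taskAffinity is not empty. It assumes the manifest setting referred to above is `android:taskAffinity=""`; the package and activity names are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def audit_task_affinity(manifest_xml):
    """Return (activity, effective_affinity, source) for every activity whose
    effective taskAffinity is not the empty string."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    # None means the attribute is absent; "" means it was explicitly cleared.
    app_affinity = app.get(ANDROID_NS + "taskAffinity")
    findings = []
    for activity in app.findall("activity"):
        explicit = activity.get(ANDROID_NS + "taskAffinity")
        if explicit is not None:
            effective, source = explicit, "activity"
        elif app_affinity is not None:
            effective, source = app_affinity, "application"
        else:
            # Android's default affinity is the app's package name.
            effective, source = package, "default"
        if effective != "":
            findings.append((activity.get(ANDROID_NS + "name"), effective, source))
    return findings

# Constructed sample manifests (hypothetical package and activity names).
UNSET = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application>
    <activity android:name=".LoginActivity"/>
  </application>
</manifest>"""

CLEARED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:taskAffinity="">
    <activity android:name=".LoginActivity"/>
    <activity android:name=".ShareActivity"
              android:taskAffinity="com.example.bank.share"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml_text in (("unset", UNSET), ("cleared", CLEARED)):
        for name, affinity, source in audit_task_affinity(xml_text):
            print(f"{label}: {name} affinity={affinity!r} (from {source})")
```

Running the same audit against the manifest of a shipped or repackaged build shows whether the setting still holds for every activity, including ones that override the application-level value.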
Arxan testing found that 80% of apps don’t use the taskAffinity setting, and that only 10% of those apps take the simple step that would block StrandHogg. Vulnerabilities in the Android operating system will continue to be uncovered and rediscovered. Arxan's code protection tools can render such attacks impossible. Arxan's Android app code-level security features protect apps against code-level exploitation, automatically trigger on suspicious activity, and alert on attacks, all in real time.