Skip to main content
Android Cracks and App Hacks — What Is StrandHogg?

This post is from the Arxan blog and has not been updated since the original publish date.

Last Updated Feb 24, 2020 — Application Security expert

Android Cracks and App Hacks — What Is StrandHogg?

Application Security

StrandHogg is a critical vulnerability within the Android mobile operating system allowing bad actors to obtain login credentials and gain control of security-sensitive apps. The exploit was originally discovered in 2015 but recently renamed “StrandHogg” — old Norse for a Viking tactic of plundering coastal settlements and ransoming imprisoned natives.

This vulnerability is a manifestation of the Android control setting taskAffinity. Summarily, taskAffinity grants apps the right to declare themselves as friends (Affinity) allowing the Android ‘BACK’ button to work in a seamless, user-friendly way. Conversely, the use of the taskAffinity setting introduced a vector through which malware writers have developed data theft attacks, utilizing this vulnerability to access any type of shared/available data.

Users can configure their apps to avoid StrandHogg exploitation by denying all forms of interaction with other applications where Affinity doesn’t exist. A setting in the Android manifest will protect users from a deluge of false friends inherited as a result of malware activity. Further steps to protect include checks that ensure malware hasn’t changed this setting.

Arxan testing found that 80% of apps don’t use the taskAffinity setting, and that only 10% of those apps take the simple step that would block StrandHogg. Vulnerabilities in the Android operating system will continue to be uncovered and rediscovered. Arxan's code protection tools can render such attacks impossible. Arxan's Android app code-level security features protect apps against code-level exploitation, automatically triggering on suspicious activity, and alert on attacks — all in real-time.

 

More from the Blog

View more
Aug 09, 2022

Secure mobile application vulnerabilities with an inside-out approach

Application Security
Effective mobile application security is a comprehensive software secu ...
Read More
Jan 18, 2022

Be aware or beware: Easily insert security into your mobile apps

Application Security
COVID-19 has quickly pushed companies over the technological tipping p ...
Read More
Dec 23, 2021

Using machine learning to detect malicious packages

Application Security
Staying up to date with new technology in today’s advanced digital age ...
Read More
Dec 17, 2021

Log4j: Not the Vulnerability We Want, and Not the Vulnerability We Need

Application Security
Log4j is the reminder we didn’t need: the reminder that vulnerabilitie ...
Read More
Contact Us