Empty task affinity

    Technique limitations

    Technique: Explicit empty task affinity
    Against: Task hijacking
    Limitations: Effective only against StrandHogg v1
    Side effects: Minor UX impact; for example, activities may not group as expected
    Recommendations: Not recommended due to limited effectiveness.

    To use this countermeasure, set android:taskAffinity="" for all exported activities.

    In Android, taskAffinity defines the relationship between activities and tasks (a task is a stack of activities, an "application" from the user's perspective). By default, all activities in an app have the same affinity and belong to the same task, unless specified otherwise. This default taskAffinity value is the application's package name. Task hijacking attacks may exploit this feature by setting the malicious activity's task affinity to the package name of the application they want to target. This tricks the operating system into displaying a malicious activity in what appears to be the legitimate app's task.

    When you set android:taskAffinity="" for all exported activities in your app, you ensure that these activities do not have a specific affinity towards any task. This prevents malicious activities from associating themselves with the app's task, which reduces the risk of task hijacking.
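
    To check that every exported activity carries the empty affinity, the manifest can be audited before release. The following Python script is an added example, not part of the original page; the sample manifest, its package and activity names, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (package and activity names are made up).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application>
    <activity android:name=".LoginActivity" android:exported="true"
              android:taskAffinity=""/>
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".ShareActivity">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>
"""

def is_exported(activity):
    exported = activity.get(ANDROID + "exported")
    if exported is not None:
        # Conservative: anything other than a literal "false" counts as exported.
        return exported != "false"
    # No explicit value: before Android 12, an intent filter implied exported.
    return activity.find("intent-filter") is not None

def audit_task_affinity(manifest_xml):
    """Return (activity name, effective affinity) for each exported activity
    whose effective taskAffinity is not the empty string."""
    root = ET.fromstring(manifest_xml.strip())
    app = root.find("application")
    if app is None:
        return []
    # An affinity set on <application> is inherited by its activities;
    # with none set anywhere, the default is the package name.
    default = app.get(ANDROID + "taskAffinity", root.get("package", ""))
    findings = []
    for activity in app.findall("activity"):
        affinity = activity.get(ANDROID + "taskAffinity", default)
        if is_exported(activity) and affinity != "":
            findings.append((activity.get(ANDROID + "name"), affinity))
    return findings

if __name__ == "__main__":
    for name, affinity in audit_task_affinity(SAMPLE_MANIFEST):
        print(f"{name}: taskAffinity={affinity!r}, expected ''")
```

    On the sample manifest the script flags .MainActivity and .ShareActivity, both of which fall back to the package name as their affinity.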

