Task stack hijacking #14804
Description
⚠️ Before posting ⚠️
- This is a bug, not a question or an enhancement.
- I've searched for similar issues and didn't find a duplicate.
- I've written a clear and descriptive title for this issue, not just "Bug" or "Crash".
- I agree to follow Nextcloud's Code of Conduct.
Steps to reproduce
Task stack hijacking affects apps with startup modes of singletask and standard
We hijacked the task stack of the application by setting the same taskAffinity. When the user clicks on the application, what is actually displayed is the activity of the attack application we wrote (there is no interface switching process in the entire process, which is very hidden and difficult for the user to discover). By designing the activity in this way, we can mimic the login interface of the application, induce the user to log in, and steal the user's private password information
Reproduction method:
Write an attack application that hijacks the application's task stack by setting the taskAffinity attribute to the package name of soul
Expected behaviour
Repair plan
-
Set the taskAffinity property of the application's activity to empty
-
When the APP is initially enabled, check whether the number of front-end tasks in the activity stack is greater than the initial set value. If it is greater than the initial set value, it is necessary to draw the user's attention to the possibility of disguised malicious attacks in the future. Do not output sensitive information on the page
Example code:
val activityManager = getSystemService(ACTIVITY_SERVICE) as ActivityManager
val appTasks: List = activityManager.getAppTasks()
if (appTasks.isNotEmpty()) {
Val initial Activity Count=5//Assuming that the initial set number of front-end task activities is 5
val taskInfo: RecentTaskInfo = appTasks[0].taskInfo
val numActivities: Int = taskInfo.numActivities
if (numActivities > initialActivityCount) {
//If the number of activities in the current front-end task is greater than the initial set value, a Toast prompt will pop up to remind the user to pay attention to safety
Toast.makeText (this, "Warning: The current front-end task has an abnormal number of activities, which may pose a security risk. Please be careful not to enter sensitive information on subsequent pages! ", Toast.LENGTH_LONG).show()
}
}
Actual behaviour
We hijacked the task stack of the application by setting the same taskAffinity. When the user clicks on the application, what is actually displayed is the activity of the attack application we wrote (there is no interface switching process in the entire process, which is very hidden and difficult for the user to discover). By designing the activity in this way, we can mimic the login interface of the application, induce the user to log in, and steal the user's privacy password information. The specific attack video has been attached
Android version
9.0
Device brand and model
xiaomi 9
Stock or custom OS?
Custom (explain in "additional information")
Nextcloud android app version
3.1.3
Nextcloud server version
WU
Using a reverse proxy?
No
Android logs
No response
Server error logs
Additional information
I currently don't know the version of NextCloud because we haven't logged in yet. Our hijacking occurred when we first clicked on the application