| Technique limitations | |
| Technique | Explicit empty task affinity |
| Against | Task hijacking |
| Limitations | Effective only against StrandHogg v1 |
| Side effects | Minor UX impact, for example, activities may not group as expected |
| Recommendations | Not recommended due to limited effectiveness. |
To use this countermeasure, set android:taskAffinity="" for all exported activities.
In Android, taskAffinity is used to define the relationship between different activities and tasks (a stack of activities, "applications" from the user's perspective). By default, all activities in an app have the same affinity and belong to the same task, unless specified otherwise. Task hijacking attacks may exploit this feature by manipulating task affinity to trick the operating system into displaying a malicious activity in what appears to be the legitimate app's task.
When you set android:taskAffinity="" for all exported activities in your app, you ensure that these activities do not have a specific affinity towards any task. It prevents malicious activities from associating themselves with the app's task, reducing the risk of task hijacking.