|
| 1 | +--- |
| 2 | +title: Platform Vulnerabilities |
| 3 | +description: Known vulnerabilities and important considerations for Flutter developers on different platforms and versions. |
| 4 | +--- |
| 5 | + |
| 6 | +**Important**: The list of supported platforms and versions below is not |
| 7 | +exhaustive and may change over time with new platform updates. Developers |
| 8 | +should always refer to the most up-to-date official platform specific |
| 9 | +documentation for the specific platform they are targeting. |
| 10 | + |
| 11 | +## Android |
| 12 | + |
| 13 | +* **StrandHogg Attack / Task Affinity Vulnerability** |
| 14 | + * **Description**: On Android SDK versions less than 30 |
| 15 | + (Android 11), a vulnerability related to "taskAffinity" allowed |
| 16 | + malicious applications to potentially intercept user interactions |
| 17 | + and data from legitimate applications running in the foreground. |
| 18 | + This attack, known as StrandHogg, could occur when a malicious app |
| 19 | + with a carefully crafted taskAffinity was launched and then brought |
| 20 | + to the foreground, potentially masking itself as the legitimate app. |
| 21 | + * **Affected Versions**: Android SDK versions < 30 (Android 10 and below). |
| 22 | + * **Impact**: Potential interception of sensitive data (e.g., login |
| 23 | + credentials, personal information), unauthorized actions performed on |
| 24 | + behalf of the user. |
| 25 | + * **Mitigation**: |
| 26 | + * **Target SDK Version 30 or higher**: Setting `minSdkVersion` to 30 |
| 27 | + or higher on Android projects applies restrictions that mitigate this |
| 28 | + vulnerability. Android 11 introduced changes to how tasks are managed, |
| 29 | + limiting the ability of apps to manipulate task affinity in this way. |
| 30 | + * **References**: |
| 31 | + * https://developer.android.com/privacy-and-security/risks/strandhogg |
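Review bot: The mitigation bullet at new-file lines 26-27 is titled "Target SDK Version 30 or higher", but its body tells the reader to set `minSdkVersion` to 30. These are two different build settings with different consequences, so the heading and the body should name the same one. If `minSdkVersion` is intended, retitle the bullet to match and add a sentence saying that this stops the app from installing on the versions listed under "Affected Versions" (Android 10 and below), since that is a significant trade-off for most apps. If the target SDK is what is meant, change the body instead. Two smaller wording points: the note at line 6 refers to "the list of supported platforms and versions below", while the page lists vulnerabilities rather than supported platforms, and "platform specific" at line 8 should be hyphenated.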