MobSFScan caught a real StrandHogg 2.0 vuln in my Android app

Was wiring up security CI for a hobby Android project and MobSFScan flagged a real StrandHogg 2.0 task-hijacking vulnerability in MainActivity. Any app with default launchMode and taskAffinity running on Android < 11 is exploitable — a malicious app on the same device can hijack your task and overlay a phishing UI on top of your activities. Properly nasty, properly silent, not the sort of thing that jumps out in code review.

The fix is a one-line manifest change:

<!-- singleInstance keeps MainActivity alone in its own task; an empty
     taskAffinity means no other activity can join that task by declaring
     a matching affinity (the default affinity is the package name) -->
<activity
    android:name=".MainActivity"
    android:launchMode="singleInstance"
    android:taskAffinity="" />

What surprised me is that a free SAST tool found a CVE-class issue with zero tuning. MobSFScan is going into CI on every Android repo I touch — it’d catch this before it ever ships, and the vuln itself isn’t the kind of thing that comes up in normal Android dev.
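If you want the same kind of check without a SAST tool in the loop, here is an added example (my own, not MobSFScan's rule) that parses an AndroidManifest.xml and reports every activity still on the default launchMode/taskAffinity described above; the sample manifest, package name and activity names are constructed.

```python
# Added example, not MobSFScan's own rule: flag activities that lack the
# launchMode="singleInstance" + taskAffinity="" fix from the post.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name, default=None):
    # Manifest attributes live in the android: namespace.
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def find_hijackable_activities(manifest_xml: str):
    """Return (name, launchMode, taskAffinity) for each activity without the fix.
    Defaults follow the Android docs: launchMode is "standard" and
    taskAffinity is the package name when not declared."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for activity in app.iter("activity"):
        name = _attr(activity, "name", "?")
        launch_mode = _attr(activity, "launchMode", "standard")
        affinity = _attr(activity, "taskAffinity", package)
        if launch_mode != "singleInstance" or affinity != "":
            findings.append((name, launch_mode, affinity))
    return findings


# Constructed sample manifest: one activity on defaults, one with the fix applied.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hobby">
    <application android:label="Hobby">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity
            android:name=".SettingsActivity"
            android:launchMode="singleInstance"
            android:taskAffinity="" />
    </application>
</manifest>"""

if __name__ == "__main__":
    for name, mode, affinity in find_hijackable_activities(SAMPLE_MANIFEST):
        print(f"{name}: launchMode={mode!r} taskAffinity={affinity!r}")
```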