...
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
public void onCreate(Bundle arg5) {
super.onCreate(arg5);
...
ComponentName v0 = this.getCallingActivity();
if(v0 == null) {
this.finish();
}
else if(!"jp.r246.twicca.equals(v0.getPackageName())) {
this.finish();
}
else {
this.a = this.getIntent().getData();
if(this.a == null) {
this.finish();
}
...
}
}
|
An Android developer can arbitrarily choose a package name, so different app developers could choose the same package name. Therefore, it is generally not recommended to use the package name for validating the caller of the activity. [JSSEC 2013] The recommended alternative is to check the developer's certificate instead of the package name.
However, considering the facts that
- only one app with a particular package name can exist on Google Play; and
- if a user tries to install an app whose package name already exists on the installed apps, the installation either will fail or will overwrite the previously installed app;
Twicca's solution may be logical and safe against the exploitation.
Risk Assessment
Acting on receipt of an intent without validating the caller's identity may lead to sensitive data being revealed or to denial of service.
...