...
android:name refers to the name of the class that implements this activity. The name of the package is "jp.co.vulnerable", so the fully qualified name of the class implementing this activity is jp.co.vulnerable.media.yfrog.YfrogUploadDialog. Since the intent filter is defined, this activity is exported to other apps.
...
An Android developer can arbitrarily choose a package name, so different app developers could choose the same package name. Therefore, it is generally not recommended to use the package name for validating the caller of the activity [JSSEC 2013]. The recommended alternative is to check the developer's certificate instead of the package name.
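One way to implement the certificate check described above, as an added example (not code from the original page or from the app it discusses). The class name CallerCheckedActivity and the pinned hash placeholder are assumptions; the caller's package name is used only as a lookup key, and the trust decision rests on the signing certificate.

```java
import android.app.Activity;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Bundle;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical activity; the class name and the pinned hash are placeholders.
public class CallerCheckedActivity extends Activity {
    // SHA-256 of the trusted developer's signing certificate, uppercase hex (placeholder).
    private static final String TRUSTED_CERT_SHA256 = "<TRUSTED_CERT_SHA256_HEX>";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // getCallingPackage() is non-null only when the caller used startActivityForResult().
        String caller = getCallingPackage();
        if (caller == null || !isSignedByTrustedCert(caller)) {
            finish(); // reject before reading any Intent extras
            return;
        }
        // ... handle the Intent from the verified caller ...
    }

    // Looks up the installed package by name, then compares its signing certificate to the pin.
    private boolean isSignedByTrustedCert(String packageName) {
        try {
            PackageInfo info = getPackageManager()
                    .getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
            // Accept exactly one signer so an extra certificate cannot satisfy the check.
            if (info.signatures == null || info.signatures.length != 1) return false;
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(info.signatures[0].toByteArray());
            return TRUSTED_CERT_SHA256.equals(toHex(digest));
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // fail closed
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02X", b));
        return sb.toString();
    }
}
```

A caller that uses startActivity() instead of startActivityForResult() yields a null calling package and is rejected by this check.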
...
Related Vulnerabilities
- JVN#31860555 twicca Twicca fails to restrict access permissions
...