...
An Android developer can arbitrarily choose a package name, so different app developers could choose the same package name. Therefore, it is generally not recommended to use the package name for validating the caller of the activity. [JSSEC 2013] The recommended alternative is to check the developer's certificate instead of the package name.
However, considering the following facts, Twicca's solution may be logical and safe against this exploitation:
- Only one app with a particular package name can exist on Google Play.
- If a user tries to install an app whose package name matches an already installed app, the installation either will fail or will overwrite the previously installed app.
...
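The certificate check recommended above, written out as an added example (it is not Twicca's code and not part of the original page). It assumes the protected activity is launched with startActivityForResult(), so that getCallingActivity() identifies the caller, and it pins a hypothetical SHA-256 digest of the trusted developer's signing certificate; the package name is used only to look up the certificate, never as the trust decision.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Bundle;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class ProtectedActivity extends Activity {

    // SHA-256 of the trusted caller's signing certificate (DER form).
    // Placeholder value for this example; replace with the real digest
    // obtained from the developer's certificate.
    private static final byte[] TRUSTED_CERT_SHA256 = hexToBytes(
        "0000000000000000000000000000000000000000000000000000000000000000");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (!isCallerTrusted()) {
            // Refuse to act on the intent; do not leak data or crash.
            setResult(RESULT_CANCELED);
            finish();
            return;
        }
        // ... handle the request for a verified caller ...
    }

    /** Returns true only if the calling app is signed by the pinned certificate. */
    private boolean isCallerTrusted() {
        // getCallingActivity() is non-null only when the caller used
        // startActivityForResult(); a plain startActivity() gives null,
        // in which case the caller cannot be identified and is refused.
        ComponentName caller = getCallingActivity();
        if (caller == null) {
            return false;
        }
        String callerPackage = caller.getPackageName();
        try {
            // GET_SIGNATURES returns the signing certificates; on API 28+
            // GET_SIGNING_CERTIFICATES with info.signingInfo is the newer form.
            PackageInfo info = getPackageManager()
                .getPackageInfo(callerPackage, PackageManager.GET_SIGNATURES);
            // Accept exactly one signer; multiple signers need a policy of their own.
            if (info.signatures == null || info.signatures.length != 1) {
                return false;
            }
            byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(info.signatures[0].toByteArray());
            // Constant-time comparison against the pinned digest.
            return MessageDigest.isEqual(digest, TRUSTED_CERT_SHA256);
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Because the package name is resolved through the PackageManager and then bound to a certificate digest, a second app that reuses the package name (sideloaded, or from another store) fails the check unless it is signed with the same key; a plain package-name comparison would have accepted it.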
Risk Assessment
Acting on receipt of an intent without validating the caller's identity may lead to sensitive data being revealed or to denial of service.
...