Are PendingIntents created by createPendingResult(int, android.content.Intent, int) secure against Intent spoofing attacks?
Looking into the source code of the Activity class, I see that there is a getPackage(). However, it is not clear to me whether the resulting PendingIntent is restricted only to the app into whose context it was created.
It's not safe.
Frist of all, check this questions to get more details about PendingIntent, and why it's not safe:What is an Android PendingIntent?
Secondly, one very important thing, which the above question's all answers not mentioned, is that the intent inside the PendingIntent could be changed after the PendingIntent being created! Which means, the behavior of the PendingIntent could be changed when you give it to another application. This is controled by the flags paremeter. check for createPendingResult (int requestCode, Intent data, int flags) and Intent.fillIn (Intent other, int flags) for more details.
And CVE-2014-8609 is a very good example, google it.
Finally, from the source code of the Activity class and the PendingIntent class, we can see the implemention of
createPendingResult and PendingIntent.getActivity is very similar, means the returned PendingIntent have same risk.
