OWASP category: MASVS-CODE: Code Quality


public abstract Context createPackageContext (String packageName, int flags)

The method createPackageContext is used when a developer wants to create a context for another application in their own application.

For example, if developers want to get resources from a 3rd-party application or call methods from it, they would use createPackageContext.

However, if an application calls createPackageContext with the CONTEXT_IGNORE_SECURITY and CONTEXT_INCLUDE_CODE flags, and then calls getClassLoader(), this could result in making the application vulnerable to code execution by a malicious application. This can occur, for example, when an attacker impersonates an unclaimed package name (package squatting) that the developer had expected to be present on the user's device.

To summarize the criteria that have to be met to make an application vulnerable to this kind of attack:

Vulnerable App:

Malicious App:

  • Is able to claim the package name that the vulnerable app passes to createPackageContext.
  • Exports android:appComponentFactory.


When createPackageContext is used in an insecure way by an application, this can lead to a malicious application being able to gain arbitrary code execution in the context of the vulnerable application.


Don't call createPackageContext with CONTEXT_IGNORE_SECURITY and CONTEXT_INCLUDE_CODE unless absolutely necessary.

In cases where this is unavoidable, make sure to implement a mechanism to verify the identity of the package you are executing createPackageContext on (e.g. by verifying the package's signature).