Bug#884095: flag to force file types
Hans-Christoph Steiner
hans at eds.org
Thu Mar 22 10:49:08 UTC 2018
Chris Lamb:
> Hi Hans!
>
>>> Have we really exhausted the detection route for this? :)
>>
>> I think the detection route has been exhausted. It seems that no one
>> wants to do what it takes to reliably detect APKs.
>
> I'm sorry you think so and, with the greatest of respect, I'm not
> sure this is entirely accurate... at least from my point of view.
>
> Could you perhaps attach or otherwise link to some testcases where
> diffoscope gets the detection wrong? It sounds like a fun challenge,
> if nothing else..
Any Janus APK, including the examples linked to in the github, etc. are
test cases.
It would be literally impossible to auto-detect since a Janus APK is
both a valid DEX file (starting with the bytes "dex") and a functional
ZIP and APK. Most ZIP readers will happily skip any bytes that don't
make sense before the ZIP contents, since the file information is stored
at the end of a ZIP. A Janus APK is technically not an officially valid
ZIP, since it has non-ZIP bytes before the ZIP header. The most recent
APK tools now reject Janus APKs as invalid, but zip tools will still
happily work with them. So in my case, I'd want to compare a valid APK
with a modified version of the valid APK that turns it into a Janus APK.
As for increasing the reliability of the auto-detection, I think libfile
could do a quick check for APK Signature v2 or v3, then reliably mark
the file as an APK (vs. ZIP or JAR).
APK Signature v2:
https://source.android.com/security/apksigning/v2
APK Signature v3:
https://android-review.googlesource.com/c/platform/tools/apksig/+/587834/
.hc
More information about the Reproducible-builds
mailing list