Chris Lamb:
> Hi Hans!
>
>>> Have we really exhausted the detection route for this? :)
>>
>> I think the detection route has been exhausted. It seems that no one
>> wants to do what it takes to reliably detect APKs.
>
> I'm sorry you think so and, with the greatest of respect, I'm not
> sure this is entirely accurate... at least from my point of view.
>
> Could you perhaps attach or otherwise link to some testcases where
> diffoscope gets the detection wrong? It sounds like a fun challenge,
> if nothing else..

Any Janus APK, including the examples linked to in the GitHub, etc. are test cases. It would be literally impossible to auto-detect since a Janus APK is both a valid DEX file (starting with the bytes "dex") and a functional ZIP and APK. Most ZIP readers will happily skip any bytes that don't make sense before the ZIP contents, since the file information is stored at the end of a ZIP. A Janus APK is technically not an officially valid ZIP, since it has non-ZIP bytes before the ZIP header. The most recent APK tools now reject Janus APKs as invalid, but zip tools will still happily work with them.

So in my case, I'd want to compare a valid APK with a modified version of the valid APK that turns it into a Janus APK.

As for increasing the reliability of the auto-detection, I think libfile could do a quick check for APK Signature v2 or v3, then reliably mark the file as an APK (vs. ZIP or JAR).

APK Signature v2: https://source.android.com/security/apksigning/v2
APK Signature v3: https://android-review.googlesource.com/c/platform/tools/apksig/+/587834/

.hc
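
The check suggested in the message above, sketched as an added example that is not part of the original message and is not diffoscope or libfile code: it reports a leading "dex" magic and a trailing ZIP structure independently, then looks for an APK Signing Block carrying a v2 or v3 entry. The function names and in-memory fixtures are hypothetical and constructed for illustration; it assumes no ZIP64 and a central directory that ends where the end-of-central-directory record begins.

```python
import io, struct, zipfile

DEX_MAGIC = b"dex\n"
EOCD_SIG = b"PK\x05\x06"              # ZIP end-of-central-directory record
APK_SIG_MAGIC = b"APK Sig Block 42"   # trailer of the APK Signing Block
SCHEMES = {0x7109871A: "v2", 0xF05368C0: "v3"}

def classify(data):
    """Return (is_zip, has_dex_prefix, signature schemes found)."""
    dex = data.startswith(DEX_MAGIC)
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 65557))
    if eocd < 0 or eocd + 22 > len(data):
        return False, dex, []
    # Assumption: no ZIP64, central directory ends where the EOCD starts.
    cd_off = eocd - struct.unpack_from("<I", data, eocd + 12)[0]
    found = []
    if cd_off >= 32 and data[cd_off - 16:cd_off] == APK_SIG_MAGIC:
        size = struct.unpack_from("<Q", data, cd_off - 24)[0]
        if 24 <= size <= cd_off - 8:
            pos, end = cd_off - size, cd_off - 24
            while pos + 12 <= end:        # uint64 length, uint32 ID, value
                plen, pid = struct.unpack_from("<QI", data, pos)
                if plen < 4:
                    break
                if pid in SCHEMES:
                    found.append(SCHEMES[pid])
                pos += 8 + plen
    return True, dex, found

def label(data):
    is_zip, dex, schemes = classify(data)
    if not is_zip:
        return "dex" if dex else "unknown"
    return ("apk" if schemes else "zip") + ("+dex-prefix" if dex else "")

def sample_zip():
    """Constructed fixture: a one-entry ZIP held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"placeholder")
    return buf.getvalue()

def with_sig_block(zip_bytes, scheme_id):
    """Constructed fixture: splice an unsigned, empty-valued signing block in."""
    eocd = zip_bytes.rfind(EOCD_SIG)
    cd_off = eocd - struct.unpack_from("<I", zip_bytes, eocd + 12)[0]
    pair = struct.pack("<QI", 4, scheme_id)
    size = struct.pack("<Q", len(pair) + 24)
    return zip_bytes[:cd_off] + size + pair + size + APK_SIG_MAGIC + zip_bytes[cd_off:]
```

Reporting the DEX prefix separately from the ZIP/APK result lets a comparison tool show both views of a dual-format file instead of settling on whichever magic it sees first.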