Apktool Receives an Update to 2.2.4, Includes Security Fixes, Support for Android O Final Dev Preview, and More

Apktool Receives an Update to 2.2.4, Includes Security Fixes, Support for Android O Final Dev Preview, and More

Apktool is s very popular piece of software among some of the more dedicated Android enthusiasts. The software has made headlines time and time again with the most recent being in June when Connor Tumbleson was able to receive sponsorship for the project thanks to Sourcetoad. Today, he has announced a new update which brings its version up to 2.2.4 and comes with some important security patches along with a few slowdown fixes when decoding applications.

In case you’re unaware, Apktool is a piece of software that has been written in Java which mainly allows you to disassemble/reverse engineer 3rd party Android applications. Granted, it also does a lot of other things as well, but most people know it for its reverse engineering capabilities. Mr. Tumbleson has just pushed out a big update over the weekend that is likely to make a lot of people happy with the specific fixes that it comes with, as well as support for Android O’s Final Dev Preview.

As mentioned, version 2.2.4 comes with some important security fixes. These issues were disclosed by Chris Shepherd (IBM Security) & Eran Vaknin, Gal Elbaz, Alon Boxiner (Checkpoint), and did so responsibly so that Apktool could be patched before things got out of hand. If you’d like to read into these vulnerabilities in more detail, then you can read more about them here. To summarize, this update patched a XXE Attack (which is more formally known as a XML eXternal Entity Attack) and a XXE OOB Attack (known as the XML eXternal Out-Of-Band Attack) and an Apktool Path Traversal exploit.

There were also some reports of Apktool slowing down when it was used to decode an Android application. There were a number of instances in which this happened and a few of them have been fixed in this update. Issues when rebuilding applications built with aapt2 have been addressed as well. For those who use Apktool in any public facing environment, then it is highly advised that you update the software immediately. If you’re using it in your own personal environment though then the security patches are less important and you can update it as your own leisure.

Apktool v2.4.4 Changelog

  • [#1520] – Android O Final Dev Preview Support
  • [#591] – SnakeYAML 1.1.8 (Android Support)
  • [#1489] – Fix issue with APKs taking longer than usual to parse resources. (Thanks MarcMil)
  • [#1543] – Fix issue with internal binaries not accessible in a Spring boot environment. (Thanks bingqiao)
  • [#1520] – Fix issues with rebuilding applications originally built with aapt2.
  • [#1532] – Patch aapt to support the $ character in resource filenames.
  • [#1561] – Fix issue where apktool was holding locks onto files during execution. (Thanks MarcMil)
  • [#1534] – Fix issue with APKs that last resource in pool is INVALID_TYPE_CONFIG.
  • [#1564] – Fix issue with APKs that are including malformed characters to break parser.
  • Only exit with 0 error code during version commands.
  • Enforce license header on all source files.
  • [Security] Prevent malicous directory traversal with unknown files.
  • [Security] Prevent XXE vulnerability when given a malicious AndroidManifest.xml
  • Upgrade to gradle 4.0.

Source: Connor Tumbleson

Want more posts like this delivered to your inbox? Enter your email to be subscribed to our newsletter.