Great to see you're adopting some of the #security features we've implemented earlier this year at #IzzyOnDroid @fdroidorg! Maybe you want to check our documentation on them?
https://android.izzysoft.de/articles/named/iod-scan-apkchecks
* it's SIGNING blocks, not FROSTING blocks
* MEITUAN is about payload, not metadata
* there's no fixed number of blocks as your code assumes (https://gitlab.com/fdroid/fdroidserver/-/merge_requests/1548/diffs)
The article you link to (https://bi-zone.medium.com/easter-egg-in-apk-files-what-is-frosting-f356aa9f4d1) tells you the same :wink:
@fdroidorg Only what you call "Google metadata" (0x2146444E) is the Google Play Frosting Block, neither the DEPENDENCY_INFO_BLOCK (0x504b4453) nor the MEITUAN_APK_CHANNEL_BLOCK (0x71777777) are. And Meituan calls their block Payload themselves:
https://github.com/search?q=repo%3AMeituan-Dianping%2Fwalle%20APK_CHANNEL_BLOCK_ID&type=code
@fdroidorg PS: you can find our corresponding code here:
https://gitlab.com/IzzyOnDroid/repo/-/blob/master/lib/CheckSigningBlocks.py
Note the "UNKNOWN" towards the end of the screenshot, to make sure yet unknown blocks are not missed.
My Android APK signing block payload PoC from Feb 2023 can use either a custom block or hide the payload in the verity padding block.
The IzzyOnDroid scanner will catch either variant, but the F-Droid scanner will miss both.
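The kind of check described in this thread, as an added example that is not IzzyOnDroid's CheckSigningBlocks.py, fdroidserver code, or the PoC mentioned above: the parser walks every ID-value pair in the APK Signing Block (rather than assuming a fixed number of blocks), names the IDs it knows, labels everything else UNKNOWN, and also reports a verity padding block that carries non-zero bytes. The block layout follows the Android APK Signature Scheme v2 documentation; the sample APK bytes and the block ID 0xDEADBEEF are constructed here, and the ID names beyond the three quoted in the thread are assumptions from that documentation.

```python
"""Enumerate ID-value pairs in an APK Signing Block and flag unknown IDs.

Added example, not project code. Layout (APK Signature Scheme v2 docs):
  uint64 size_of_block | ID-value pairs | uint64 size_of_block | magic
  pair = uint64 length | uint32 ID | value (length - 4 bytes)
"""
import struct
from typing import List, Tuple

MAGIC = b"APK Sig Block 42"
EOCD_SIG = struct.pack("<I", 0x06054B50)  # ZIP end-of-central-directory signature
VERITY_PADDING = 0x42726577

# The three IDs from the thread plus the common scheme/padding IDs (assumed from docs).
KNOWN_BLOCKS = {
    0x7109871A: "APK_SIGNATURE_SCHEME_V2_BLOCK",
    0xF05368C0: "APK_SIGNATURE_SCHEME_V3_BLOCK",
    VERITY_PADDING: "VERITY_PADDING_BLOCK",
    0x2146444E: "GOOGLE_PLAY_FROSTING_BLOCK",
    0x504B4453: "DEPENDENCY_INFO_BLOCK",
    0x71777777: "MEITUAN_APK_CHANNEL_BLOCK",
}

Pair = Tuple[int, str, bytes]


def parse_signing_block(block: bytes) -> List[Pair]:
    """Walk all ID-value pairs; returns (id, name or 'UNKNOWN', value bytes)."""
    if len(block) < 32 or block[-16:] != MAGIC:
        raise ValueError("missing 'APK Sig Block 42' magic")
    size_head = struct.unpack_from("<Q", block, 0)[0]
    size_tail = struct.unpack_from("<Q", block, len(block) - 24)[0]
    # Both size fields exclude the leading uint64 itself.
    if size_head != size_tail or size_head + 8 != len(block):
        raise ValueError("size_of_block fields inconsistent")
    pairs: List[Pair] = []
    pos, end = 8, len(block) - 24
    while pos < end:  # no fixed count: loop until the trailing size field
        length = struct.unpack_from("<Q", block, pos)[0]
        if length < 4 or pos + 8 + length > end:
            raise ValueError(f"bad pair length at offset {pos}")
        block_id = struct.unpack_from("<I", block, pos + 8)[0]
        value = block[pos + 12:pos + 8 + length]
        pairs.append((block_id, KNOWN_BLOCKS.get(block_id, "UNKNOWN"), value))
        pos += 8 + length
    return pairs


def extract_signing_block(apk: bytes) -> bytes:
    """Locate the signing block that sits right before the ZIP central directory."""
    eocd = apk.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no EOCD record")
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    if apk[cd_offset - 16:cd_offset] != MAGIC:
        raise ValueError("no APK Signing Block before central directory")
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    return apk[cd_offset - size - 8:cd_offset]


def findings(pairs: List[Pair]) -> List[str]:
    """Defender-side report: unknown IDs and padding that is not all zeros."""
    out = []
    for bid, name, value in pairs:
        if name == "UNKNOWN":
            out.append(f"unknown block id 0x{bid:08x} ({len(value)} bytes)")
        elif bid == VERITY_PADDING and any(value):
            out.append(f"verity padding block carries {sum(1 for b in value if b)} non-zero bytes")
    return out


def scan_apk(apk: bytes) -> List[Pair]:
    return parse_signing_block(extract_signing_block(apk))


# --- constructed sample: a minimal fake APK with five blocks, one of them unknown ---
def build_signing_block(pairs) -> bytes:
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + MAGIC


def build_fake_apk(pairs) -> bytes:
    local = b"PK\x03\x04" + b"\x00" * 26           # dummy local file header
    block = build_signing_block(pairs)
    cd_offset = len(local) + len(block)           # empty central directory
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 0, 0, 0, cd_offset, 0)
    return local + block + eocd


SAMPLE_PAIRS = [
    (0x7109871A, b"\x11" * 16),                   # placeholder v2 signature block
    (VERITY_PADDING, b"\x00" * 8 + b"xx"),        # padding with a few non-zero bytes
    (0x71777777, b"channel=constructed"),
    (0x2146444E, b"\x22" * 8),
    (0xDEADBEEF, b"\x33" * 12),                   # constructed unknown ID
]
SAMPLE_APK = build_fake_apk(SAMPLE_PAIRS)

if __name__ == "__main__":
    for bid, name, value in scan_apk(SAMPLE_APK):
        print(f"0x{bid:08x}  {name:<32} {len(value)} bytes")
    print(findings(scan_apk(SAMPLE_APK)))
```

Running it lists the five blocks, the last one as UNKNOWN, and reports both the unknown ID and the non-zero padding; the point is that the loop is bounded by the trailing size field, so a new or renamed block ID never silently drops out of the report.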