OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

HelloWord-JNI.apk Broken #975

Closed MrM0nkey closed 6 years ago

MrM0nkey commented 6 years ago

Hello,

I am currently reading through the OWASP Mobile Security Testing Guide. I want to install the file https://github.com/OWASP/owasp-mstg/commits/master/Samples/Android/01_HelloWorld-JNI/HelloWord-JNI.apk on my device (Sony Xperia V with android version 4.3) via adb.

The command $adb install HelloWord-JNI.apk generates the following output:

    [100%] /data/local/tmp/HelloWord-JNI.apk
            pkg: /data/local/tmp/HelloWord-JNI.apk
    Failure [INSTALL_FAILED_INVALID_APK]

It seems that the apk is invalid. I also tried to unzip the apk, which generates the output:

    Archive:  HelloWord-JNI.apk
      End-of-central-directory signature not found.  Either this file is not
      a zipfile, or it constitutes one disk of a multi-part archive.  In the
      latter case the central directory and zipfile comment will be found on
      the last disk(s) of this archive.
    unzip:  cannot find zipfile directory in one of HelloWord-JNI.apk or
            HelloWord-JNI.apk.zip, and cannot find HelloWord-JNI.apk.ZIP, period.

Last but not least I tried to decompile the apk with apktools to confirm the issue:

    $apktool d HelloWord-JNI.apk
    I: Using Apktool 2.3.3-dirty on HelloWord-JNI.apk
    Exception in thread "main" brut.androlib.AndrolibException: brut.directory.DirectoryException: java.util.zip.ZipException: zip END header not found
        at brut.androlib.ApkDecoder.hasResources(ApkDecoder.java:307)
        at brut.androlib.ApkDecoder.decode(ApkDecoder.java:103)
        at brut.apktool.Main.cmdDecode(Main.java:164)
        at brut.apktool.Main.main(Main.java:73)
    Caused by: brut.directory.DirectoryException: java.util.zip.ZipException: zip END header not found
        at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:55)
        at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:38)
        at brut.directory.ExtFile.getDirectory(ExtFile.java:52)
        at brut.androlib.ApkDecoder.hasResources(ApkDecoder.java:305)
        ... 3 more
    Caused by: java.util.zip.ZipException: zip END header not found
        at java.base/java.util.zip.ZipFile$Source.zerror(ZipFile.java:1527)
        at java.base/java.util.zip.ZipFile$Source.findEND(ZipFile.java:1428)
        at java.base/java.util.zip.ZipFile$Source.initCEN(ZipFile.java:1435)
        at java.base/java.util.zip.ZipFile$Source.<init>(ZipFile.java:1266)
        at java.base/java.util.zip.ZipFile$Source.get(ZipFile.java:1229)
        at java.base/java.util.zip.ZipFile$CleanableResource.<init>(ZipFile.java:727)
        at java.base/java.util.zip.ZipFile$CleanableResource.get(ZipFile.java:845)
        at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:245)
        at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:175)
        at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:189)
        at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:53)
        ... 6 more

What do you think, is this behavior desired?

commjoen commented 6 years ago

Thank you for your bug-report! We will have a look into it soon.

commjoen commented 6 years ago

Hi @MrM0nkey , the minimal Android version is version 5.0, not 4.3 unfortunately.

commjoen commented 6 years ago

Given https://developer.android.com/about/dashboards/ it makes sense not to support anything below 4.4. Can you upgrade your device?

commjoen commented 6 years ago

I did try to unzip the apk as is on the current master branch of the MSTG, and that I could unzip. Can you try to download the mstg again and then try to unzip it? In the meantime, I will create a new apk with support for android 4.4 as well.

MrM0nkey commented 6 years ago

If I download the apk via:

$wget --https-only https://github.com/OWASP/owasp-mstg/commits/master/Samples/Android/01_HelloWorld-JNI/HelloWord-JNI.apk

I was unable to unzip the apk (wget used http anyway). If I clone the whole repository with:

$git clone https://github.com/OWASP/owasp-mstg.git

I can unzip the apk. For me it seems strange that we get two different results but I would say your apk is fine! Thank you for your support.
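The thread ends with two downloads of the same path giving different results: one that unzip accepts and one where the End-of-central-directory (EOCD) record cannot be found, which is also what apktool's "zip END header not found" and adb's INSTALL_FAILED_INVALID_APK are reporting. A cheap pre-install check tells these cases apart. The script below is an added example, not code from the owasp-mstg project: it reproduces the check a ZIP reader does (local file header at the start, EOCD record at the end, central directory inside the file) and additionally recognises when the saved file is an HTML page rather than the archive. That HTML case is an assumption about what a non-raw GitHub URL may return; the thread only shows that the fetched file was not a ZIP. The sample inputs are constructed in the script, not the real HelloWord-JNI.apk.

```python
"""Check that a downloaded .apk really is a ZIP archive before running adb install.

Added example (not part of owasp-mstg). An APK is a ZIP file, so it must start
with a local file header ("PK\x03\x04") and end with an End-Of-Central-Directory
(EOCD) record ("PK\x05\x06"); unzip, apktool and the Android package installer
all fail when the EOCD record is missing.
"""
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
EOCD_FIXED_LEN = 22        # size of the EOCD record without its comment
ZIP_MAX_COMMENT = 0xFFFF   # the comment length field is 16 bits
APK_REQUIRED = {"AndroidManifest.xml", "classes.dex"}   # present in every APK


def find_eocd(data: bytes) -> int:
    """Return the offset of the EOCD record, or -1 if the file has none.

    Mirrors how zip readers locate it: search backwards from the end of the
    file through the region a trailing archive comment could occupy, then
    sanity-check that the central directory it points at lies inside the file.
    """
    start = max(0, len(data) - EOCD_FIXED_LEN - ZIP_MAX_COMMENT)
    pos = data.rfind(ZIP_EOCD, start)
    if pos == -1 or len(data) - pos < EOCD_FIXED_LEN:
        return -1
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_this(2) n_total(2) cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset = struct.unpack_from("<II", data, pos + 12)
    if cd_offset + cd_size > pos:
        return -1
    return pos


def classify(data: bytes) -> str:
    """Classify a downloaded blob: 'html', 'not-zip', 'truncated-zip', 'corrupt-zip', 'zip' or 'apk'."""
    head = data[:1024].lstrip().lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "html"            # a web page was saved instead of the binary (assumed failure mode)
    if not data.startswith(ZIP_LOCAL_HEADER):
        return "not-zip"
    if find_eocd(data) == -1:
        return "truncated-zip"   # unzip: "End-of-central-directory signature not found"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "corrupt-zip"
    return "apk" if APK_REQUIRED <= names else "zip"


def make_sample_apk() -> bytes:
    """Constructed stand-in for HelloWord-JNI.apk: a stored ZIP with the entries an
    APK carries. The entry contents are dummy bytes, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
        zf.writestr("lib/armeabi-v7a/libnative-lib.so", b"\x7fELF" + b"\0" * 32)
    return buf.getvalue()


# Constructed inputs standing in for the outcomes discussed in the issue.
SAMPLE_APK = make_sample_apk()
SAMPLE_HTML = b"<!DOCTYPE html>\n<html><head><title>commits</title></head><body></body></html>"
SAMPLE_TRUNCATED = SAMPLE_APK[:-40]   # EOCD record missing, e.g. an interrupted download


def check_file(path: str) -> str:
    """Classify a file on disk; run this on the download before `adb install`."""
    with open(path, "rb") as fh:
        return classify(fh.read())


if __name__ == "__main__":
    for label, blob in [("apk", SAMPLE_APK), ("html", SAMPLE_HTML), ("truncated", SAMPLE_TRUNCATED)]:
        print(f"{label:10s} -> {classify(blob)}")
```

Running `check_file("HelloWord-JNI.apk")` on the wget output versus the cloned copy would show immediately whether the two files differ in kind (a non-ZIP download) or only in completeness (a ZIP with its tail cut off), which is the distinction adb's single INSTALL_FAILED_INVALID_APK code hides.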

commjoen commented 6 years ago

You're welcome @MrM0nkey !