Closed lberrymage closed 2 years ago
Status update: progress is very good. The library (apkstat) can extract Android manifests and resource tables from APKs and resolve resource table references when converting binary XML to text. There's a simple helper CLI which prints the Android manifest (or arbitrary binary XML, but that's not pretty-printed) of an APK as text.
There are a few bugs around resolving resource references usually encountered when parsing APKs which support multiple languages. These should slowly be weeded out as apkstat's parsing logic becomes closer to AOSP's. apkstat's code left out portions of the AOSP logic initially so that an initial PoC could be tested and improved upon gradually rather than translating thousands of LoC at once and hoping it works. It's now at the point where it mostly works as intended and the gaps should be filled with further translation of upstream code.
Not all Android manifest fields are supported yet, but I'm adding them incrementally to catch discrepancies between input and expected output.
Signature parsing is not supported yet and won't be for a while if it ever is supported. The developer portal doesn't have much of a use for it since app signers are validated locally to distrust the server and apksigner works fine enough for that.
I believe apkstat is already more robust than, more complete than, and has a better API than https://github.com/shogo82148/androidbinary (which was very helpful in getting apkstat off the ground by the way. Thanks to Ichinose Shogo for permissively licensing said project).
The repo is published at https://github.com/accrescent/apkstat.
The Accrescent developer portal needs to parse uploaded apps for version codes, version names, requested permissions, target SDKs, etc. to display to reviewers and populate repository metadata. No well-maintained Go library exists to parse compiled app manifests and resource files, so we need to write our own library for this purpose.
This library should also be able to parse (not verify) v3(.1)/v4 app signatures and whatever string resources are deemed necessary.
We may want to integrate Google's apksig test suite similar to how Avast does to ensure the signature parser is robust.
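As an added illustration of the defensive parsing a portal that ingests untrusted APKs needs (this is example code written for this page, not apkstat's code or anything from the issue): a minimal Go walker over the ResChunk_header records that make up Android binary XML, which validates every declared size before slicing so a malformed upload produces an error rather than a panic. The chunk layout follows AOSP's ResourceTypes.h; the sample bytes are constructed here, not taken from a real APK.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Chunk is one decoded ResChunk_header (AOSP ResourceTypes.h): Type is the chunk
// type (0x0003 RES_XML_TYPE, 0x0001 RES_STRING_POOL_TYPE, ...), Body the payload.
type Chunk struct {
	Type uint16
	Body []byte
}

// WalkChunks splits data into consecutive chunks, checking every declared size
// against the buffer so a malformed file yields an error, not a panic. On a whole
// file it yields the RES_XML_TYPE chunk; on that chunk's Body, its children.
func WalkChunks(data []byte) ([]Chunk, error) {
	var out []Chunk
	for off := 0; off < len(data); {
		if len(data)-off < 8 {
			return nil, fmt.Errorf("truncated chunk header at offset %d", off)
		}
		typ := binary.LittleEndian.Uint16(data[off:])
		hdr := int(binary.LittleEndian.Uint16(data[off+2:]))
		size := binary.LittleEndian.Uint32(data[off+4:])
		// headerSize must cover the fixed 8 bytes and fit inside size, which must fit
		// in the remaining buffer; size >= 8 also rules out a zero-size infinite loop.
		if hdr < 8 || uint32(hdr) > size || size > uint32(len(data)-off) {
			return nil, fmt.Errorf("chunk 0x%04x at %d: bad sizes header=%d size=%d", typ, off, hdr, size)
		}
		out = append(out, Chunk{typ, data[off+hdr : off+int(size)]})
		off += int(size)
	}
	return out, nil
}

// Constructed sample, not from a real APK: a RES_XML_TYPE chunk wrapping an empty string pool.
var SampleAXML = []byte{
	0x03, 0x00, 0x08, 0x00, 0x24, 0x00, 0x00, 0x00, // RES_XML_TYPE, headerSize 8, size 36
	0x01, 0x00, 0x1c, 0x00, 0x1c, 0x00, 0x00, 0x00, // RES_STRING_POOL_TYPE, headerSize 28, size 28
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x1c, 0, 0, 0, 0, 0, 0, 0, // counts, flags, stringsStart=28, stylesStart=0
}

func main() {
	top, _ := WalkChunks(SampleAXML)
	kids, _ := WalkChunks(top[0].Body)
	// Constructed malformed input: a chunk claiming 0x7fffffff bytes is rejected, not sliced.
	_, err := WalkChunks([]byte{0x03, 0x00, 0x08, 0x00, 0xff, 0xff, 0xff, 0x7f})
	fmt.Printf("inner chunk type 0x%04x; malformed input: %v\n", kids[0].Type, err)
}
```

A real parser would go on to decode the string pool and resource map so that attribute references such as `@string/app_name` can be resolved, but every such step should keep bounds-checking declared offsets against the buffer the same way.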