Closed anilatx closed 3 years ago
Could apk-mitm use no-res, or does it need patching resources?
It does unfortunately patch some resources (AndroidManifest.xml and network_security_config.xml), but maybe there's a way to selectively only decode and encode those two files and just keep the rest exactly the same. This might be challenging since all resources are in a single file (resources.arsc), but I've never used AAPT/AAPT2 manually, so I'm not sure. Feel free to look into this if you want.
Hi @anilatx, may I know how and where you put the following command?
apktool --use-aapt2 --no-res
I face similar issues and didn't know where to put that. Thanks!!
Hi @anilatx, may I know how and where you put the following command?
apktool --use-aapt2 --no-res
This command won't help you with your issue. It's just running apktool (one of the programs apk-mitm is based on) with different settings that make it impossible to edit the app's resources. Without editing the resources the app can't be patched, so you won't be able to intercept its traffic.
I face similar issues
Could you post the full error message you're getting?
Sure, here is the error message
npx apk-mitm gojek.apk
npx: installed 126 in 11.742s
╭ apk-mitm v0.8.1
├ apktool v2.4.1
╰ uber-apk-signer v1.1.0
Using temporary directory:
/tmp/63e04a7b1101016acd0febcc54700740
✔ Downloading tools
✔ Decoding APK file
✔ Modifying app manifest
✔ Modifying network security config
✔ Disabling certificate pinning
❯ Encoding patched APK file
↓ Encoding using AAPT2 [skipped]
→ Failed, falling back to AAPT...
✖ Encoding using AAPT [fallback]
→ I: Building resources...
Signing patched APK file
Failed! An error occurred:
I: Using Apktool 2.4.1
I: Checking whether sources has changed...
I: Checking whether sources has changed...
...
I: Checking whether sources has changed...
I: Checking whether resources has changed...
I: Building resources...
brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 1): [/tmp/brut_util_Jar_4281346303341505678.tmp, p, --forced-package-id, 127, --min-sdk-version, 21, --target-sdk-version, 28, --version-code, 4022, --version-name, 4.2.2, --no-version-vectors, -F, /tmp/APKTOOL2762705306010814363.tmp, -e, /tmp/APKTOOL17732865928305482790.tmp, -0, arsc, -I, <tmp_dir>/framework/1.apk, -S, <tmp_dir>/decode/res, -M, <tmp_dir>/decode/AndroidManifest.xml]
W: invalid resource directory name: <tmp_dir>/decode/res navigation
@shroudedcode Hi, any update on this issue?
@FahmiRR I just released a new version of apk-mitm that outputs the full logs of all processes in the temporary directory. Could you try patching the APK again with the new version and post the contents of encoding-aapt2.failed.log here? From my research it seems like the "invalid resource directory name: <tmp_dir>/decode/res navigation" error only occurs with AAPT which apk-mitm only uses when AAPT2 fails. Hence, AAPT2 is probably giving you a more relevant error, but it's not shown by default.
@anilatx If you're still interested in solving your issue, you can try this too: Try patching your APK again with the new version and then post the contents of encoding-aapt2.failed.log.
@anilatx If you're still interested in solving your issue, you can try this too: Try patching your APK again with the new version and then post the contents of encoding-aapt2.failed.log.
[...]
W: /tmp/7800215e0f8f12b4338105fe0dd07b2a/decode/res/values/arrays.xml:307: error: invalid value for type 'array'. Expected a reference.
W: /tmp/7800215e0f8f12b4338105fe0dd07b2a/decode/res/values/arrays.xml: error: file failed to compile.
W: /tmp/7800215e0f8f12b4338105fe0dd07b2a/decode/res/values/public.xml:4896: error: resource 'drawable/$avd_hide_password__0' has invalid entry name '$avd_hide_password__0'. Invalid character '$avd_hide_password__0'.
W: /tmp/7800215e0f8f12b4338105fe0dd07b2a/decode/res/values/public.xml:4897: error: resource 'drawable/$avd_hide_password__1' has invalid entry name '$avd_hide_password__1'. Invalid character '$avd_hide_password__1'.
https://github.com/DexPatcher/dexpatcher-gradle/issues/24 claims to solve it, but I don't know if this could be ported to apk-mitm
Hi @shroudedcode sorry for late reply, hectic week.
Here goes the log
$ cat encoding-aapt2.failed.log
I: Using Apktool 2.4.1
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes19 folder into classes19.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes15 folder into classes15.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes31 folder into classes31.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes23 folder into classes23.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes2 folder into classes2.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes6 folder into classes6.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes33 folder into classes33.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes24 folder into classes24.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes13 folder into classes13.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes34 folder into classes34.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes3 folder into classes3.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes32 folder into classes32.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes5 folder into classes5.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes22 folder into classes22.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes25 folder into classes25.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes16 folder into classes16.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes8 folder into classes8.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes21 folder into classes21.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes18 folder into classes18.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes27 folder into classes27.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes7 folder into classes7.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes36 folder into classes36.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes10 folder into classes10.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes26 folder into classes26.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes28 folder into classes28.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes29 folder into classes29.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes35 folder into classes35.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes37 folder into classes37.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes30 folder into classes30.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes12 folder into classes12.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes38 folder into classes38.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes4 folder into classes4.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes20 folder into classes20.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes17 folder into classes17.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes9 folder into classes9.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes14 folder into classes14.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes39 folder into classes39.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes11 folder into classes11.dex...
I: Checking whether resources has changed...
I: Building resources...
W: /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res/values-anydpi-v26/mipmaps.xml:3: error: invalid value for type 'mipmap'. Expected a reference.
W: /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res/values-anydpi-v26/mipmaps.xml:4: error: invalid value for type 'mipmap'. Expected a reference.
W: /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res/values-anydpi-v26/mipmaps.xml:5: error: invalid value for type 'mipmap'. Expected a reference.
W: /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res/values-anydpi-v26/mipmaps.xml:6: error: invalid value for type 'mipmap'. Expected a reference.
W: /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res/values-anydpi-v26/mipmaps.xml: error: file failed to compile.
W: /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res/values-h650dp/layouts.xml:3: error: invalid value for type 'layout'. Expected a reference.
W: /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res/values-h650dp/layouts.xml: error: file failed to compile.
W: /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res/values-hdpi/mipmaps.xml:3: error: invalid value for type 'mipmap'. Expected a reference.
W: /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res/values-hdpi/mipmaps.xml:4: error: invalid value for type 'mipmap'. Expected a reference.
W: /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res/values-hdpi/mipmaps.xml:5: error: invalid value for type 'mipmap'. Expected a reference.
W: /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res/values-hdpi/mipmaps.xml:6: error: invalid value for type 'mipmap'. Expected a reference.
W: /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res/values-hdpi/mipmaps.xml:7: error: invalid value for type 'mipmap'. Expected a reference.
W: /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res/values-hdpi/mipmaps.xml:8: error: invalid value for type 'mipmap'. Expected a reference.
W: /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res/values-hdpi/mipmaps.xml:9: error: invalid value for type 'mipmap'. Expected a reference.
W: /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res/values-hdpi/mipmaps.xml:10: error: invalid value for type 'mipmap'. Expected a reference.
W: /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res/values-hdpi/mipmaps.xml:11: error: invalid value for type 'mipmap'. Expected a reference.
W: /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res/values-hdpi/mipmaps.xml: error: file failed to compile.
W: /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res/values-land/layouts.xml:3: error: invalid value for type 'layout'. Expected a reference.
W: /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res/values-land/layouts.xml:4: error: invalid value for type 'layout'. Expected a reference.
W: /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res/values-land/layouts.xml:5: error: invalid value for type 'layout'. Expected a reference.
brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 1): [/tmp/brut_util_Jar_11508554350032246091.tmp, compile, --dir, /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/res, --legacy, -o, /tmp/69ecfd4c0bb316e2fb426a41a1cfab2d/decode/build/resources.zip]
Just want to chime in here @shroudedcode as I'm facing the same issue. Here are the logs:
┌──(kali㉿kali)-[/mnt/hgfs/work/XXXXX_XXX/PENTEST]
└─$ apk-mitm app.apk 1 ⨯
╭ apk-mitm v0.9.0
├ apktool v2.4.1
╰ uber-apk-signer v1.1.0
Using temporary directory:
/tmp/3e0cac3f801457c7d41e3e07be1cb816
✔ Downloading tools
✔ Decoding APK file
✔ Modifying app manifest
✔ Modifying network security config
✔ Disabling certificate pinning
❯ Encoding patched APK file
↓ Encoding using AAPT2 [skipped]
→ Failed, falling back to AAPT...
✖ Encoding using AAPT [fallback]
→ I: Building resources...
Signing patched APK file
Failed! An error occurred:
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
I: Using Apktool 2.4.1
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether resources has changed...
I: Building resources...
W: invalid resource directory name: <tmp_dir>/decode/res navigation
brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 1): [/tmp/brut_util_Jar_15478912897082401338.tmp, p, --forced-package-id, 127, --min-sdk-version, 24, --target-sdk-version, 30, --version-code, 539, --version-name, 3.6.0.7-test, --no-version-vectors, -F, /tmp/APKTOOL1971199918371301395.tmp, -e, /tmp/APKTOOL760420667504589689.tmp, -0, arsc, -I, <tmp_dir>/framework/1.apk, -S, <tmp_dir>/decode/res, -M, <tmp_dir>/decode/AndroidManifest.xml]
The full logs of all commands are available here:
/tmp/3e0cac3f801457c7d41e3e07be1cb816/logs
Full logs:
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
I: Using Apktool 2.4.1
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes3 folder into classes3.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes8 folder into classes8.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes4 folder into classes4.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes6 folder into classes6.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes7 folder into classes7.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes5 folder into classes5.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes2 folder into classes2.dex...
I: Checking whether resources has changed...
I: Building resources...
W: /tmp/3e0cac3f801457c7d41e3e07be1cb816/decode/res/values/public.xml:2326: error: resource 'drawable/$avd_hide_password__0' has invalid entry name '$avd_hide_password__0'. Invalid character '$avd_hide_password__0'.
W: /tmp/3e0cac3f801457c7d41e3e07be1cb816/decode/res/values/public.xml:2327: error: resource 'drawable/$avd_hide_password__1' has invalid entry name '$avd_hide_password__1'. Invalid character '$avd_hide_password__1'.
W: /tmp/3e0cac3f801457c7d41e3e07be1cb816/decode/res/values/public.xml:2328: error: resource 'drawable/$avd_hide_password__2' has invalid entry name '$avd_hide_password__2'. Invalid character '$avd_hide_password__2'.
W: /tmp/3e0cac3f801457c7d41e3e07be1cb816/decode/res/values/public.xml:2329: error: resource 'drawable/$avd_show_password__0' has invalid entry name '$avd_show_password__0'. Invalid character '$avd_show_password__0'.
W: /tmp/3e0cac3f801457c7d41e3e07be1cb816/decode/res/values/public.xml:2330: error: resource 'drawable/$avd_show_password__1' has invalid entry name '$avd_show_password__1'. Invalid character '$avd_show_password__1'.
W: /tmp/3e0cac3f801457c7d41e3e07be1cb816/decode/res/values/public.xml:2331: error: resource 'drawable/$avd_show_password__2' has invalid entry name '$avd_show_password__2'. Invalid character '$avd_show_password__2'.
W: /tmp/3e0cac3f801457c7d41e3e07be1cb816/decode/res/values/public.xml:2332: error: resource 'drawable/$seekbar_thumb_animation__0' has invalid entry name '$seekbar_thumb_animation__0'. Invalid character '$seekbar_thumb_animation__0'.
W: /tmp/3e0cac3f801457c7d41e3e07be1cb816/decode/res/values/public.xml:2333: error: resource 'drawable/$seekbar_thumb_animation__1' has invalid entry name '$seekbar_thumb_animation__1'. Invalid character '$seekbar_thumb_animation__1'.
W: /tmp/3e0cac3f801457c7d41e3e07be1cb816/decode/res/values/public.xml:2334: error: resource 'drawable/$seekbar_thumb_animation_backward__0' has invalid entry name '$seekbar_thumb_animation_backward__0'. Invalid character '$seekbar_thumb_animation_backward__0'.
W: /tmp/3e0cac3f801457c7d41e3e07be1cb816/decode/res/values/public.xml:2335: error: resource 'drawable/$seekbar_thumb_animation_backward__1' has invalid entry name '$seekbar_thumb_animation_backward__1'. Invalid character '$seekbar_thumb_animation_backward__1'.
W: /tmp/3e0cac3f801457c7d41e3e07be1cb816/decode/res/values/public.xml:2336: error: resource 'drawable/$seekbar_thumb_animation_backward__2' has invalid entry name '$seekbar_thumb_animation_backward__2'. Invalid character '$seekbar_thumb_animation_backward__2'.
W: brut_util_Jar_970645252944035523.tmp W 11-05 03:30:19 10865 10865 ApkAssets.cpp:137] resources.arsc in APK '/tmp/3e0cac3f801457c7d41e3e07be1cb816/framework/1.apk' is compressed.
W: /tmp/3e0cac3f801457c7d41e3e07be1cb816/decode/AndroidManifest.xml:37: error: unexpected element <queries> found in <manifest>.
brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 1): [/tmp/brut_util_Jar_970645252944035523.tmp, link, -o, /tmp/APKTOOL5923173243939730902.tmp, --package-id, 127, --min-sdk-version, 24, --target-sdk-version, 30, --version-code, 539, --version-name, 3.6.0.7-test, --no-auto-version, --no-version-vectors, --no-version-transitions, --no-resource-deduping, -e, /tmp/APKTOOL2832529745531389219.tmp, -0, arsc, -I, /tmp/3e0cac3f801457c7d41e3e07be1cb816/framework/1.apk, --manifest, /tmp/3e0cac3f801457c7d41e3e07be1cb816/decode/AndroidManifest.xml, /tmp/3e0cac3f801457c7d41e3e07be1cb816/decode/build/resources.zip]
I'm running this under latest stable MacOS as host in a Kali as a guest sys.
I can guess two reasons:
I haven't commented on this issue in a while now, but that's not because I haven't been trying to fix it. It's just that even after many hours of research I'm still not sure what's going on. Here's what I know so far, maybe this is helpful to some of you:
apk-mitm. They also occur when Apktool, which apk-mitm is built on, is used by itself to decode and then re-encode an APK without making any changes.
Here are my two main theories about possible causes for this issue at the moment:
Apktool is incorrectly decoding the resources. I haven't looked into how exactly Apktool decodes resources yet, so I don't know how likely this is, but if this was the case, then only Apktool would really be able to implement a fix for this. Either way, I'd recommend all of you to search through Apktool's issues and upvote the ones that have similar error messages to the ones you're getting since this is affecting all Apktool users.
AAPT2 is finding errors that don't actually matter. If this was the case, then instructing it (or modifying its source code) to ignore these errors would be enough to fix this problem. This is, of course, only possible if these errors are just validation errors and don't actually break the encoding process. I'll have to take a closer look at the AAPT2 source code to figure that out. The DexPatcher issue @anilatx linked might be relevant here, but I haven't managed to get DexPatcher working so far (even with the official examples) and at this point I'm not sure I want to anymore (their documentation is lacking to say the least).
I'll continue to investigate this issue, but I can't make any promises that this will ever be fixed. As much as I also want that to happen (I've run into similar problems many times with APKs I wanted to patch myself), I have to admit that this is simply not an area I know a whole lot about. apk-mitm started out as a script to automatically run a couple of commands I've seen in different guides and most of the complicated work is really done by Apktool (which is a codebase that I'm not familiar with at all).
Feel free to do some research on this yourself if you want to (trust me, I really don't have that much of a headstart) and let me know if you find out anything interesting.
@shroudedcode I mistakenly linked correct apktool issue in wrong apk-mitm issue - I believe both https://github.com/shroudedcode/apk-mitm/issues/23 and https://github.com/iBotPeaches/Apktool/issues/2271 are about $ in resource name
Solved by 0.9.2.
How can I export log/debug that? So far I identified in logcat:
Root cause (1 of 1)
javax.net.ssl.SSLPeerUnverifiedException: Hostname foo.com not verified:
certificate: sha256/[...]
DN: CN=foo.com,OU=UNTRUSTED SandroProxy,O=UNTRUSTED SandroProxy
subjectAltNames: []
at okhttp3.internal.connection.RealConnection.b(SourceFile:22)
at okhttp3.internal.connection.RealConnection.f(SourceFile:9)
at okhttp3.internal.connection.RealConnection.connect(SourceFile:15)
at okhttp3.internal.connection.ExchangeFinder.c(SourceFile:32)
at okhttp3.internal.connection.ExchangeFinder.d(SourceFile:1)
at okhttp3.internal.connection.ExchangeFinder.b(SourceFile:6)
at okhttp3.internal.connection.Transmitter.e(SourceFile:5)
at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:5)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:10)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:1)
at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:22)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:10)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:1)
at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:22)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:10)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:6)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:10)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:1)
at com.myapp.base.network.interceptor.ImageProfilingNetworkInterceptor.intercept(SourceFile:5)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:10)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:1)
at com.myapp.base.network.interceptor.ImageCacheInterceptor.intercept(SourceFile:3)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:10)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:1)
at okhttp3.RealCall.e(SourceFile:13)
at okhttp3.RealCall$AsyncCall.execute(SourceFile:2)
at okhttp3.internal.NamedRunnable.run(SourceFile:3)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1162)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:636)
at java.lang.Thread.run(Thread.java:764)
I'm closing this because many of the problems discussed in this issue are both entirely unrelated and can only be solved upstream in Apktool. In my previous comment I was hinting at the possibility of some of these issues being fixed downstream in apk-mitm, but I have to admit that I no longer think that's feasible. All issues related to decoding and encoding (as long as they're not related to files that apk-mitm has created or modified) should be reported to Apktool's issue tracker.
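A triage pass over an Apktool/AAPT2 build log like the ones posted in this thread, as an added example (not part of the thread and not apk-mitm's or Apktool's code): it groups the warnings by the error kinds seen in this issue, with the random temporary directory stripped, so a report can be matched against existing Apktool issues. The sample log is constructed, and the category names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, shaped like the log lines quoted in this thread
# (temporary directory name and line numbers are made up).
SAMPLE_LOG = """\
I: Using Apktool 2.4.1
I: Building resources...
W: /tmp/0123abcd/decode/res/values/arrays.xml:307: error: invalid value for type 'array'. Expected a reference.
W: /tmp/0123abcd/decode/res/values/arrays.xml: error: file failed to compile.
W: /tmp/0123abcd/decode/res/values/public.xml:10: error: resource 'drawable/$avd_hide_password__0' has invalid entry name '$avd_hide_password__0'. Invalid character '$avd_hide_password__0'.
W: /tmp/0123abcd/decode/res/values/public.xml:11: error: resource 'drawable/$avd_hide_password__1' has invalid entry name '$avd_hide_password__1'. Invalid character '$avd_hide_password__1'.
W: /tmp/0123abcd/decode/AndroidManifest.xml:37: error: unexpected element <queries> found in <manifest>.
W: invalid resource directory name: <tmp_dir>/decode/res navigation
"""

# (category, pattern) pairs matched against the message part of a "W:" line.
# Group 1 captures the detail worth reporting (name, type, element, directory).
RULES = [
    ("dollar-in-resource-name", re.compile(r"has invalid entry name '(\$[^']*)'")),
    ("expected-reference", re.compile(r"invalid value for type '([^']+)'\. Expected a reference")),
    ("unexpected-manifest-element", re.compile(r"unexpected element (<[^>]+>) found in")),
    ("invalid-res-directory", re.compile(r"invalid resource directory name: \S+ (\S+)")),
    ("file-failed-to-compile", re.compile(r"file failed to (compile)")),
]

# "W: <path>[:<line>]: error: <message>"
LOCATED = re.compile(r"^W: (?P<path>\S+?)(?::(?P<line>\d+))?: error: (?P<msg>.*)$")


def relative(path):
    """Drop the random temporary directory so logs from different runs compare."""
    marker = "/decode/"
    return path.split(marker, 1)[1] if marker in path else path


def triage(log_text):
    """Return (counts per category, details per category, unclassified W: lines)."""
    counts = Counter()
    details = defaultdict(set)  # category -> {(file or None, detail)}
    unclassified = []
    for raw in log_text.splitlines():
        if not raw.startswith("W: "):
            continue  # I: progress lines and the Java exception carry no new error
        m = LOCATED.match(raw)
        path, msg = (relative(m["path"]), m["msg"]) if m else (None, raw[3:])
        for name, pattern in RULES:
            hit = pattern.search(msg)
            if hit:
                counts[name] += 1
                details[name].add((path, hit.group(1)))
                break
        else:
            unclassified.append(raw)  # keep anything unknown for manual review
    return counts, details, unclassified


def report(log_text):
    """Render the grouped result as text suitable for pasting into a bug report."""
    counts, details, unclassified = triage(log_text)
    lines = []
    for name, n in counts.most_common():
        lines.append(f"{name}: {n}")
        for path, detail in sorted(details[name], key=lambda d: (d[0] or "", d[1])):
            lines.append(f"  {path or '-'}  {detail}")
    lines.append(f"unclassified warnings: {len(unclassified)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```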
I checked and aapt2 fails on invalid references and names that include '$', but following solves it:
Could apk-mitm use no-res, or does it need patching resources?