Run zipalign as last step during APK injection process #7378
Conversation
Running zipalign on an APK after signing and before distribution is considered general best practice. Also, properly aligning an APK makes it less likely to be flagged as suspicious by mobile security solutions. More on zipalign from Google: https://developer.android.com/studio/command-line/zipalign.html
Good change. I'm sceptical that a unzipaligned apk is more suspicious to AV, but it's good practice and reduces the ram usage.
print_status "Poisoning the manifest with meterpreter permissions..\n" | ||
fix_manifest(tempdir) | ||
|
||
print_status "Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}\n" | ||
run_cmd("apktool b -o #{injected_apk} #{tempdir}/original") | ||
print_status "Signing #{injected_apk}\n" | ||
run_cmd("jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey") | ||
print_status "Aligning #{injected_apk}\n" | ||
FileUtils.mv("#{injected_apk}", "#{unaligned_apk}") |
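Review bot: the `jarsigner` line in this hunk signs with `-digestalg SHA1 -sigalg MD5withRSA`; MD5 is a broken digest and current JDKs list it among the disabled JAR signature algorithms, so `-sigalg SHA256withRSA -digestalg SHA-256` would be the safer choice even for the debug key. The step order is right for v1 (JAR) signing: zipalign has to run after jarsigner, as it does here, because JAR signatures cover entry contents rather than the archive layout (with apksigner's v2 scheme the order would be reversed). It is also worth confirming that the zipalign run succeeded before the aligned output is read, since a missing zipalign binary would otherwise surface later as a file-not-found error rather than a clear tool error.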
pedantic but I think we can remove this mv and just do:
run_cmd("zipalign 4 #{injected_apk} #{aligned_apk}")
outputapk = File.read(aligned_apk)
@timwr I'm fine with making this pedantic change. :)
Thanks @timwr ... I agree that this change is worth it for the optimizations alone. On the defensive side, I concede that checking the alignment of an APK, as a quick and easy way to identify a suspicious app, provides limited value.
Doh! Thought we were doing this. Apparently not. :)
Many thanks @dana-at-cp !
@timwr You're very welcome. Looking forward to contributing more to the project.
Release Notes: This fix adds zipalign as a final step in the APK injection process exposed via msfvenom.
This change adds zipalign as a final step in the APK injection process exposed via msfvenom.
Running zipalign on an APK after signing and before distribution
is considered general best practice. Also, properly aligning an APK
makes it less likely to be flagged as suspicious by mobile security
solutions.
More on zipalign from Google:
https://developer.android.com/studio/command-line/zipalign.html
Here is the legitimate APK that I used for testing:
https://www.dropbox.com/s/jnjq8o41uwxazql/Pandora_7.4.apk?dl=0
Verification
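To make concrete what the zipalign step in the description and commit message actually checks and changes, here is an added Python example; it is not part of this pull request or of the msfvenom/Metasploit code. It parses an APK's ZIP structure, lists the uncompressed (STORED) entries whose data does not start on a 4-byte boundary (the condition `zipalign -c -v 4` verifies), and re-aligns them by padding the local file header's extra field, which is the same mechanism zipalign relies on. The archive it builds is a constructed stand-in for an injected APK, not a real app, and the names `ALIGN`, `check_alignment`, `align_apk` and `build_sample_apk` are this example's own.

```python
import io
import struct
import zipfile

ALIGN = 4                      # the boundary "zipalign 4 ..." enforces
LOCAL_HEADER_LEN = 30          # fixed part of a ZIP local file header
LOCAL_HEADER_SIG = b"PK\x03\x04"


def stored_entry_data_offsets(apk_bytes):
    """Yield (name, data_offset) for every uncompressed (STORED) entry.

    The central directory only records where each local header starts; the
    local header carries its own name and extra-field lengths (the extra
    field is where zipalign inserts padding), so the data offset is read
    from the local header rather than from the central directory.
    """
    buf = io.BytesIO(apk_bytes)
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            if info.compress_type != zipfile.ZIP_STORED:
                continue  # deflated entries are inflated on use; alignment does not apply
            buf.seek(info.header_offset)
            header = buf.read(LOCAL_HEADER_LEN)
            if header[:4] != LOCAL_HEADER_SIG:
                raise ValueError(f"bad local header for {info.filename!r}")
            name_len, extra_len = struct.unpack_from("<HH", header, 26)
            yield info.filename, info.header_offset + LOCAL_HEADER_LEN + name_len + extra_len


def check_alignment(apk_bytes, align=ALIGN):
    """Return [(name, data_offset), ...] for STORED entries that are misaligned.

    An empty list means the archive would pass `zipalign -c <align>`.
    """
    return [(name, off) for name, off in stored_entry_data_offsets(apk_bytes)
            if off % align != 0]


def align_apk(apk_bytes, align=ALIGN):
    """Rewrite the archive so every STORED entry's data starts on an `align` boundary.

    As zipalign does, alignment is achieved by padding the local header's
    extra field. This toy pads with zero bytes; real zipalign output uses
    its own padding layout, so the two are not byte-identical.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            new = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            new.compress_type = info.compress_type
            if info.compress_type == zipfile.ZIP_STORED:
                # zipfile writes entries sequentially, so the next local
                # header lands at the current end of the output buffer.
                header_offset = out.tell()
                data_start = header_offset + LOCAL_HEADER_LEN + len(info.filename.encode("utf-8"))
                new.extra = b"\x00" * ((-data_start) % align)
            dst.writestr(new, data)
    return out.getvalue()


def build_sample_apk():
    """Constructed stand-in for an injected APK (not a real app).

    Two STORED entries and one DEFLATED entry, laid out so that the manifest
    data starts at offset 49 (misaligned) and resources.arsc at 104 (aligned).
    """
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name, data, method in [
            ("AndroidManifest.xml", b"<manifest/>", zipfile.ZIP_STORED),
            ("resources.arsc", b"\x02\x00\x0c\x00" * 3, zipfile.ZIP_STORED),
            ("classes.dex", b"dex\n035\x00" * 64, zipfile.ZIP_DEFLATED),
        ]:
            info = zipfile.ZipInfo(name, date_time=(2016, 10, 1, 0, 0, 0))
            info.compress_type = method
            zf.writestr(info, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk()
    print("misaligned before:", check_alignment(sample))
    aligned = align_apk(sample)
    print("misaligned after: ", check_alignment(aligned))
    print("data offsets after:", dict(stored_entry_data_offsets(aligned)))
```

On the real tool's output the equivalent check is `zipalign -c -v 4 injected.apk`, which is a cheap thing to run in a build or verification step after signing. Note that the checker deliberately reads the local header rather than trusting the central directory: the two can disagree on extra-field length, and alignment is a property of where the bytes actually sit in the file.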