fix: rename injected entry spec if the name already exists #4043
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Obfuscators can exploit the new missing entry injection to prevent rebuilding by causing entry specs with identical names to be injected.
Example scenario:
res/values/public.xml:
<resources>
<public type="attr" name="existingAttr" id="0x7f010000" />
</resources>
res/values/attrs.xml:
<resources>
<attr name="existingAttr" format="string" />
</resources>
res/layout/issue.xml:
N: android=http://schemas.android.com/apk/res/android (line=2)
N: app=http://schemas.android.com/apk/res-auto (line=2)
E: merge (line=2)
E: TextView (line=4)
A: http://schemas.android.com/apk/res/android:layout_width(0x010100f4)=-2
A: http://schemas.android.com/apk/res/android:layout_height(0x010100f5)=-2
A: http://schemas.android.com/apk/res-auto:existingAttr(0x7f010001)=1
The spec 0x7f010001 is missing and the obfuscator renamed the raw attribute name to "existingAttr", which is already assigned to 0x7f010000.
Apktool will inject a generic spec with the ID 0x7f010001 and the name "existingAttr" - that's a duplicate, and the APK can't be rebuilt.
We patch this hole before obfuscators exploit it.
Collaborator
Author
|
In fact, obfuscators could already have exploited this by renaming entries in the ARSC to some repeated valid name, because we hadn’t enforced name uniqueness until now. |
iBotPeaches
approved these changes
Dec 12, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Obfuscators can exploit the new missing entry injection to prevent rebuilding by causing entry specs with identical names to be injected.
Example scenario:
res/values/public.xml:
res/values/attrs.xml:
res/layout/issue.xml:
The spec 0x7f010001 is missing and the obfuscator renamed the raw attribute name to "existingAttr", which is already assigned to 0x7f010000.
Apktool will inject a generic spec with the ID 0x7f010001 and the name "existingAttr" - that's a duplicate, and the APK can't be rebuilt.
We patch this hole before obfuscators exploit it.