Great to see you're adopting some of the #security features we've implemented earlier this year at #IzzyOnDroid @fdroidorg! Maybe you want to check our documentation on them?
android.izzysoft.de/articles/n…
* it's SIGNING blocks, not FROSTING blocks
* MEITUAN is about payload, not metadata
* there's no fixed number of blocks as your code assumes (gitlab.com/fdroid/fdroidserver…)
The article you link to (bi-zone.medium.com/easter-egg-…) tells you the same :wink:
Easter Egg in APK Files: What Is Frosting - BI.ZONE - Medium
IzzyOnDroid ✅
Only what you call "Google metadata" (0x2146444E) is the Google Play Frosting Block, neither the DEPENDENCY_INFO_BLOCK (0x504b4453) nor the MEITUAN_APK_CHANNEL_BLOCK (0x71777777) are. And Meituan calls their block Payload themselves:
github.com/search?q=repo%3AMei…
IzzyOnDroid ✅
PS: you can find our corresponding code here:
gitlab.com/IzzyOnDroid/repo/-/…
Note the "UNKNOWN" towards the end of the screenshot, to make sure yet unknown blocks are not missed.
lib/CheckSigningBlocks.py · master · IzzyOnDroid / repo · GitLab
Fay 🏳️🌈
My Android APK signing block payload PoC from Feb 2023 can use either a custom block or hide the payload in the verity padding block.
The IzzyOnDroid scanner will catch either variant, but the F-Droid scanner will miss both.
github.com/obfusk/sigblock-cod…
GitHub - obfusk/sigblock-code-poc: android apk signing block payload poc
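The two points made above (walk every ID-value pair in the APK Signing Block without assuming a fixed count and report unfamiliar IDs as UNKNOWN; treat a verity padding block that is not all zeros as a place a payload can hide) as an added, stand-alone Python example. This is not IzzyOnDroid's CheckSigningBlocks.py and not obfusk's sigblock-code-poc; it is written from the public APK Signing Block layout (uint64 size, ID-value pairs of uint64 length + uint32 ID + value, uint64 size again, the 16-byte magic, all sitting directly before the ZIP central directory). Assumptions: the KNOWN_BLOCK_IDS table contains only the IDs named in the thread plus the v2/v3/v3.1 scheme IDs and the verity padding ID from apksig; the sample "APK" is a constructed blob with a placeholder in front of the signing block and an empty central directory, not a real signed package; and the expectation that verity padding is zero-filled is what apksig writes, so non-zero padding is flagged rather than proven malicious.

```python
import struct

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = 0x06054B50
VERITY_PADDING_BLOCK_ID = 0x42726577

# Assumed table: IDs named in the thread plus the scheme IDs from apksig.
# Anything not listed here is reported as UNKNOWN instead of being skipped.
KNOWN_BLOCK_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x1B93AD61: "APK Signature Scheme v3.1",
    VERITY_PADDING_BLOCK_ID: "Verity padding block",
    0x2146444E: "Google Play Frosting block",
    0x504B4453: "DEPENDENCY_INFO_BLOCK",
    0x71777777: "MEITUAN_APK_CHANNEL_BLOCK (payload)",
}


def find_central_directory_offset(data: bytes) -> int:
    """Scan backwards for the EOCD record (a ZIP comment may follow it)."""
    min_eocd = 22
    start = max(0, len(data) - min_eocd - 0xFFFF)
    for pos in range(len(data) - min_eocd, start - 1, -1):
        if struct.unpack_from("<I", data, pos)[0] == EOCD_SIGNATURE:
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            if pos + min_eocd + comment_len == len(data):
                return struct.unpack_from("<I", data, pos + 16)[0]
    raise ValueError("EOCD record not found")


def parse_signing_block(data: bytes):
    """Return every (id, value) pair in file order; no fixed count is assumed."""
    cd_offset = find_central_directory_offset(data)
    if cd_offset < 24 or data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block in front of the central directory")
    size_in_footer = struct.unpack_from("<Q", data, cd_offset - 24)[0]
    block_start = cd_offset - size_in_footer - 8
    if block_start < 0 or struct.unpack_from("<Q", data, block_start)[0] != size_in_footer:
        raise ValueError("APK Signing Block size fields disagree")
    pairs, pos, end = [], block_start + 8, cd_offset - 24
    while pos < end:
        pair_len = struct.unpack_from("<Q", data, pos)[0]
        pos += 8
        if pair_len < 4 or pos + pair_len > end:
            raise ValueError("malformed ID-value pair")
        block_id = struct.unpack_from("<I", data, pos)[0]
        pairs.append((block_id, data[pos + 4:pos + pair_len]))
        pos += pair_len
    return pairs


def classify(pairs):
    """Label each block; flag verity padding that carries non-zero bytes."""
    findings = []
    for block_id, value in pairs:
        name = KNOWN_BLOCK_IDS.get(block_id, "UNKNOWN")
        note = ""
        if block_id == VERITY_PADDING_BLOCK_ID and any(value):
            note = "non-zero bytes in verity padding (possible hidden payload)"
        findings.append((f"0x{block_id:08x}", name, len(value), note))
    return findings


def scan(data: bytes):
    return classify(parse_signing_block(data))


def build_signing_block(pairs) -> bytes:
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16  # everything after the leading size field
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def build_sample_apk(pairs) -> bytes:
    """Constructed stand-in for an APK: placeholder, signing block, empty CD, EOCD."""
    pre = b"PK\x03\x04" + b"\x00" * 26  # not a real local file entry
    block = build_signing_block(pairs)
    cd_offset = len(pre) + len(block)
    eocd = struct.pack("<IHHHHIIH", EOCD_SIGNATURE, 0, 0, 0, 0, 0, cd_offset, 0)
    return pre + block + eocd


# Constructed sample: a placeholder v2 block, a Meituan channel payload,
# padding that is not zero-filled, and an ID no scanner has a name for.
SAMPLE_PAIRS = [
    (0x7109871A, b"\x00" * 16),
    (0x71777777, b"channel=example"),
    (VERITY_PADDING_BLOCK_ID, b"\x00" * 8 + b"hidden"),
    (0x13371337, b"custom block"),
]

if __name__ == "__main__":
    for block_id, name, length, note in scan(build_sample_apk(SAMPLE_PAIRS)):
        print(f"{block_id}  {name:40s} {length:6d} bytes  {note}")
```

Run against a real package, replace build_sample_apk with the file's bytes; the parser only needs the EOCD and what precedes the central directory, so it works on an unzipped-in-memory APK without touching entry contents.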