Skip to content

Commit af18df1

Browse files
committed
android: update p4a ref
- to include spesmilo/python-for-android@d4432ec see #9215 (comment) - and add a fixme to revisit apkdiff re horrors beyond my comprehension
1 parent 5da46e9 commit af18df1

File tree

2 files changed

+9
-1
lines changed

2 files changed

+9
-1
lines changed

contrib/android/Dockerfile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -190,7 +190,7 @@ RUN cd /opt \
190190
&& /opt/venv/bin/python3 -m pip install --no-build-isolation --no-dependencies -e .
191191

192192
# install python-for-android
193-
ENV P4A_CHECKOUT_COMMIT="7197c1c28409fbeebd8494093349a2bfd770526a"
193+
ENV P4A_CHECKOUT_COMMIT="d4432ec8d07b8521465d6daddd55046fc0413599"
194194
# ^ from branch electrum_20240930 (note: careful with force-pushing! see #8162)
195195
RUN cd /opt \
196196
&& git clone https://github.com/spesmilo/python-for-android \

contrib/android/apkdiff.py

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,14 @@
44
import sys
55
from zipfile import ZipFile
66

7+
8+
# FIXME it is possible to hide data in the apk signing block - and then the application
9+
# can introspect itself at runtime and access that, even execute it as code... :/
10+
# see https://source.android.com/docs/security/features/apksigning/v2#apk-signing-block
11+
# https://android.izzysoft.de/articles/named/iod-scan-apkchecks
12+
# https://github.com/obfusk/sigblock-code-poc
13+
# I think if the app did this kind of introspection, that should be caught by code review,
14+
# but still, note that with this current diff script it is possible to smuggle data in the apk.
715
class ApkDiff:
816
IGNORE_FILES = ["META-INF/MANIFEST.MF", "META-INF/CERT.RSA", "META-INF/CERT.SF"]
917

0 commit comments

Comments
 (0)