2 files changed +9
-1
lines changed Original file line number Diff line number Diff line change @@ -190,7 +190,7 @@ RUN cd /opt \
190
190
&& /opt/venv/bin/python3 -m pip install --no-build-isolation --no-dependencies -e .
191
191
192
192
# install python-for-android
193
- ENV P4A_CHECKOUT_COMMIT="7197c1c28409fbeebd8494093349a2bfd770526a "
193
+ ENV P4A_CHECKOUT_COMMIT="d4432ec8d07b8521465d6daddd55046fc0413599 "
194
194
# ^ from branch electrum_20240930 (note: careful with force-pushing! see #8162)
195
195
RUN cd /opt \
196
196
&& git clone https://github.com/spesmilo/python-for-android \
Original file line number Diff line number Diff line change 4
4
import sys
5
5
from zipfile import ZipFile
6
6
7
+
8
+ # FIXME it is possible to hide data in the apk signing block - and then the application
9
+ # can introspect itself at runtime and access that, even execute it as code... :/
10
+ # see https://source.android.com/docs/security/features/apksigning/v2#apk-signing-block
11
+ # https://android.izzysoft.de/articles/named/iod-scan-apkchecks
12
+ # https://github.com/obfusk/sigblock-code-poc
13
+ # I think if the app did this kind of introspection, that should be caught by code review,
14
+ # but still, note that with this current diff script it is possible to smuggle data in the apk.
7
15
class ApkDiff :
8
16
IGNORE_FILES = ["META-INF/MANIFEST.MF" , "META-INF/CERT.RSA" , "META-INF/CERT.SF" ]
9
17
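Review bot: The added FIXME documents the gap but leaves it open: nothing in the script inspects the APK Signing Block, so whatever the comparison does per zip entry (the `ZipFile` import and `IGNORE_FILES` suggest an entry-by-entry diff, but the body of `ApkDiff` is outside the hunk) says nothing about the bytes between the last local entry and the central directory. A cheap mitigation that does not rely on code review catching runtime self-introspection is to parse that block in both APKs and fail on any ID-value pair whose ID is not one of the expected signature-scheme IDs, comparing the list of (id, length) pairs rather than raw bytes, since the two APKs are presumably not signed identically (`META-INF/CERT.RSA` is already ignored). The helper below returns those pairs; it needs `import struct`, and `ZipFile.start_dir` is an undocumented attribute, so the use deserves a comment and a test against a known APK. The `ApkDiff` class starting at new line 15 continues past the end of the hunk.
```python
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"


def apk_signing_block_ids(path: str) -> list[tuple[int, int]]:
    """Return (id, length) for each ID-value pair in the APK Signing Block, or [] if there is none."""
    with ZipFile(path) as zf:
        cd_offset = zf.start_dir  # undocumented: offset of the central directory; the sig block ends right before it
    if cd_offset < 32:
        return []
    with open(path, "rb") as f:
        f.seek(cd_offset - 24)
        size_lo, magic = struct.unpack("<Q16s", f.read(24))
        if magic != APK_SIG_BLOCK_MAGIC:
            return []
        block_start = cd_offset - size_lo - 8  # leading "size of block" field is not counted in size_lo
        f.seek(block_start)
        (size_hi,) = struct.unpack("<Q", f.read(8))
        if size_hi != size_lo:
            raise ValueError(f"corrupt APK Signing Block in {path}")
        pairs = f.read(size_lo - 24)  # everything up to the trailing size + magic
    ids = []
    off = 0
    while off < len(pairs):
        length, block_id = struct.unpack_from("<QI", pairs, off)
        ids.append((block_id, length))
        off += 8 + length
    return ids
```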