Apktool

Apktool copied to clipboard

Per deprecation note, this feature will be removed in Apktool ~v2.5.0~ v2.6.0 due to stricter Android builds making it useless.

Could you please specfiy what change in newer android builds breaks this function? I am unable to find any documentation about it online.

@KevinX8 https://source.android.com/security/apksigning#schemes

Injection of files without resigning application will not work without taking out layers of AOSP security with modified ROMs. So best choice of action is to remove the feature to prevent confusion.

@KevinX8 https://source.android.com/security/apksigning#schemes

Injection of files without resigning application will not work without taking out layers of AOSP security with modified ROMs. So best choice of action is to remove the feature to prevent confusion.

Hmm well could you add a warning that the features doesn't work on apps that use v3 or higher instead as the feature is still useful for apps on v2 or lower, which for some reason some app developers still use eg YouTube.

I hate to be annoying but is it possible this feature could be left in apktool? I know V2 and V3 signing makes it redundant but it's still very useful for people trying to mod their system apps (framework-res.apk, SystemUI.apk, ETC). I've yet to encounter any roms where those files are signed with either the V2 or V3 methods.

It's not a major problem if the feature is removed, we can get around it, but it's really handy to have the option there.

As Kevin said, YouTube still uses V1, which makes it handy to modify and add layers to it, can you put a warning for apps that use V3 and higher so it won't break anything and feature will still persist in app

So...is this still set to be removed? It's a useful feature but I do see how it can confuse people.

I'll delay it till 2.6. Should be about 1-1.5 years.

I never did reply to this..

Thank you for delaying the removal. It's very helpful.

Updated tool to reflect delay to 2.6 - https://github.com/iBotPeaches/Apktool/commit/94e224ee3f7ec456ace7ce153d28ab1435de03c8

I renamed 2.5.1 to 2.6.0 and after 2.6.0. Apktool is going in 2 branch directions

• 2.6.1 - fixes release in 1-4 months after 2.6.0
• 3.0.0 - big picture, removable of aapt1, redo option handling for easier maven use, redo cli, breaking changes

tldr - marking this 3.0.0.

I never used it anyway,
copying the original META-INF is a must step anyway, since vendors are keeping there all kind of cr^p for years now, some just licenses and sh!t, some actual their own type of verifications. (I never had to use the original android manifest xml though, but if I did I would have do it by hand as well). I just remove all the RSA, mf and such, before zipping it all and signing it up again with jarsigner.

I'm new to modding, so I'm not sure I follow the thread. Can the original META-INF folder still be used if other files are modified? And the original app signature will remain intact?

No, the signature won't remain intact, this used to work for apps signed with v2 and below that were installed as system apps but now almost every app has switched to v3+, even YouTube which makes this feature obsolete, we found a completely different method to keep signature intact for vanced here: https://github.com/YTVanced/VancedManager/tree/compose/app/src/main/java/com/vanced/manager/core/installer/util

Is Vanced a mod of the YouTube app? If it is, is your method preserving the signature of Vanced, or of YouTube?

Is Vanced a mod of the YouTube app? If it is, is your method preserving the signature of Vanced, or of YouTube?

Yes, it preserves the signature of stock YouTube so that Google play services will function with vanced but the method will work with any app

Can you be my new best friend? I've been trying to capture network traffic from a Unity game. I've followed tutorials to edit network_security_config.xml. After rebuilding, zipaligning, and signing I've gotten to where I can see https traffic with a proxy but the Google Sign-In fails. I'll look through those files a bit more later to try to understand what they're doing (was looking during work for a bit, but had to give up). I haven't been active in Android Studio since before Kotlin came along and I couldn't find a good resource on the shell commands that were being executed. Can you explain it a bit more or is there a better forum to have this discussion?

Can you be my new best friend? I've been trying to capture network traffic from a Unity game. I've followed tutorials to edit network_security_config.xml. After rebuilding, zipaligning, and signing I've gotten to where I can see https traffic with a proxy but the Google Sign-In fails. I'll look through those files a bit more later to try to understand what they're doing (was looking during work for a bit, but had to give up). I haven't been active in Android Studio since before Kotlin came along and I couldn't find a good resource on the shell commands that were being executed. Can you explain it a bit more or is there a better forum to have this discussion?

Sure we can discuss it further on https://discord.gg/vanced

Seems like the new android 13 release (Pixel 6 Pro) enforces the new signature standards on system apps for me now. I can no longer boot a decompiled/recompiled SystemUIGoogle, even when using original signatures.

Noticed Failed to scan /system_ext/priv-app/SystemUIGoogle: No APK Signature Scheme v2 signature in package /system_ext/priv-app/SystemUIGoogle/SystemUIGoogle.apk in the logcat

No longer deprecating this. Still has uses.