Opened 6 weeks ago

Last modified 35 hours ago

#31992 assigned defect

Remove apktool workaround in #31564

Reported by: gk
Owned by: sisbell
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-rbm, TorBrowserTeam201911
Cc: sisbell, tbb-team
Actual Points:
Parent ID:
Points: 0.25
Reviewer:
Sponsor:

Description

We found a reproducibility issue on Android with the switch to Firefox 68 ESR and the respective toolchain and fixed it by using an apktool downloaded from the Internet. We should remove that workaround and replace it with a better one (e.g. by switching our compile environment to Debian Buster and using the means the distro provides us with).

Change History (16)

comment:1 Changed 6 weeks ago by gk

Note: the switch to Debian 10 (aka Buster) is done in #31130.

comment:2 Changed 6 weeks ago by boklm

See ticket:31564#comment:60 for the apt pinning configuration to install the apktool package from testing.

comment:3 Changed 5 weeks ago by sysrqb

Points: 0.25

comment:4 Changed 5 weeks ago by eighthave

One potential problem with using apktool to assemble actual releases: it is considered a suspicious mark since these reassembly techniques are mostly used by malware: https://rednaga.io/2016/07/31/detecting_pirated_and_malicious_android_apps_with_apkid/

comment:5 Changed 4 weeks ago by sisbell

I tried installing apktool when building the container. I download it

https://deb.debian.org/debian/pool/main/a/apktool/apktool_2.4.0-1_all.deb

and use

dpkg -i ./apktool_2.4.0-1_all.deb

I get a bunch of missing dependencies so I'm not sure this is the simplest approach

apt version: 1.8.2
Selecting previously unselected package apktool.
(Reading database ... 4868 files and directories currently installed.)
Preparing to unpack ./apktool_2.4.0-1_all.deb ...
Unpacking apktool (2.4.0-1) ...
dpkg: dependency problems prevent configuration of apktool:
 apktool depends on aapt; however:
  Package aapt is not installed.
 apktool depends on android-framework-res; however:
  Package android-framework-res is not installed.
 apktool depends on default-jre-headless | java8-runtime-headless; however:
  Package default-jre-headless is not installed.
  Package java8-runtime-headless is not installed.
 apktool depends on libantlr3-runtime-java; however:
  Package libantlr3-runtime-java is not installed.
 apktool depends on libcommons-cli-java; however:
  Package libcommons-cli-java is not installed.
 apktool depends on libcommons-io-java; however:
  Package libcommons-io-java is not installed.
 apktool depends on libcommons-lang3-java; however:
  Package libcommons-lang3-java is not installed.
 apktool depends on libguava-java; however:
  Package libguava-java is not installed.
 apktool depends on libsmali-java (>= 2.2.1); however:
  Package libsmali-java is not installed.
 apktool depends on libstringtemplate-java; however:
  Package libstringtemplate-java is not installed.
 apktool depends on libxmlunit-java; however:
  Package libxmlunit-java is not installed.
 apktool depends on libxpp3-java; however:
  Package libxpp3-java is not installed.
 apktool depends on libyaml-snake-java; however:
  Package libyaml-snake-java is not installed.

dpkg: error processing package apktool (--install):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 apktool

comment:6 Changed 4 weeks ago by gk

Okay, so two questions here:

1) I've been skimming the comments in #31564 again but did not find an answer to my first question in comment:29:ticket:31564: Do we know whether apktool 2.3.4 that comes natively with Buster works or not? https://github.com/iBotPeaches/Apktool/issues/1399 gives conflicting information. If it does work there is no need to do some apktool related gymnastics here.

2) I am a bit confused about the approach of picking a newer apktool .deb in the face of Debian's bug 942019 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942019). How would that .deb work around the problem mentioned there?

Last edited 3 weeks ago by gk

comment:7 in reply to:  6 ; Changed 3 weeks ago by sisbell

Replying to gk:

Okay, so two questions here:

1) I've been skimming the comments in #31564 again but did not find an answer to my first question in comment:29:ticket:31564: Do we know whether apktool 2.3.4 that comes natively with Buster works or not?

The one in buster wasn't working when I tried. It listed as 2.3.4 but all of the dependencies were much older 2.2, so I suspect the packaging was wrong, it wasn't really updated to 2.3.x.

In the downloaded deb we see

 apktool depends on libsmali-java (>= 2.2.1); however:

If we can download 2.3 for these dependencies, it should work

https://github.com/iBotPeaches/Apktool/issues/1399 gives conflicting information. If it does work there is no need to do some apktool related gymnastics here.

2) I am a bit confused about the approach of picking a newer apktool .deb in the face of Debian's bug 942019 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942019). How would that .deb work around the problem mentioned there?

Given the one from the internet works and the one in buster doesn't, it is unlikely to have anything to do with aapt itself (which is the same in both cases), as suggested in the bugreport.

comment:8 in reply to:  7 ; Changed 3 weeks ago by sysrqb

Replying to sisbell:

Replying to gk:
In the downloaded deb we see

 apktool depends on libsmali-java (>= 2.2.1); however:

If we can download 2.3 for these dependencies, it should work

Can we use apt pinning like eighthave suggested? There's no reason why we should resolve the dependencies ourselves.

2) I am a bit confused about the approach of picking a newer apktool .deb in the face of Debian's bug 942019. How would that .deb work around the problem mentioned there? https://packages.debian.org/sid/apktool

Given the one from the internet works and the one in buster doesn't, it is unlikely to have anything to do with aapt itself (which is the same in both cases), as suggested in the bugreport.

It seems like there was already an upstream bugreport which was closed as not-a-bug.
https://github.com/iBotPeaches/Apktool/issues/2149

But I don't know enough to say where the bug is.

comment:9 in reply to:  8 Changed 3 weeks ago by sisbell

Replying to sysrqb:

Replying to sisbell:

Replying to gk:
In the downloaded deb we see

 apktool depends on libsmali-java (>= 2.2.1); however:

If we can download 2.3 for these dependencies, it should work

Can we use apt pinning like eighthave suggested? There's no reason why we should resolve the dependencies ourselves.

Initially, this was the approach I was taking but with openjdk, I ran into various issues with pinning (see #31130). boklm's suggestion was to just download and install the deb and packages directly. So far this is looking cleaner and I'm implementing it now for openjdk. I'd like to keep the same approach with apktool and openjdk, if possible.

2) I am a bit confused about the approach of picking a newer apktool .deb in the face of Debian's bug 942019. How would that .deb work around the problem mentioned there? https://packages.debian.org/sid/apktool

Given the one from the internet works and the one in buster doesn't, it is unlikely to have anything to do with aapt itself (which is the same in both cases), as suggested in the bugreport.

It seems like there was already an upstream bugreport which was closed as not-a-bug.
https://github.com/iBotPeaches/Apktool/issues/2149

But I don't know enough to say where the bug is.

comment:10 in reply to:  7 Changed 3 weeks ago by gk

Replying to sisbell:

Replying to gk:

Okay, so two questions here:

1) I've been skimming the comments in #31564 again but did not find an answer to my first question in comment:29:ticket:31564: Do we know whether apktool 2.3.4 that comes natively with Buster works or not?

The one in buster wasn't working when I tried. It listed as 2.3.4 but all of the dependencies were much older 2.2, so I suspect the packaging was wrong, it wasn't really updated to 2.3.x.

What error did you get when trying with 2.3.4?

In the downloaded deb we see

 apktool depends on libsmali-java (>= 2.2.1); however:

If we can download 2.3 for these dependencies, it should work

What makes you believe the packaging was wrong? apktool depends for instance on aapt (1:8.1.0+r23-3), so why can't it depend on libsmali-java (>= 2.2.1)?

comment:11 in reply to:  7 ; Changed 3 weeks ago by gk

Replying to sisbell:

Replying to gk:

[snip]

2) I am a bit confused about the approach of picking a newer apktool .deb in the face of Debian's bug 942019 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942019). How would that .deb work around the problem mentioned there?

Given the one from the internet works and the one in buster doesn't, it is unlikely to have anything to do with aapt itself (which is the same in both cases), as suggested in the bugreport.

Could you expand on that comment as I don't understand how it addresses my question? How are we avoiding the problem if we download the .deb with all dependencies from Debian if using that .deb is problematic?

comment:12 in reply to:  11 ; Changed 3 weeks ago by sisbell

Replying to gk:

Replying to sisbell:

Replying to gk:

[snip]

2) I am a bit confused about the approach of picking a newer apktool .deb in the face of Debian's bug 942019 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942019). How would that .deb work around the problem mentioned there?

Given the one from the internet works and the one in buster doesn't, it is unlikely to have anything to do with aapt itself (which is the same in both cases), as suggested in the bugreport.

Could you expand on that comment as I don't understand how it addresses my question? How are we avoiding the problem if we download the .deb with all dependencies from Debian if using that .deb is problematic?

ApkTool is really just a wrapper around a bunch of other libraries. It's the dependent libraries we need to update. For example, we know that the deb will use smali-lib 2.2.1 (which is part of the set of older libraries with the problem) but is compatible with 2.3. So I was thinking if we can install something like libsmali-java 2.3, ApkTool should work.

comment:13 in reply to:  12 Changed 3 weeks ago by boklm

Replying to sisbell:

Replying to gk:

Replying to sisbell:

Replying to gk:

[snip]

2) I am a bit confused about the approach of picking a newer apktool .deb in the face of Debian's bug 942019 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942019). How would that .deb work around the problem mentioned there?

Given the one from the internet works and the one in buster doesn't, it is unlikely to have anything to do with aapt itself (which is the same in both cases), as suggested in the bugreport.

Could you expand on that comment as I don't understand how it addresses my question? How are we avoiding the problem if we download the .deb with all dependencies from Debian if using that .deb is problematic?

ApkTool is really just a wrapper around a bunch of other libraries. It's the dependent libraries we need to update. For example, we know that the deb will use smali-lib 2.2.1 (which is part of the set of older libraries with the problem) but is compatible with 2.3. So I was thinking if we can install something like libsmali-java 2.3, ApkTool should work.

What makes you say that the issue is with the smali version?

When I unzip the apktool_2.4.0.jar we currently use, I can see that the file smali.properties contains:

application.version=2.2.6

So it seems that apktool_2.4.0.jar includes smali version 2.2.6. And the libsmali-java package in buster is version 2.2.6 too, so it looks like we are using the same smali version in both cases.

comment:14 in reply to:  7 Changed 3 weeks ago by boklm

Replying to sisbell:

Given the one from the internet works and the one in buster doesn't, it is unlikely to have anything to do with aapt itself (which is the same in both cases), as suggested in the bugreport.

Is aapt really the same in both cases?

I see that apktool_2.4.0.jar includes some files like prebuilt/linux/aapt_64, which looks like a build of aapt. However I don't know which version it is.
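
Added example, not part of the ticket or of the Tor Browser build scripts: one way to script the inspection described in comment:13 and comment:14, reading `application.version` from every bundled `.properties` file and hashing everything under `prebuilt/` so the jar's contents can be compared with the distro packages. The function names and the in-memory sample jar are constructed for illustration; only the paths `smali.properties` and `prebuilt/linux/aapt_64` and the version 2.2.6 come from the comments above.

```python
import hashlib
import io
import zipfile


def inspect_jar(jar):
    """Return (versions, binaries) for a jar given as a path or file object.

    versions: {properties file: its application.version value}
    binaries: {path under prebuilt/: SHA-256 hex digest}
    """
    versions, binaries = {}, {}
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.endswith(".properties"):
                text = zf.read(info).decode("utf-8", errors="replace")
                for line in text.splitlines():
                    key, sep, value = line.partition("=")
                    if sep and key.strip() == "application.version":
                        versions[name] = value.strip()
            elif name.startswith("prebuilt/"):
                digest = hashlib.sha256()
                with zf.open(info) as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
                binaries[name] = digest.hexdigest()
    return versions, binaries


def mismatches(versions, distro_versions):
    """Bundled components whose version differs from the distro package."""
    return {name: (bundled, distro_versions.get(name))
            for name, bundled in versions.items()
            if distro_versions.get(name) != bundled}


def make_sample_jar():
    """Constructed stand-in for apktool_2.4.0.jar; the aapt bytes are a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("smali.properties", "application.version=2.2.6\n")
        zf.writestr("prebuilt/linux/aapt_64", b"\x7fELF constructed placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    versions, binaries = inspect_jar(make_sample_jar())
    print(versions, binaries)
    print(mismatches(versions, {"smali.properties": "2.2.6"}))
```

Run against the real jar, the digest for `prebuilt/linux/aapt_64` can be compared with the SHA-256 of the aapt binary shipped by the distro package; a differing digest shows the two are not the same build, though it does not by itself say which version the bundled one is.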

comment:15 Changed 2 weeks ago by sysrqb

Keywords: TorBrowserTeam201911 added

comment:16 Changed 35 hours ago by sysrqb

Cc: tbb-team added
Owner: changed from tbb-team to sisbell
Status: new → assigned