
[BUG] Tag attribute name has invalid character

Open forty875 opened this issue 4 years ago • 10 comments

Information

  1. Apktool Version (apktool -version) - 2.5.0
  2. Operating System (Mac, Linux, Windows) - Windows
  3. APK From? (Playstore, ROM, Other) - Sony Select

Stacktrace/Logcat

### Decompile
I: Using Apktool 2.5.0 on base.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: C:\Users\xxx\AppData\Local\apktool\framework\1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Baksmaling classes2.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
I: Copying META-INF/services directory

### Compile
I: Using Apktool 2.5.0
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes2 folder into classes2.dex...
I: Checking whether resources has changed...
I: Building resources...
W: \AndroidManifest.xml:10: Tag <application> attribute name has invalid character 'O'.
W: \AndroidManifest.xml:10: Tag <application> attribute name has invalid character 'h'.
W: \AndroidManifest.xml:10: Tag <application> attribute name has invalid character ' '.
W: \AndroidManifest.xml:10: Tag <application> attribute name has invalid character '.
W: \AndroidManifest.xml:11: Tag <activity> attribute name has invalid character '
W: '.
W: \AndroidManifest.xml:11: Tag <activity> attribute name has invalid character 'h'.
W: \AndroidManifest.xml:11: Tag <activity> attribute name has invalid character ' '.
W: \AndroidManifest.xml:11: Tag <activity> attribute name has invalid character '
W: '.
W: \AndroidManifest.xml:29: Tag <activity> attribute name has invalid character ''.
W: \AndroidManifest.xml:29: Tag <activity> attribute name has invalid character 'h'.
W: \AndroidManifest.xml:29: Tag <activity> attribute name has invalid character ' '.
W: \AndroidManifest.xml:29: Tag <activity> attribute name has invalid character ''.
I: Copying libs... (/lib)
I: Copying libs... (/kotlin)
I: Copying libs... (/META-INF/services)
I: Building apk file...
I: Copying unknown files/dir...
I: Built apk...

Steps to Reproduce

  1. apktool d -f base.apk
  2. apktool b base
  3. The apk seems to be compiled and I can install it via adb, but it won't start when I press the icon

APK

https://www.mediafire.com/file/km6mtz5r3zyqkmd/base.apk/file

AndroidManifest

https://www.mediafire.com/file/smlbc6pn6uzoxoc/AndroidManifest.xml/file

Questions to ask before submission

  1. Have you tried apktool d, apktool b without changing anything? yes
  2. If you are trying to install a modified apk, did you resign it? yes
  3. Are you using the latest apktool version? yes

forty875 avatar Mar 05 '21 23:03 forty875

So this appears to be an obfuscation that probably happens outside of aapt/aapt2 or at least a custom build.

See, it's valid in the file

      A: android:name(0x01010003)="qg.яŨ" (Raw: "qg.яŨ")

Then the plaintext

        <activity android:configChanges="keyboardHidden" android:label="@string/application_name" android:name="qg.⠋Ũ" android:screenOrientation="landscape">

I have one idea that maybe our rewriting of the manifest for properties may be malforming that. I'll double-check that before I triage this further.

iBotPeaches avatar Mar 06 '21 11:03 iBotPeaches

activity

Looks like the only affected properties are the activity ones.

iBotPeaches avatar Mar 06 '21 15:03 iBotPeaches

But without the correct activity the app won't start. My main goal is to inject an SSL certificate into the apk because I don't have root rights, and since Android 7.0 it's more difficult to do that without root.

forty875 avatar Mar 06 '21 16:03 forty875

Progress. Still doesn't work, but far fewer errors.

➜  2526 apktool b base --use-aapt2
I: Using Apktool 2.8.2-22eb80-SNAPSHOT
I: Copying base classes.dex file...
I: Copying base classes2.dex file...
I: Checking whether resources has changed...
I: Building resources...
W: /media/ibotpeaches/AOSP/Apktool/2526/base/AndroidManifest.xml:11: error: attribute 'android:name' in <activity> tag must be a valid Java class name.
W: /media/ibotpeaches/AOSP/Apktool/2526/base/AndroidManifest.xml:29: error: attribute 'android:name' in <activity> tag must be a valid Java class name.
brut.androlib.exceptions.AndrolibException: brut.common.BrutException: could not exec (exit code = 1): [/tmp/brut_util_Jar_20457216808458399121854886757340341501.tmp, link, -o, /tmp/APKTOOL14531588666936688282.tmp, --package-id, 127, --min-sdk-version, 22, --target-sdk-version, 30, --version-code, 21804, --version-name, 2.18.3-NowTV, --no-auto-version, --no-version-vectors, --no-version-transitions, --no-resource-deduping, --allow-reserved-package-id, --no-compile-sdk-metadata, --enable-sparse-encoding, -e, /tmp/APKTOOL11568759962534476383.tmp, -0, arsc, -I, /home/ibotpeaches/.local/share/apktool/framework/1.apk, --manifest, /media/ibotpeaches/AOSP/Apktool/2526/base/AndroidManifest.xml, /media/ibotpeaches/AOSP/Apktool/2526/base/build/resources.zip]
➜  2526       

iBotPeaches avatar Jul 30 '23 18:07 iBotPeaches

Took a look at this again. aapt1 just issues a warning and continues on, but from the report above - it seems it fails.

aapt2 catches it at build-time so you can't even get to runtime, which may be intentional. However, if the application is working prior to any modification and still has the odd character pool, it must work.

So I don't really want to work/focus on aapt1 anymore. So my plan is:

  • Patch out that error in aapt2.
  • Rebuild w/ no changes and run
  • See if it crashes related to this error

iBotPeaches avatar Aug 07 '23 10:08 iBotPeaches
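
The aapt2 error quoted in this thread rejects `android:name` values that are not shaped like Java class names. As an added example (not Apktool or aapt2 code, and not written by anyone in this thread), the script below pre-checks a decoded manifest for such values and reports the code points involved. It approximates the rule with Python's Unicode identifier test, which is an assumption about how closely the two agree; the sample manifest and its package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Elements whose android:name refers to a class.
CLASS_TAGS = {"application", "activity", "service", "receiver", "provider"}

# Constructed sample manifest; the second activity name mimics the thread's
# pattern (a Braille code point followed by a Latin letter).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application android:name=".App">
    <activity android:name=".MainActivity"/>
    <activity android:name="qg.&#x280B;&#x168;"/>
    <service android:name="com.example.app.Sync$Worker"/>
  </application>
</manifest>"""

def qualify(package, name):
    """Resolve a relative manifest class name against the package."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name

def bad_segments(fqcn):
    """Return the dot-separated segments that are not identifier-shaped."""
    # str.isidentifier() applies Unicode XID_Start/XID_Continue. '$' marks
    # inner classes in Java but is not a Python identifier character, so it
    # is mapped to '_' before testing. Empty segments ("a..b") also fail.
    return [s for s in fqcn.split(".") if not s.replace("$", "_").isidentifier()]

def scan_manifest(xml_text):
    """Return (tag, raw name, code points per bad segment) for each hit."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    findings = []
    for elem in root.iter():
        name = elem.get(ANDROID_NS + "name")
        if elem.tag not in CLASS_TAGS or name is None:
            continue
        bad = bad_segments(qualify(package, name))
        if bad:
            points = [[f"U+{ord(c):04X}" for c in seg] for seg in bad]
            findings.append((elem.tag, name, points))
    return findings

if __name__ == "__main__":
    for tag, name, points in scan_manifest(SAMPLE):
        print(f"<{tag}> android:name={name!r} bad segments: {points}")
```

Printing the code points rather than the glyphs makes the offending characters visible even when a terminal or log viewer cannot render them.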

Did that process. Didn't work on device.

08-07 06:50:06.777 32168 32168 D AndroidRuntime: Shutting down VM
08-07 06:50:06.778 32168 32168 E AndroidRuntime: FATAL EXCEPTION: main
08-07 06:50:06.778 32168 32168 E AndroidRuntime: Process: de.sky.online, PID: 32168
08-07 06:50:06.778 32168 32168 E AndroidRuntime: java.lang.RuntimeException: Unable to start activity ComponentInfo{de.sky.online/qg.⠊Ũ}: java.lang.NoSuchMethodException: java.lang.Runtime.exec []
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3676)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3813)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:101)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:135)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2308)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at android.os.Handler.dispatchMessage(Handler.java:106)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at android.os.Looper.loopOnce(Looper.java:201)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at android.os.Looper.loop(Looper.java:288)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at android.app.ActivityThread.main(ActivityThread.java:7898)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at java.lang.reflect.Method.invoke(Native Method)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:548)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:936)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: Caused by: java.lang.NoSuchMethodException: java.lang.Runtime.exec []
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at java.lang.Class.getMethod(Class.java:2103)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at java.lang.Class.getDeclaredMethod(Class.java:2081)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at qg.आŨ.Ū(Unknown Source:1096)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at java.lang.reflect.Method.invoke(Native Method)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at qg.ทŨ.ך(Unknown Source:289)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at qg.ᎢŨ.亭(Unknown Source:115)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at sky.wrapper.tv.MainActivity.Ꭳऊ(Unknown Source:3702)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at sky.wrapper.tv.MainActivity.onCreate(Unknown Source:9)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at android.app.Activity.performCreate(Activity.java:8290)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at android.app.Activity.performCreate(Activity.java:8269)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1384)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3657)
08-07 06:50:06.778 32168 32168 E AndroidRuntime: 	... 12 more
08-07 06:50:06.781  2022 32196 I DropBoxManagerService: add tag=data_app_crash isTagEnabled=true flags=0x2

So I did a quick diff between the original and rebuilt manifest.

Screenshot from 2023-08-07 06-53-11

The only difference was debug line numbers, so can't be that. So back to installing the original application, which indeed works. The string block is the same in terms of the strings, but is slightly (1000 bytes) larger.

The only obvious difference remaining is Apktool marking all resources as public, which is just the problem of enforcing static resourceIds.

So in short - this stays in the backlog for now.

iBotPeaches avatar Aug 07 '23 11:08 iBotPeaches

Can you check this sample too? https://anonfiles.com/rbDa0e78zf/sample_apk

In the AndroidManifest.xml, there are invalid characters

<application android:allowBackup="false" android:appComponentFactory="ؓ؜ؘؘؙؙؙؙؚؕؓؕؐؔؕؒؗؓؓؒؐؐ؜ؖ؜ؑؗ؜ؖؗ.ؘؙؙؕؒؐؔ؜ؘؘؘؙؙؒؑؓؒؗؒؕ؜؜ؘؙؙؑؗؕؗؓؑؗؓ" android:debuggable="false" android:extractNativeLibs="true" android:fullBackupContent="false" android:hardwareAccelerated="true" android:icon="@mipmap/app_icon" android:label="@string/app_name" android:name="ؓ؜ؘؘؙؙؙؙؚؕؓؕؐؔؕؒؗؓؓؒؐؐ؜ؖ؜ؑؗ؜ؖؗ.ؘؙؚؐؗؕؐؓؐؐؒؑؒؑؖ؜ؘؘؘؑؗؔ" android:roundIcon="@mipmap/app_icon_round" android:supportsRtl="true" android:theme="@style/AppTheme" android:usesCleartextTraffic="true">

Using aapt2, it errors out

I: Using Apktool 2.8.1
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether resources has changed...
I: Building resources...
W: D:\Temp\sample\AndroidManifest.xml:49: error: attribute 'android:name' in <application> tag must be a valid Java class name.
brut.androlib.exceptions.AndrolibException: brut.common.BrutException: could not exec (exit code = 1): [C:\Users\XXX\AppData\Local\Temp\brut_util_Jar_162689223352459012775102248855384572834.tmp, link, -o, C:\Users\XXX\AppData\Local\Temp\APKTOOL15559251847740666573.tmp, --package-id, 127, --min-sdk-version, 24, --target-sdk-version, 31, --version-code, 100074, --version-name, 2.6.0, --no-auto-version, --no-version-vectors, --no-version-transitions, --no-resource-deduping, --allow-reserved-package-id, --enable-sparse-encoding, -e, C:\Users\XXX\AppData\Local\Temp\APKTOOL16603572762818175684.tmp, -0, arsc, -I, C:\Users\XXX\AppData\Local\apktool\framework\1.apk, --manifest, D:\Temp\sample\AndroidManifest.xml, D:\Temp\sample\build\resources.zip]

Yehh22 avatar Aug 09 '23 16:08 Yehh22

@Yehh22 - Without testing - it looks identical to the last.

iBotPeaches avatar Aug 09 '23 19:08 iBotPeaches

Any updates? Some apps are taking advantage of this bug using obfuscated attribute names

AndroidMaster24 avatar Nov 27 '23 20:11 AndroidMaster24

> Any updates? Some apps are taking advantage of this bug using obfuscated attribute names

Just stay subscribed to this issue and you'll get any updates when they occur.

iBotPeaches avatar Nov 27 '23 20:11 iBotPeaches