Great to see you're adopting some of the #security... | IzzyOnDroid ✅

IzzyOnDroid's posts Post Back to profile

IzzyOnDroid ✅

Great to see you're adopting some of the #security features we've implemented earlier this year at #IzzyOnDroid @fdroidorg! Maybe you want to check our documentation on them?

https://android.izzysoft.de/articles/named/iod-scan-apkchecks

* it's SIGNING blocks, not FROSTING blocks
* MEITUAN is about payload, not metadata
* there's no fixed number of blocks as your code assumes (https://gitlab.com/fdroid/fdroidserver/-/merge_requests/1548/diffs)

The article you link to (https://bi-zone.medium.com/easter-egg-in-apk-files-what-is-frosting-f356aa9f4d1) tells you the same :wink:

screenshot from the merge request adding checks for signing blocks, calling them "frosting blocks", the Meituan Payload block "metadata", and the frosting block "Google metadata"

screenshot from an issue comment to developers, describing the DEPENDENCY_INFO_BLOCK as "frosting block"

Like 6 November at 20:21 | Open on floss.social

1 comment

IzzyOnDroid ✅

@fdroidorg Only what you call "Google metadata" (0x2146444E) is the Google Play Frosting Block, neither the DEPENDENCY_INFO_BLOCK (0x504b4453) nor the MEITUAN_APK_CHANNEL_BLOCK (0x71777777) are. And Meituan calls their block Payload themselves:

https://github.com/search?q=repo%3AMeituan-Dianping%2Fwalle%20APK_CHANNEL_BLOCK_ID&type=code

screenshot from code by Meituan, clearly addressing their block with a "PayloadWriter"

6 November at 20:23 | Open on floss.social