Ramblings of a Tampa engineer


Apktool v2.2.4 has been released! This release packs some important security fixes, along with patching some slowdowns Apktool experienced when decoding applications.

This release also had a few security related fixes, I'd like to thank Chris Shepherd (IBM Security) & Eran Vaknin, Gal Elbaz, Alon Boxiner (Checkpoint) who responsibly disclosed these to me. There is a blog post going into details for those who are curious. If you use apktool in a situation that the public can use it (ie some hosted service), you will want to upgrade.

If you missed the news, Apktool received its first sponsor from Sourcetoad which has helped speed development of releases. You can read about that here.

This release had 31 commits by 3 people.

  • Connor Tumbleson (iBotPeaches) - 28 commits
  • Marc Miltenberger (MarcMil) - 2 commits
  • bingqiao - 1 commit

Changes since v2.2.3

  • [#1520] - Android O Final Dev Preview Support
  • [#591] - SnakeYAML 1.1.8 (Android Support)
  • [#1489] - Fix issue with APKs taking longer than usual to parse resources. (Thanks MarcMil)
  • [#1543] - Fix issue with internal binaries not accessible in a Spring boot environment. (Thanks bingqiao)
  • [#1520] - Fix issues with rebuilding applications originally built with aapt2.
  • [#1532] - Patch aapt to support the $ character in resource filenames.
  • [#1561] - Fix issue where apktool was holding locks onto files during execution. (Thanks MarcMil)
  • [#1534] - Fix issue with APKs that last resource in pool is INVALID_TYPE_CONFIG.
  • [#1564] - Fix issue with APKs that are including malformed characters to break parser.
  • Only exit with 0 error code during version commands.
  • Enforce license header on all source files.
  • [Security] Prevent malicous directory traversal with unknown files.
  • [Security] Prevent XXE vulnerability when given a malicious AndroidManifest.xml
  • Upgrade to gradle 4.0.


For those using apktool at your own leisure in your own environment - you can update at your own pace. For those who apktool in any public facing environment, it is highly recommended to upgrade to 2.2.4 due to the included security fixes as soon as possible. As mentioned above, more details to these security issues and steps taken to resolve can be found here.


  • Apktool 2.2.4
    • md5 fad893aea35b598512689cc3c28b2ed8
    • sha256 1f1f186edcc09b8677bc1037f3f812dff89077187b24c8558ca2a89186ea3251
    • Rename to apktool.jar and follow the Instruction Guide if you need help.
You’ve successfully subscribed to Connor Tumbleson
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Success! Your email is updated.
Your link has expired
Success! Check your email for magic link to sign-in.