Ramblings of a Tampa engineer

Apktool v2.6.1 has been released! This is a bug fix release including a low severity security issue.

The security issue I don't think is a true vector for most Apktool users. However, I cannot sit on a patched security issue ethically without a release. It was assigned a CVE, but then revoked after a long discussion that you can probably now read on huntr.

This did lead to some confusion that I apologize for in which a commit did enter the repository under a now wrong CVE. While I was discussing a change in the severity rating, I did not expect the CVE to be removed entirely.

Not too much has occurred in the preparation for v3.0.0, but the decided feature list, including many breaking changes has been decided for 3.0.0.

  • Removing aapt1
  • CLI library replaced (attempting to keep as many parameters unchanged)
  • Linter added for Java style
  • Mapping filenames for unsupported characters or operating systems
  • Optional disabling of dummy resource generation
  • Support for only Android Manifest disassembling (no rebuild)

Depending on how long this might take we may have a few more releases in the 2.6.x series while 3.x is under development.

So welcome to Apktool 2.6.1

This release had 23 commits by 4 people

  • Connor Tumbleson (iBotPeaches) - 20
  • Al Sutton - 1
  • Goooler - 1
  • Yaroslav - 1

As mentioned a smaller release cycle for a security issue.

Changes since 2.6.0

  • [#2686] Add apktool-cli to Maven publishing.
  • [#2687] Add support for signature scheme v4.
  • [#2713] Add commons-lang project to remove deprecated methods from commons-io. (Thanks alsutton)
  • [#2739] Fix temporary files not automatically being removed.
  • [#2637] Support automatic workaround for private resources.
  • Upgrade to commons-cli 1.5.0 (Thanks Goooler)
  • Upgrade to guava 31.0.1 (Thanks Goooler)
  • Upgrade to jengelman.shadow 7.1.0 (Thanks Goooler)
  • Fix licenseFormat[Test/Main] to properly inject variables into license preamble.
  • Fix untrusted classes from being loaded during YAML parsing.


  • Applications are becoming more and more difficult to build with aapt1, using the --use-aapt2 flag during rebuild is a good test.


  • Apktool 2.6.1
    • md5 361f0c97e34aa93c7c1d8aa3e4828f69
    • sha256 bc2b9a87ac5a86905b6ca343c21a0db3bc37bdd51154bc9cdf65523d95895d34
    • Rename to apktool.jar and follow the Instruction Guide if you need help.
You’ve successfully subscribed to Connor Tumbleson
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Success! Your email is updated.
Your link has expired
Success! Check your email for magic link to sign-in.