Ramblings of a Tampa engineer

Apktool v2.9.3 has been released! This release is a hot-fix on top of the previous v2.9.2 release for a related security fix.

Discovered by Cl0udG0d the previous path traversal fix was not hardened when running against Windows. It was learned that Windows will handle both path separators (/ and \) which v2.9.2 had previously isolated to the intended OS. Now cleansing of resource names will include both path separators no matter the OS.

Apktool has had a few CVEs over the last decade, but the last one was the most public for sure. I attribute that to the rise of automated detection logic which flagged systems and tools to update their version of Apktool. This meant lots of folks asked for patches to various old versions. Apktool hasn't really taken care in supporting older versions, but will take a more serious effort now.

v2.10.x will be the next large feature release, but a branch v2.9.x exists for security/urgent fixes. We will try and support the last release or two until it doesn't seem worthwhile.


I launched GitHub Sponsors to help provide another alternative for folks showing appreciation. I want to remind folks of two companies that continue to hold a monthly donation for the project.

  • Emerge Tools came online to sponsor the tool.
  • Sourcetoad (self employer) additionally joined to sponsor (as well as a few other projects).

This release had 3 commits by 1 person

  • Connor Tumbleson (iBotPeaches) - 3 commits

Changes since 2.9.2

  • [#3492] Fix #GHSA-vgwr-4w3p-xmjv (Arbitrary file writes on Windows). (Thanks Cl0udG0d)


  • The v2.9.x releases have moved to aapt2 being the default. If you'd like to return to the previous behavior, please use --use-aapt1 during build stage.


You’ve successfully subscribed to Connor Tumbleson
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Success! Your email is updated.
Your link has expired
Success! Check your email for magic link to sign-in.