Describe the bug
Any file/DIR path passed to child_process with a space in it, results into an error as it's interpreted as multiple different commands together.

To Reproduce
Steps to reproduce the behavior:

1. Rename an APK file, or it's parent DIR to include a space.
2. Open and try to decode using APKLab
3. See error

Expected behavior
It should not throw error and should work correctly.

System Information:

• OS: Ubuntu 18.04
• VS Code Version: 1.52.1

Additional context
The path should be passed to child_process escaped or some other workaround should be used to tell child_process to interpret the path as a single parameter.

Is your feature request related to a problem? Please describe.
No problem. Just a new feature.

Describe the solution you'd like
Provide an option to apply apk-mitm patch once the APK is opened.

Describe alternatives you've considered
Install apk-mitm and let it do the job.

Additional context
Since APKLab has all the tools needed(Apktool, uber-apk-signer, etc.) and ApkTool will have ability to make an APK debuggable too. So less work overall.

iBotPeaches/Apktool#1978

May include:

• Bug Report/Feature request
• Code contribution
• Documentation
• Tests

It'll be nice to parse and display apk signature info after it is decompiled. Since this info can be checked multiple times, it'll be a good idea to store it in a json file. An apklab.json file can be useful for storing such info as well as some other project metadata useful for other features (such as using webviews for a good UX).

Tools to parse signature info:

• Jadx: Shipped with APKLab, uses ApkSig, but CLI tool can't parse certificates. See skylot/jadx#1083
• uber-apk-signer: Shipped with APKLab, uses ApkSig, gives sufficient info using -y --verbose
• apksigner: Not shipped, uses ApkSig, can give info about multiple certificates too using --print-certs --verbose

For now, I think uber-apk-signer will do as it's shipped by default, can give signature info with an expiry date, etc. apksigner can be used in future for better support of this feature or to replace uber-apk-signer entirely.

Is your feature request related to a problem? Please describe.
Currently, the Quark report only shows 100% confidence in activities. However, we found out that most of the 80% confidence activities are also valuable.

Describe the solution you'd like
There is an idea for the issues, and we can implement it if you like to.

Add a checkbox at the Quark report to filter the percentage of confidence.

Let us know if you have any ideas or suggestions. :D

Is your feature request related to a problem? Please describe.
No.
Just a new feature to help the RE.

Describe the solution you'd like
I would like to use a call graph app within VSCode or be able to launch one.
I have found that androguard could be used.
Also it is a 'many' features app.
I did not fully tested it, just the call graph.

Additional solution
By the way, it is a Python app with many dependencies (I am more a Python afficionado).
There is also these following :

• FlowdoidCG dependencies are integrated - old
• apkinspector lots of big dependencies - very old
• apk-static-xref ruby dependend - very old
• AP_CG Java based - old - must alter Main.java file to register the apk

Is your feature request related to a problem? Please describe.
APKLab doesn't detect the version of tools (Apktool, jadx..) and therefore can't suggest updating them.

Describe the solution you'd like
APKLab's updateTools() function should detect the version of tools installed and compare it to what it has in config.json. If the tool has an older version installed then prompt the user to update that tool. If the user chooses so, download and install it and update the related path. Optionally delete the older version too.

Describe alternatives you've considered
Let users manually update the tools.

Additional context

Hello everyone

is this program can help me to extract data from a legacy forticlient apk? because I have been looking for a solution for a week to extract the data file from the application but without success. if anyone can help me on this. the goal of doing this is to deploy the same data on multiple tablets by an MDM. thank you in advance.

https://linkpicture.com/view.php?img=LPic6060646e02164579242038

Describe the bug
Windows 10 Apk open bug

To Reproduce
Steps to reproduce the behavior:

1. ctrl + shift + p
2. Open an APK
3. See error

Expected behavior
Show the UI

Console Logs
Downloading file: apktool_2.4.1.jar
Error: Creating file
Can't download/update dependencies!

System Information:

• Window 10
• VSCode Version: 1.52.1

Two possibilities:

1. Depend on some other extension that manages ADB devices for it. or
2. Implement ADB device manager within this extension.

Is your feature request related to a problem? Please describe.
So when working on app modification it's very common that someone would want to initialize git in decoded project dir for easier tracking of changes.

Describe the solution you'd like
Therefore, let's add this feature to initialize git after decoding/decompiling and just before opening the new window using the below steps:

cd decodedDir
git init
git add -A
git commit -m "initial commit"

Also, it might be useful to expose this as a configuration option so users, who might not need it, can disable it.

Describe alternatives you've considered
Just decode and run the above commands manually.

Additional context
Suggested by @shroudedcode

To do:

• OS: Linux #61
• OS: Windows #63
• OS: macOS #63
• Download and Install dependencies (ApkTool, Jadx, Uber-apk-signer) #61
• Decode APK with ApkTool #61
• Decompile APK with Jadx #61
• Rebuild APK with ApkTool #61
• Clean Resource Framework Dir #74
• Malware Analysis report generation test with Quark-Engine #92
• Apply MITM Patch #158
• git repo initialization in project dir #158
• Verify Signature on Rebuild (builtin and user-provided Keystore)
• Install Resource Framework APK (NYI)

It will be nice to see extract and store all interesting stuff from decompiled java source (java_src dir) or smali or res dir into a json file.

Refs:

• https://github.com/vincentcox/StaCoAn
• https://github.com/CalebFenton/apkfile
• https://github.com/n3k00n3/APKScanner/blob/main/APKScanner.sh
• https://github.com/dwisiswant0/apkleaks

Annotate Smali files with Java source links for methods and/or classes. It could be done as gitlens extension does.

It might not find the exact method because Jadx renames identifiers for deobfuscation, by default. So it either needs to be disabled or let it fail if unable find some methods etc.

Make sure not to conflict with any Smalise feature.

Describe the bug
Cannot decompile APK

To Reproduce
Steps to reproduce the behavior:

1. Edited the absolute path to Apk Signer, Apktool, Jadx settings.json looks as follows:

    "python.pythonPath": "/usr/bin/python3",
    "editor.suggestSelection": "first",
    "vsintellicode.modify.editor.suggestSelection": "automaticallyOverrodeDefaultValue",
    "workbench.iconTheme": "vscode-icons",
    "C_Cpp.updateChannel": "Insiders",
    "python.languageServer": "Microsoft",
    "window.zoomLevel": 1,
    "apklab.apkSignerPath": "/lib/android-sdk/build-tools/debian/apksigner.jar",
    "apklab.jadxDirPath": "/home/roey/jadx/build/jadx/bin/jadx",
    "apklab.apktoolPath": "/usr/share/apktool/apktool.jar"
}

2. Click on:
   CTRL+SHIFT+P -> APKLab: open an APK -> Select APK (/home/roey/ApkProjects/ynet_6.78.apk) ->
   Check decompile_java [Use Jadx] -> Press OK

3. See error:

Decoding ynet_6.78-MOD.apk into /home/roey/ApkProjects/ynet_6.78-MOD...
java -jar /usr/share/apktool/apktool.jar d /home/roey/ApkProjects/ynet_6.78-MOD.apk -o /home/roey/ApkProjects/ynet_6.78-MOD
no main manifest attribute, in /usr/share/apktool/apktool.jar
Decoding process exited with code 1

Expected behavior
A VScode window with decompiled (to smali) APK

Console Logs

System Information:

• OS: Kububntu 20.10 x64
• VSCode Version: 1.50.1

Additional context
Add any other context about the problem here.

Is your feature request related to a problem? Please describe.

Describe the solution you'd like
Support xapk and apks in APKLab.

Describe alternatives you've considered
Extract bundle and use single apk.

Additional context
none

Is your feature request related to a problem? Please describe.
The sub-items for API information in the Quark report don't have indent spaces. So the users may be confused they are at the same level.

Describe the solution you'd like
There is an idea for the issues, and we can implement it if you like to.

Add indent space before the API information in the Quark report.

Let us know if you have any ideas or suggestions. :D

Hello, I'm trying to edit my package name from id.myapplication.main to id.myapplication.main.test and the new apk can't be installed.
Is it wrong to edit the package name that way? Can you tell me the specific rules about changing package names?
Thanks

It is possible to edit package name in apklab? and How? Thanks

Describe the bug
Extension builds fine but fails to start in debug mode(watch) with the latest webpack & webpack-cli.

To Reproduce
Update these deps and press F5

Expected behavior
Extension should start just fine.

For example, I want to add --no-assets to apktool.

I tried to patch & build the Instagram App from here: https://www.apkmirror.com/apk/instagram/instagram-instagram/instagram-instagram-174-0-0-31-132-release/instagram-174-0-0-31-132-android-apk-download/
Errorcode:

Applying patches for HTTPS inspection (MITM)
--------------------------------------------
Using apk-mitm v0.11.1 (https://github.com/shroudedcode/apk-mitm)

[1/3] Modifying app manifest
[2/3] Replacing network security config
[3/3] Disabling certificate pinning
Scanning Smali files...
X/03D: Applied X509TrustManager#checkClientTrusted (javax) patch
X/03D: Applied X509TrustManager#checkServerTrusted (javax) patch
X/03D: Applied X509TrustManager#getAcceptedIssuers (javax) patch
X/03E: Applied HostnameVerifier#verify (javax) patch
X/0e5: Applied HostnameVerifier#verify (javax) patch
X/0HE: Applied X509TrustManager#checkClientTrusted (javax) patch
X/0HE: Applied X509TrustManager#checkServerTrusted (javax) patch
X/0HE: Applied X509TrustManager#getAcceptedIssuers (javax) patch
X/0HF: Applied X509TrustManager#checkClientTrusted (javax) patch
X/0HF: Applied X509TrustManager#checkServerTrusted (javax) patch
X/0HF: Applied X509TrustManager#getAcceptedIssuers (javax) patch
X/0Za: Applied X509TrustManager#checkClientTrusted (javax) patch
X/0Za: Applied X509TrustManager#checkServerTrusted (javax) patch
X/0Za: Applied X509TrustManager#getAcceptedIssuers (javax) patch

Successfully applied MITM patches!
--------------------------------------------
Rebuilding instagram.apk into instagram\dist
--------------------------------------------
java -jar C:\Users\Karl\.apklab\apktool_2.5.0.jar b c:\Users\Karl\Downloads\instagram --use-aapt2
I: Using Apktool 2.5.0
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes2 folder into classes2.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes3 folder into classes3.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes4 folder into classes4.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes5 folder into classes5.dex...
I: Checking whether resources has changed...
I: Building resources...
W: c:\Users\Karl\Downloads\instagram\res\values-h640dp\layouts.xml:3: error: invalid value for type 'layout'. Expected a reference.
W: c:\Users\Karl\Downloads\instagram\res\values-h640dp\layouts.xml: error: file failed to compile.
W: c:\Users\Karl\Downloads\instagram\res\values-land\layouts.xml:3: error: invalid value for type 'layout'. Expected a reference.
W: c:\Users\Karl\Downloads\instagram\res\values-land\layouts.xml: error: file failed to compile.
W: c:\Users\Karl\Downloads\instagram\res\values-sw600dp\layouts.xml:3: error: invalid value for type 'layout'. Expected a reference.
W: c:\Users\Karl\Downloads\instagram\res\values-sw600dp\layouts.xml:4: error: invalid value for type 'layout'. Expected a reference.
W: c:\Users\Karl\Downloads\instagram\res\values-sw600dp\layouts.xml: error: file failed to compile.
W: c:\Users\Karl\Downloads\instagram\res\values-v22\layouts.xml:3: error: invalid value for type 'layout'. Expected a reference.
W: c:\Users\Karl\Downloads\instagram\res\values-v22\layouts.xml:4: error: invalid value for type 'layout'. Expected a reference.
W: c:\Users\Karl\Downloads\instagram\res\values-v22\layouts.xml:5: error: invalid value for type 'layout'. Expected a reference.
W: c:\Users\Karl\Downloads\instagram\res\values-v22\layouts.xml:6: error: invalid value for type 'layout'. Expected a reference.
W: c:\Users\Karl\Downloads\instagram\res\values-v22\layouts.xml:7: error: invalid value for type 'layout'. Expected a reference.
W: c:\Users\Karl\Downloads\instagram\res\values-v22\layouts.xml:8: error: invalid value for type 'layout'. Expected a reference.
W: c:\Users\Karl\Downloads\instagram\res\values-v22\layouts.xml:9: error: invalid value for type 'layout'. Expected a reference.
W: c:\Users\Karl\Downloads\instagram\res\values-v22\layouts.xml:10: error: invalid value for type 'layout'. Expected a reference.
W: c:\Users\Karl\Downloads\instagram\res\values-v22\layouts.xml:11: error: invalid value for type 'layout'. Expected a reference.
W: c:\Users\Karl\Downloads\instagram\res\values-v22\layouts.xml:12: error: invalid value for type 'layout'. Expected a reference.
W: c:\Users\Karl\Downloads\instagram\res\values-v22\layouts.xml:13: error: invalid value for type 'layout'. Expected a reference.
W: c:\Users\Karl\Downloads\instagram\res\values-v22\layouts.xml:14: error: invalid value for type 'layout'. Expected a reference.
W: c:\Users\Karl\Downloads\instagram\res\values-v22\layouts.xml:15: error: invalid value for type 'layout'. Expected a reference.
brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 1): [C:\Users\Karl\AppData\Local\Temp\brut_util_Jar_84718649865576701418041492395385499156.tmp, compile, --dir, c:\Users\Karl\Downloads\instagram\res, --legacy, -o, c:\Users\Karl\Downloads\instagram\build\resources.zip]
Rebuilding process exited with code 1```

Any Ideas whats going wrong and how to fix it?

To-Do:

• Clear ApkTool framework dir (useful for update too) #46
• Install new framework-res.apk
• Allow tagging framework during install
• Allow specifying framework tags for decoding

Ref:

• https://ibotpeaches.github.io/Apktool/documentation/#frameworks
• https://ibotpeaches.github.io/Apktool/documentation/#empty-framework-dir

Either try a variation of vscode.openFolder command or something like vscode.env.openExternal(vscode.Uri.parse("vscode://file" + apkDecodeDir)); if it works.

Describe the bug
When I am developing in a Remote Container, apktool, jadx or uber-sign-apk are not found while extracting the apk

To Reproduce
Steps to reproduce the behavior:

1. Launch VSCode in a remote container (base: ubuntu for isntance)
2. Required Add-ons are installed automatically through the vscode/.devcontainer file
3. The apk to test is on the folder from where I launched the Remote Container
4. Launch the ApkLab add-on
5. java -jar d /workspaces/ApkLab-VSCode/InsecureBankv2.apk -o /workspaces/ApkLab-VSCode/InsecureBankv2
   apktool.jar is not found.
   In the add-on settings the Remote (devcontainer) and Worksapce, the path to the tools are properly identified.
   In the filesystem, apktool.jar and uber-sign-apk.jar are executable (chmod +x).

Expected behavior
Just want the apktool to be found so that the apk can be decompiled.

Console Logs

Extracted /root/.apklab/jadx-1.1.0.zip into /root/.apklab/jadx-1.1.0
-------------------------------------------------------------------------
Decoding InsecureBankv2.apk into /workspaces/ApkLab-VSCode/InsecureBankv2
-------------------------------------------------------------------------
java -jar  d /workspaces/ApkLab-VSCode/InsecureBankv2.apk -o /workspaces/ApkLab-VSCode/InsecureBankv2
Error: Unable to access jarfile
Decoding process exited with code 1

Please paste all your console output here... between the details HTML tags!

System Information:

• OS: Ubuntu 20.04
• VSCode Version: 1.50.1
• VSCode Add-on :
  • Docker
  • Remote Container

Additional context
Working in a remote container.
Here is the Dockerfile I am using :

FROM ubuntu:20.04 as ubuntu-downloader

ENV HACKTOOLS_DIR=/home/Developpement/HackingTools

WORKDIR $HACKTOOLS_DIR

# Install adb tools, unzip, wget, signapk and apktool
RUN apt update -y && apt install -y  --no-install-recommends \
    wget \
    unzip

# Download apktool-2 & Rename downloaded jar to apktool.jar
RUN mkdir -p /home/Developpement/HackingTools/ApkTool && \
    wget --no-check-certificate --quiet -O /home/Developpement/HackingTools/ApkTool/apktool https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool && \
    wget --no-check-certificate --quiet -O /home/Developpement/HackingTools/ApkTool/apktool.jar https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.4.1.jar



# Pull Ubuntu LTS image.
FROM ubuntu:20.04

# Labels and Credits
LABEL \
    name="Apk Lab Env" \
    author="Rémi Lavedrine <[email protected]>" \
    maintainer="Rémi Lavedrine <[email protected]>" \
    description="Android Security Test (AndroSecTest) is an automated, all-in-one mobile application (Android) security assessment framework capable of performing static."

ENV SRC_DIR=/root/home/apkLab-Results
ENV HACKTOOLS_DIR=/home/Developpement/HackingTools
WORKDIR $SRC_DIR

# Set up the time as Europe/Paris
ENV TZ=Europe/Paris
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime \
    && echo $TZ > /etc/timezone


# Install adb tools, unzip, wget, signapk and apktool
RUN apt update -y && apt install -y --no-install-recommends \
    openjdk-8-jdk \
    usbutils \
    unzip \
    wget \
    android-tools-adb \
    bash-completion \
    golang-go \
    gcc


# Download apktool-2 & Rename downloaded jar to apktool.jar
RUN wget --no-check-certificate --quiet -O /usr/local/bin/apktool https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool && \
    wget --no-check-certificate --quiet -O /usr/local/bin/apktool.jar https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.4.1.jar && \
    chmod +x /usr/local/bin/apktool && \
    chmod +x /usr/local/bin/apktool.jar


# Install zsh as the default shell within the container.
RUN apt install -y --no-install-recommends git zsh && chsh -s /usr/bin/zsh

RUN sh -c "$(wget -O- https://github.com/deluan/zsh-in-docker/releases/download/v1.1.1/zsh-in-docker.sh)" -- \
    -t https://github.com/denysdovhan/spaceship-prompt \
    -a 'SPACESHIP_PROMPT_ADD_NEWLINE="false"' \
    -a 'SPACESHIP_PROMPT_SEPARATE_LINE="false"' \
    -p git \
    -p sudo \
    -p https://github.com/zsh-users/zsh-autosuggestions \
    -p https://github.com/zsh-users/zsh-completions

Use APKLab/ERROR, APKLab/INFO, or something similar.

Is your feature request related to a problem? Please describe.
We found that Quark takes a long time to analyze large size APK. If we let Quark execute with other decompile tools (Jadx, APKtool) initially, users may wait a long time.

Describe the solution you'd like
There is an idea for the issues, and we can implement it if you like to.

We can move the Quark analysis option from quick-pick items and put it in the menu on quarkReport.json (quarkReport.json initially create as an empty file), so the users can decide to use Quark after decompiled.

Let us know if you have any ideas or suggestions :D

I just found this great extension. Is it possible to add option also to disable automatically creating git?
Thank you

Is your feature request related to a problem? Please describe.
To develop, I use an environment which is shared accross different computers with different partition structures.
I use environment variables to set my environment around VSCode (VSCodium).
Using absolute path in settings is a bit pain cause I need to change it every time I change my computer.

Describe the solution you'd like
I would like to be able to use environment variables in path settings ${env:MYVAR} or relativ paths.

The bug
Upon executing any command, the jar path file (either apktool or uber signer) isn't getting used in the command line, e.g:

java -jar d <path/to/my/apk>

The path of the jar is missing, although the extension downloads it. I hardcoded a correct path in the extension settings, without success.

Expected behavior
The extension should not re-download the jar files at every command, and should be using them in the final command lines e.g:

java -jar <path/to/apktool> d <path/to/my/apk>

Console Logs

System Information:

• OS: Ubuntu 18.04.1
• VSCode Version: 1.48.1

Is your feature request related to a problem? Please describe.
Quark engine is a apk analyzer that can quicky tell users what this apk does. So we're thinking about integrating quark as one of the analyzers. Users can first use quark to have a quick look of the apk and then dive in the details with the features apklab provides.

Belows are features and reports released recently.

Reference

Instead of making users download apktool and uber-apk-signer download it on activation of this extension.

I try to change the LAUNCHER Activity of an app. In the AndroidManifest.xml I just switch the Launcher Activity e.g. SplashActivity with MainActivity and MainActivity gets SplashScreen. I save my changes and try rebuild the apk. I get success messages, but after I install the app with help of "Split APK installer" I get the message, that the AndroidManifest.xml can not be found. How to rebuild the apk with modified AndroidManifest.xml? Is it possible?
I try to do it, as because I suppose there is a check in the SplashScreenActivity which checks for a modified apk, as I modified it before with apk-mitm. I try to avoid that check by changing the launcher to a different activity.

Expected behavior
The modified AndroidManifest.xml should be included in the rebuilded apk.

Is your feature request related to a problem? Please describe.
Being able to look at and modify an app's Smali code is often enough to get a general understanding of its internals and make small changes, but sometimes it can be helpful to set a few breakpoints and inspect behavior at runtime. This is already possible with the smalidea plugin for IntelliJ IDEA, but the process is kind of tedious. It requires you to:

• (Obviously) Install the plugin
  • Realize that it doesn't work in Android Studio for some reason
  • Waste a lot of time wondering why you can't set any breakpoints inside Smali files
  • Finally figure that you need to change the file type for *.smali from "Smali" to "smali files" in the settings
• Open the "Android Device Monitor" application buried within the Android SDK folder
  • Switch to Java 8 because it doesn't work with newer Java versions
• See which port is listed next to the app you want to debug
• Create a new debug configuration inside IntelliJ IDEA and enter the port there
• Finally start the debugging session

To be fair, some of the things above only have to be done once, but even without them the process isn't exactly smooth.

Describe the solution you'd like
It would be great if APKLab allowed users to quickly start a Smali debugging session by automatically finding the right debugging port based on the package name (this could be helpful), connecting to it, and launching a VS Code debugging session.

The bulk of this feature should probably live in the Smalise extension (which has its own issue for this), but APKLab could provide a nice "launcher" around it which ensures that you've built the APK with the --debug flag and automatically figures out the port.

Additional context
I created this issue after this discussion in the Telegram group.

hello,
as an exercise I wanted to try checking out the https traffic from this apk: https://apkcombo.com/it-it/wenano/com.tipanano.WeNanoLight/download/apk

I followed all the steps and everything is ok -- I can adb the app onto an android device and start it up.
I'm using Proxyman to intercept https traffic, device is configured properly (trusted cert, proxy settings).

However I still see handshake failures (app uses firebase I guess) and cannot proceed beyond the first screen.

--------------------------------------------
Applying patches for HTTPS inspection (MITM)
--------------------------------------------
Using apk-mitm v0.11.1 (https://github.com/shroudedcode/apk-mitm)

[1/3] Modifying app manifest
[2/3] Replacing network security config
[3/3] Disabling certificate pinning
Scanning Smali files...
okhttp3/CertificatePinner: Applied CertificatePinner#check (OkHttp 3.x) patch
com/squareup/okhttp/CertificatePinner: Applied HostnameVerifier#check (OkHttp 2.5) patch
okhttp3/internal/tls/OkHostnameVerifier: Applied HostnameVerifier#verify (javax) patch
io/grpc/okhttp/internal/OkHostnameVerifier: Applied HostnameVerifier#verify (javax) patch
com/squareup/okhttp/internal/tls/OkHostnameVerifier: Applied HostnameVerifier#verify (javax) patch

Successfully applied MITM patches!

should I ask @shroudedcode about this? thanks for the tool!

Platform: Ubuntu18
When i click the "APKLab: Open an APK", it will still download the apktool.jar and signer.jar although i have already done that. And when download completed, it popups the choose surface so i can choose which apk file to decode , but the decode result is failed. And when i try to decode the apk file by the execute the apk.jar manually, it's ok.

console.log only works during the development of an extension. Use outputChannel for any output to be shown in VS Code.

I cannot upload my apk to playstore because its in debug mode after rebuild. Is there any solution?
Thank you

Repo: https://github.com/rednaga/APKiD

Other refs:

• http://hitcon.org/2016/CMT/slide/day1-r0-e-1.pdf
• https://github.com/enovella/cve-bio-enovella/blob/master/slides/bheu18-enovella-APKID.pdf
• https://rednaga.io/2016/07/31/detecting_pirated_and_malicious_android_apps_with_apkid/
• https://github.com/horsicq/XAPKDetector

For now uber-apk-signer's built in debug certificate is used for APK signing. An improvement could be to give users option to use their own keystore and alias.
Note: .pk8 files are not supported yet, see patrickfav/uber-apk-signer#4