This posting is reveal how I can get a flag on this challenge.

First of all, I appreciated to author. Because it induced me to try to solve problems with various methodologies. I think the author has many purposes on this challenge.

If you have an emulator or physical device, you can execute the APK file with ADB(Android Debug Bridge). But, sometimes we need to consider the APK’s API version. In other words, if your test device version is low, the application will be not executed. However, the challenge Mobile App L01’s concept was different from normal android application. Can you guess what I mean? Look at the photo below.

You can see one alert message. “INSTALL_FAILED_INVALID_APK”. OH! why cannot inject the APK file? Actually, I’ve never experienced about this issue. According to the stackoverflow, one guy mentioned “It is about the file contents issue” something like that.

I decided a follow his advice. And, to decompress a file with a Bandizip. As you know, the APK file is a type of compression. Therefore, we can view some contents via a decompression. After decompress, you will be shown some files related to the android application.

When I try to solve this challenge, my brain was already quite exhausted. So, I discovered some file names were weird late.

resource.arsc
class.dex
AndroidManlfests.xml 

The real file name is resources.arsc, classes.dex, and AndroidManifest.xml

Can you guess my file will be worked? Unfortunately, the file is still not worked yet.

Even if I was already changed file names, the error message is same. It means that I do not fixed all yet.

Actually, the file name is not related to integrity if the file is separate. But, if file name was changed on the zip file, the integrity will be broken. You can see the PoC below.