Apkid

The following SDK got improvements, rules and fixes:
- Packers:
- AppSealing
- BlackMod (modder)
- 5Play.ru (modder)
- Aegis - AndroidRepublic (modder)
- KangaPack
- LIAPP
- Protectors:
- DexGuard v9.x (Aarch64)
- DexProtector telemetry (Alice)
- Verimatrix / InsideSecure
- Protectt.ai
- Google Play Integrity protection
- Secucen AppIron
- Ahope AppShield
- AppCamo
- EverSafe
- VGuard
- DxShield
- Obfuscators:
- LSPosed (seen in Momo, Shamiko and so on)
- Android Republic VIP (modder)

Thanks to everyone who contributed! cryptax FrenchYeti dustty0 Yehh22 CalebFenton enovella

The following products got improvements, rules and fixes:
- Packers:
- Multidex inline implementation
- EpicVM (ex-ULTIMA protector)
- Jiagu ELF packer
- DexProtector
- LIAPP
- Protectors:
- DexGuard v9.x (Aarch64)
- DexProtector telemetry (Alice), native (ARM32) and APK files
- FreeRASP
- Obfuscators:
- OLLVM v5, v8, v9 (with and without string encryption)
- ADVObfuscator (in PGSharp)

Additionally,
- Update to Python 3.9
- Update yara-python-dex dependency

Thanks to everyone who contributed! cryptax apkunpacker enovella CalebFenton strazzere Fare9

We've had a good number of rule changes since the last release so we wanted to cut a new version. Thanks to everyone who contributed! We hope you find the tool useful.

Add or improve detections for:

- AliPay
- ApkEncryptor
- APKProtect
- AppGuard
- CrackProof
- DexGuard
- DexProtector
- Hikari
- JsonPacker
- Ollvm
- Promon Shield
- Tencent Legu

For APKiD:

- Use [yara-python-dex](https://github.com/MobSF/yara-python-dex) to greatly simplify installation (yay!)
- Print some errors to stderr

No significant changes were made to rules.

For APKiD itself:
* Fixed bug with `--output-dir- not working with absolute paths within docker container (https://github.com/rednaga/APKiD/issues/171) - thanks iantruslove
* Reduce docker layers and sizes - thanks superpoussin22
* Add `scan_file_obj` API
* Fixed some error handling
* Add `--include-types` option
* Fix rule identifier counting
* Improve rule hash stability
* Improve file type detection for ELFs
* If using `filename` for typing, consider `.jar` files as zips.

For the rules:
* Beefed up DexGuard detection
* Correct dexlib1 detection
* Add AppSuit detection - thanks enovella
* Add SafeEngine detection - thanks horsicq
* Several other fixes and improvements

* Add check for zip entry types before trying to scan them
* Handle duplicate zip entries via `ZipFile.infolist()`
* Make `OutputFormatter.build_json_output` public
* Change default typing behavior to `magic`

The zip entry type check is a minor optimization. The previous behavior was to assume all zip entries should be scanned. Here's a quick benchmark to show that using filename typing (which is faster than magic bytes), you can save a bunch of time. Of course, you'll miss "hidden" files that aren't named with the correct extension. If you use APKiD forensically or with malware, you should either use the default option. If you have some weird custom rules, you might even want to use `--typing none`.

Here's some benchmarking data:


apkid test-data --typing filename 23.96s user 1.49s system 98% cpu 25.844 total
apkid test-data --typing magic 41.05s user 2.37s system 98% cpu 43.922 total
apkid test-data --typing none 41.66s user 2.19s system 98% cpu 44.640 total