GHSA-763j-3p5v-jfc6: androidqf: APK download Path Traversal in device APK paths
During device acquisition, getPathToLocalCopy() constructs local filesystem paths for downloaded APKs using a filename component extracted by extractFileName(). The extraction splits on ==/ and takes the remainder without sanitization. If a compromised device returns a crafted APK path containing traversal sequences, filepath.Join resolves them, allowing the file to be written outside the intended apks/ directory.
Practical exploitability is limited because Android enforces strict package path formats under /data/app/ and does not allow apps to register paths containing traversal sequences. Rated Informational as a defense-in-depth concern.
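The following Go program is an added illustration, not androidqf's source: it reconstructs the pattern the advisory describes (split the device path on "==/", join the remainder under apks/), shows how filepath.Join resolves a crafted ".." component out of the target directory, and sets a hardened version beside it. The function names extractFileNameUnsafe, unsafeLocalCopyPath, extractFileNameSafe and localCopyPath, and both sample device paths, are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed sample paths (not taken from the advisory): one well-formed
// Android app path and one crafted by a hostile device.
const (
	benignAPKPath  = "/data/app/~~abcdef==/com.example.app-ghijkl==/base.apk"
	craftedAPKPath = "/data/app/~~abcdef==/com.example.app-ghijkl==/../../../tmp/evil.apk"
)

// extractFileNameUnsafe reproduces the flawed pattern the advisory describes:
// split the device path on "==/" and return what follows, unsanitized.
// Hypothetical reconstruction, not androidqf's code.
func extractFileNameUnsafe(apkPath string) string {
	parts := strings.Split(apkPath, "==/")
	return parts[len(parts)-1]
}

// unsafeLocalCopyPath shows why the pattern is dangerous: filepath.Join cleans
// the result, so ".." components in the file name walk out of apksDir.
func unsafeLocalCopyPath(apksDir, apkPath string) string {
	return filepath.Join(apksDir, extractFileNameUnsafe(apkPath))
}

// extractFileNameSafe accepts only a single path element: no separators and
// not "", "." or "..". Anything else coming from the device is rejected
// outright rather than silently rewritten.
func extractFileNameSafe(apkPath string) (string, error) {
	name := extractFileNameUnsafe(apkPath)
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, `/\`) || name != filepath.Base(name) {
		return "", fmt.Errorf("rejecting APK file name %q from device", name)
	}
	return name, nil
}

// localCopyPath is the hardened counterpart of unsafeLocalCopyPath. It
// validates the file name and then, as a second independent check, confirms
// that the cleaned destination is still inside apksDir.
func localCopyPath(apksDir, apkPath string) (string, error) {
	name, err := extractFileNameSafe(apkPath)
	if err != nil {
		return "", err
	}
	dest := filepath.Join(apksDir, name)
	rel, err := filepath.Rel(apksDir, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("destination escapes the apks directory")
	}
	return dest, nil
}

func main() {
	fmt.Println("unsafe, crafted :", unsafeLocalCopyPath("apks", craftedAPKPath))
	for _, p := range []string{benignAPKPath, craftedAPKPath} {
		dest, err := localCopyPath("apks", p)
		fmt.Printf("safe %q -> %q, err=%v\n", p, dest, err)
	}
}
```

The containment check via filepath.Rel is deliberately redundant with the file-name validation: if a later refactor loosens extractFileNameSafe, the second check still catches a destination that has left apks/, which is the defense-in-depth posture the advisory recommends.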