Correctly identify Android APK/DEX files

This bug was originally reported by Hans-Christoph Steiner (hans@eds.org) in Debian bug #884095:

The Janus bug for Android works by making a valid APK file that is also
a valid DEX file.

https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures

Diffoscope sees these files as different file types, so there is no way
to imspect the malware payload. Given this and the issues in file
detection in #849782, there should be a way to force which kind of
comparison that diffoscope does.  Something like --force=apk would solve
both.

There are two example files attached.

Edited Mar 06, 2019 by Chris Lamb

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information