 AppVerifier was based on a planned GrapheneOS feature for users to verify APK files based on their key fingerprint. The feature is currently stalled since relying on the clipboard isn't ideal. For now, users can use AppVerifier from Accrescent until we ship a built-in approach to this. 
 Would this be mainly to verify apks on first download? Am I correct in believing that updates are already automatically verified? 
 Yes, but it can also verify currently installed apps too.

Installing an app from an APK file is trust on first use. All apps are signed by a certificate from the app developer which the OS trusts. Apps can only update if it is both a newer version, and it is signed by the same certificate it came with.
 
Updates are verified by only allowing updates from that same developer's certificate. If it doesn't match, it will fail. This prevents installing a fake or malicious update.

AppVerifier checks that the apps you installed have the genuine certificate and package name from the developer. It can compare against keys you provide, or it can check against an internal database of apps bundled in the app, if there is an entry for it.

DB can be found here: https://github.com/soupslurpr/AppVerifier/blob/master/app/src/main/kotlin/dev/soupslurpr/appverifier/InternalVerificationInfoDatabase.kt 
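As an added illustration of the install policy and the database check described above (this is not code from AppVerifier, Accrescent or GrapheneOS), using constructed byte strings as stand-ins for real DER-encoded signing certificates and a constructed database in place of the real one linked above:

```python
import hashlib
from dataclasses import dataclass, field


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded signing certificate, formatted as the
    colon-separated uppercase hex string developers usually publish."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class Apk:
    package: str
    version_code: int
    signer_cert_der: bytes  # constructed stand-in for the real certificate


@dataclass
class Device:
    # package name -> (installed version_code, pinned signer fingerprint)
    installed: dict = field(default_factory=dict)

    def install(self, apk: Apk) -> str:
        """Trust on first use: the first install pins the signer; an update is
        accepted only if it is newer AND signed by the pinned certificate."""
        fp = cert_fingerprint(apk.signer_cert_der)
        current = self.installed.get(apk.package)
        if current is None:
            self.installed[apk.package] = (apk.version_code, fp)
            return "installed"
        pinned_version, pinned_fp = current
        if fp != pinned_fp:
            return "rejected: signer mismatch"
        if apk.version_code <= pinned_version:
            return "rejected: not a newer version"
        self.installed[apk.package] = (apk.version_code, fp)
        return "updated"


def verify_installed(device: Device, database: dict) -> dict:
    """AppVerifier-style check of already installed apps against a database
    mapping package name -> set of acceptable signer fingerprints."""
    results = {}
    for package, (_, fp) in device.installed.items():
        expected = database.get(package)
        if expected is None:
            results[package] = "no entry"
        elif fp in expected:
            results[package] = "verified"
        else:
            results[package] = "MISMATCH"
    return results
```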
 Thank you for this great reply! I very much appreciate GrapheneOS and all you do 🙏