 Oh damn I was looking for something like this. 

However, I've been making sure I'm careful to install from the legit source initially. Isn't that enough?

I'm using Obtainium, so I'm relying on that initial install to protect me from compromised updates that haven't been signed with the same sig.

#stilllearning

 
yes, and no. be sure to get your apks directly from the source whenever possible. download and verify the apk file the first time (before install), then install, add the app link to Obtainium and use #obtainium to keep them all up to date (android verifies the signatures of updates). you can also retroactively verify already installed apks with #appverifier
Perfect. Yeah, I wasn't going as far as to verify the apk, mostly just being careful about being on the correct github page etc. This will be useful to ensure I'm safe though.

Thanks!!! 
ofc. most of the time you'd be fine, but apks can be compromised by github/gitlab vulnerabilities (like the oauth attacks in 2020 & 2022), or by anyone with access to the devs' git repos, or by malicious devs. it's best practice to always verify.
 also, the app and database are still growing and most apps don't publish hashes.

here's what the dev had to say...

---

In reply to (redacted):matrix.org
thanks for all the great work on this. some apps have green checkmark, others dont; is there anything us users can do to help get more apps checked?

Yes, please read https://github.com/soupslurpr/AppVerifier/blob/master/CONTRIBUTING.md and if you can, it would be appreciated to contribute directly to the internal verification info database in code so it is easier for me to review and merge as I don't have to write that part myself, only cross-verify.

> <@(redacted):matrix.org> perfect, so just to make sure I understand what's going on... the database includes a signing key hash taken from an app's website or github or whatever to later compare to the file, is that correct?

The app is installed from all the sources it is available on and the verification info is viewed and exported using AppVerifier. Most apps don't publish hashes.

---

until then we can try to verify by checking the apk site or repo for the hash signature of the apps we have and pasting that into the appropriate app in AppVerifier, or by downloading different apps from the same developer and comparing their hashes.

please note most apps don't publish hashes, and the same app on Google Play, F-Droid, and as a direct-from-dev apk can have different hash signatures, etc.
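The value the thread is talking about, the one AppVerifier shows and the one Android compares when it decides whether an update may replace an installed app, is the SHA-256 fingerprint of the signing certificate, not the hash of the APK file (which changes with every release). Below is an added example, written for this thread and not code from AppVerifier or Obtainium, of pulling that fingerprint out of an APK's v1 (JAR) signature block with only the Python standard library and comparing it against a published value. It assumes the APK carries a v1 signature (a META-INF/*.RSA, *.DSA or *.EC file); an APK signed only with the v2/v3 scheme has no such file, and for those you would read the fingerprint from `apksigner verify --print-certs` instead. The "certificates" in the sample APKs are constructed placeholder TLVs, not real X.509 certificates, and the PKCS#7 blob is shaped like a real signature block but carries no signature.

```python
"""Extract the signing-certificate SHA-256 fingerprint from an APK's v1 (JAR)
signature block and compare it with an expected, published value."""
import hashlib
import io
import zipfile


def der_encode(tag, content):
    """Minimal DER TLV encoder; only used to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_children(data):
    """Yield (tag, header_bytes, content_bytes) for each TLV directly inside `data`."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            n, hdr = first, 2
        else:
            nb = first & 0x7F
            n, hdr = int.from_bytes(data[i + 2:i + 2 + nb], "big"), 2 + nb
        start = i + hdr
        yield tag, data[i:start], data[start:start + n]
        i = start + n


def certificates_from_pkcs7(blob):
    """Return the full DER bytes of each certificate in a PKCS#7 SignedData blob.

    Path walked: ContentInfo SEQ { contentType OID, [0] EXPLICIT SignedData SEQ {
    version, digestAlgorithms, encapContentInfo, [0] IMPLICIT certificates, ... } }
    """
    _, _, ci_body = next(der_children(blob))
    _oid, explicit = list(der_children(ci_body))[:2]
    _, _, sd_body = next(der_children(explicit[2]))
    certs = []
    for tag, _, body in der_children(sd_body):
        if tag == 0xA0:  # [0] IMPLICIT SET OF Certificate
            for ctag, chdr, cbody in der_children(body):
                if ctag == 0x30:
                    certs.append(chdr + cbody)  # whole Certificate TLV, as apksigner/keytool hash it
    return certs


def apk_signer_fingerprints(apk_bytes):
    """SHA-256 hex fingerprints of every v1 signer certificate in an APK (a zip file)."""
    fps = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in certificates_from_pkcs7(z.read(name)):
                    fps.append(hashlib.sha256(cert).hexdigest())
    return fps


def normalize(fp):
    """Accept apksigner style (lowercase hex) and keytool style (AA:BB:.. uppercase)."""
    return fp.replace(":", "").replace(" ", "").lower()


def verify_apk(apk_bytes, expected_fingerprint):
    """True only if the APK has at least one signer and every signer matches the expected cert."""
    found = apk_signer_fingerprints(apk_bytes)
    return bool(found) and all(normalize(f) == normalize(expected_fingerprint) for f in found)


def build_sample_apk(cert_der):
    """Constructed toy APK: META-INF/CERT.RSA is shaped like a PKCS#7 signature block
    but carries no real signature, only the given placeholder 'certificate' TLV."""
    signed_data = der_encode(0x30,
        der_encode(0x02, b"\x01")                                                   # version
        + der_encode(0x31, b"")                                                     # digestAlgorithms
        + der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010701")))   # encapContentInfo
        + der_encode(0xA0, cert_der)                                                # certificates
        + der_encode(0x31, b""))                                                    # signerInfos
    pkcs7 = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010702"))
                       + der_encode(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


# Constructed stand-ins for the developer's certificate and somebody else's (not real X.509).
DEV_CERT = der_encode(0x30, der_encode(0x04, b"developer-cert"))
OTHER_CERT = der_encode(0x30, der_encode(0x04, b"someone-else"))
DEV_FINGERPRINT = hashlib.sha256(DEV_CERT).hexdigest()  # what you'd copy from the dev's site/repo

if __name__ == "__main__":
    good, bad = build_sample_apk(DEV_CERT), build_sample_apk(OTHER_CERT)
    print("expected:", DEV_FINGERPRINT)
    print("good apk:", apk_signer_fingerprints(good), "match" if verify_apk(good, DEV_FINGERPRINT) else "MISMATCH")
    print("bad apk: ", apk_signer_fingerprints(bad), "match" if verify_apk(bad, DEV_FINGERPRINT) else "MISMATCH")
```

Run it on a real APK by replacing the constructed sample with `open("app.apk", "rb").read()` and the expected value with the fingerprint the developer publishes; a mismatch on a first install means you are not holding the build the developer signed, and a mismatch between two sources (Play, F-Droid, direct download) is the "different hash signatures" situation mentioned above rather than necessarily a compromise. Android itself will refuse a later update whose signer differs, which is why getting the first install right matters most.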
 You read my mind! 
 i try 😉