Oddbean new post about | logout
Ava | 10 months ago (raw) | root | parent | reply | flag +1 
 ofc. most of the time you'd be fine, but apks can be compromised by github/gitlab vunerabilities (like the oauth attacks in 2020 & 2022) or anyone with access to the devs git repos, or malicious devs. it's best practice to always verify.
Ava | 10 months ago (raw) | root | parent | reply | flag 
 also, the app and database are still growing and most apps don't publish hashes.

here's what the dev had to say...

---

In reply to (redacted):matrix.org
thanks for all the great work on this. some apps have green checkmark, others dont; is there anything us users can do to help get more apps checked?

Yes, please read https://github.com/soupslurpr/AppVerifier/blob/master/CONTRIBUTING.md and if you can, it would be appreciated to contribute directly to the internal verification info database in code so it is easier for me to review and merge as I don't have to write that part myself, only cross-verify.

> <@(redacted):matrix.org> perfect so just to make sure i understand whats goin on... the database includes a signing key hash taken from an app's website or github or whatever to later compare to the file, is that correct?

The app is installed from all the sources it is available on and the verification info is viewed and exported using AppVerifier. Most apps don't publish hashes.

---

until then we can try to verify by checking the apk site or repo for the hash signature for the apps we have and paste that into the appropriate app in appverifier or download different apps from the same developer and compare their hashes.

please note most apps don't publish hashes and the same app on google play, f-droid, and direct from dev apk can have different hash signatures etc
Owen | 10 months ago (raw) | root | parent | reply | flag +1 
 You read my mind!
Ava | 10 months ago (raw) | root | parent | reply | flag 
 i try 😉