
appverifier's Introduction

AppVerifier

AppVerifier is an app signing certificate hash viewer and verifier.
It enables you to easily verify that your apps are genuine with others!

AppVerifier takes the app's package name and signing certificates hash(es) and compares them to the ones you provided or the ones in the internal database to verify that your apps are genuine.
You can share verification info with others, and when you receive verification info from them, share it to AppVerifier to see the verification status.
AppVerifier does the heavy lifting for you 💪

Download

AppVerifier is available on the Accrescent app store and GitHub releases. Accrescent is the recommended way to get AppVerifier as it is more secure than GitHub releases.
Click on the badge below to get it on Accrescent.

Get it on Accrescent

The package name and SHA-256 hash of the signing certificate are below, so if you are downloading the APK you can verify AppVerifier with apksigner using apksigner verify --print-certs AppVerifier-X.Y.Z.apk. If you are downloading from Accrescent, you should verify Accrescent itself here.

DO NOT use AppVerifier to verify itself!
Also DO NOT use AppVerifier to verify Accrescent if you downloaded AppVerifier from it.

dev.soupslurpr.appverifier
3A:04:A8:0B:2A:88:33:4C:74:74:85:F0:B2:15:16:40:A3:8B:B3:D2:D7:3A:8E:AB:81:DF:50:3E:0F:02:02:B2

It can also be found in a Bluesky post, so you do not have to trust the website. You are encouraged to check with other people that it is the same, for extra assurance.
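As an added example (not part of the AppVerifier project), the script below automates the apksigner comparison described above: it puts the colon-separated fingerprint into the lowercase form apksigner prints, extracts each signer's SHA-256 digest line, and requires the signer set to match exactly, which extends the check to APKs with more than one signer. The function names and the sample apksigner output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not AppVerifier code): check the signer digests printed by
#   apksigner verify --print-certs AppVerifier-X.Y.Z.apk
# against published fingerprints. All function names are this example's own.

# Fingerprint published in this README for dev.soupslurpr.appverifier.
APPVERIFIER_FP='3A:04:A8:0B:2A:88:33:4C:74:74:85:F0:B2:15:16:40:A3:8B:B3:D2:D7:3A:8E:AB:81:DF:50:3E:0F:02:02:B2'

# "3A:04:..." and "3a04..." are the same digest: compare one canonical form.
normalize_fp() {
    printf '%s' "$1" | tr -d ':[:space:]' | tr 'A-F' 'a-f'
}

# stdin: apksigner --print-certs output. stdout: sorted SHA-256 digests, one
# per signer. SHA-1/MD5 lines and anything malformed are ignored.
signer_digests() {
    sed -n 's/^Signer #[0-9][0-9]* certificate SHA-256 digest: *\([0-9A-Fa-f]\{64\}\)[[:space:]]*$/\1/p' |
        tr 'A-F' 'a-f' | sort -u
}

# check_certs FP [FP...] < apksigner-output
# Passes only if the APK's signer set equals the expected set exactly, so an
# extra or missing signer fails even when one digest matches.
check_certs() {
    [ "$#" -gt 0 ] || return 2
    want=$(for fp in "$@"; do normalize_fp "$fp"; echo; done | sort -u)
    got=$(signer_digests)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Constructed stand-in for apksigner output; no real APK is read here.
sample_output() {
    i=1
    for d in "$@"; do
        printf 'Signer #%d certificate DN: CN=constructed\n' "$i"
        printf 'Signer #%d certificate SHA-256 digest: %s\n' "$i" "$d"
        printf 'Signer #%d certificate SHA-1 digest: %040d\n' "$i" 0
        i=$((i + 1))
    done
}

if sample_output "$(normalize_fp "$APPVERIFIER_FP")" | check_certs "$APPVERIFIER_FP"; then
    echo "signing certificate matches the published fingerprint"
else
    echo "MISMATCH: do not install this APK"
fi
```

With a real download, pipe the apksigner command from the paragraph above into check_certs "$APPVERIFIER_FP" and also check apksigner's own exit status. The script compares certificate digests only; the package name still has to be checked separately.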

Community

Join the Matrix space at https://matrix.to/#/#appverifier-space:matrix.org for the Discussion, Announcements, and Beta Testing rooms.

Contributing

Check CONTRIBUTING.md for things to know if you want to contribute.

Donation

A fan of AppVerifier? You can donate to soupslurpr, the lead developer of AppVerifier, to support their work on AppVerifier and their other open source projects. Thank you!

Monero address:
88rAaNowhaC8JG8NJDpcdRWr1gGVmtFPnHWPS9xXvqY44G4XKVi5hZMax2FQ6B8KAcMpzkeJAhNek8qMHZjjwvkEKuiyBKF

The Monero address can also be found in the app's settings.

Branding

You may not use the name "AppVerifier", a name that includes "AppVerifier", and the app icon in a derivative work that has published builds.
This is to prevent confusion of which is the official AppVerifier.

appverifier's People

Contributors

atilluf, felschr, life00, matchboxbananasynergy, penknife0915, sawft99, soupslurpr, taivlam


appverifier's Issues

Proton Calendar

Package name

me.proton.android.calendar

Hash(es)

DC:C9:43:9E:C1:A6:C6:A8:D0:20:3F:34:23:EE:42:BC:C8:B9:70:62:8E:53:CB:73:A0:39:3F:39:8D:D5:B8:53

Ability to export all app IDs and signature hashes

I suggest implementing a feature that allows easily exporting all app IDs and corresponding signature hashes in some reasonable format. Would be very useful when compiling a list of app IDs + hashes.

Especially useful if #5 is implemented: makes the contributions to the database extremely easy. I would recommend making an option to export in the same format as the database format.

Proton Drive

Package name

me.proton.android.drive

Hash(es)

DC:C9:43:9E:C1:A6:C6:A8:D0:20:3F:34:23:EE:42:BC:C8:B9:70:62:8E:53:CB:73:A0:39:3F:39:8D:D5:B8:53

WG Tunnel

Package name

com.zaneschepke.wireguardautotunnel

Hash(es)

F-droid
69:49:37:7F:86:39:D0:3E:90:AF:27:94:26:40:97:34:31:99:8F:CF:34:1E:0B:BE:87:0F:76:40:C8:7F:24:4D

Github
52:04:D8:2E:76:6E:8A:A1:4D:CB:B0:6D:C7:0A:EB:AE:2B:DD:81:2D:4D:62:03:CD:52:1A:8A:68:5D:7D:3D:80

Source code link (Optional)

https://github.com/zaneschepke/wgtunnel

FairEmail

Package name

eu.faircode.email

Hash(es)

E0:20:67:24:9F:5A:35:0E:0E:C7:03:FE:9D:F4:DD:68:2E:02:91:A0:9F:0C:2E:04:10:50:BB:E7:C0:64:F5:C9

Proton Mail

Package name

ch.protonmail.android

Hash(es)

DC:C9:43:9E:C1:A6:C6:A8:D0:20:3F:34:23:EE:42:BC:C8:B9:70:62:8E:53:CB:73:A0:39:3F:39:8D:D5:B8:53

Tuta

Package name

de.tutao.tutanota

Hash(es)

Google Play Store/GitHub
B4:54:C1:76:F9:0A:1E:A0:57:29:87:D3:82:72:3B:5C:D7:4F:94:2A:79:37:A2:A0:B9:9A:36:80:69:14:88:50
F-Droid
FC:19:32:E0:84:64:AE:FC:AE:82:59:7D:C0:FC:9D:04:C0:8B:24:AA:09:D1:F9:50:DF:20:EA:81:23:4F:30:CB

Locus

Package name

app.myzel394.locus

Hash(es)

85:E4:B5:DB:23:82:B2:B0:AC:F0:C2:C6:B2:F6:71:D6:DF:57:DA:42:86:BD:56:CB:D0:4F:8C:5B:29:62:65:54

Source code link (Optional)

https://github.com/Myzel394/locus

SHA-256 hashes in AppVerifier database vs 40 character SHA-1 GPG public key hashes

Pardon the potentially ignorant question(s), but it seems relatively easy to find the 40 character SHA-1 GPG public key of developer's signing keys, for example, Mullvad's signing key: A1198702FC3E0A09A9AE5B75D5A1D4F266DE8DDF found here: https://mullvad.net/en/help/verifying-signatures and many other places such as Twitter (https://twitter.com/mullvadnet/status/794122723781918720). Where do the SHA-256 hashes come from that can be found in AppVerifier's internal database? I see three different hashes for Mullvad; one for the website/GitHub APK, one for the Google Play Store APK, and one for the F-Droid APK. When I try searching for these 64 digit SHA-256 hashes, I can't find any other references to them, which makes them harder to verify. When Mullvad releases a signature with each release, they are signing it with their A1198702FC3E0A09A9AE5B75D5A1D4F266DE8DDF signing key. Presumably this isn't the same key that is signing the APK certificates, and there are three different keys being used for the different app stores. My questions are:

  1. What are the benefits of making a database of the SHA-256 hashes of public keys that sign the APK certificates vs comparing to the SHA-1 GPG public key of valid APK signatures made available from the developer?
  2. Any recommendations for how to find these 64 digit SHA-256 public keys if they're not already in the AppVerifier database? I suppose download the APK file on desktop, verify the GPG signature of the signed APK, then use apksigner to view the certificate. Seems much more involved than searching other public locations.
  3. The above likely contains inaccurate assumptions. I appreciate any corrections.

I went looking for an open source way to verify signatures of APK files on mobile, and this seems to be designed to do that. Just curious as to the reasons behind this methodology vs what I'm more familiar with.

Appreciate it!

KeePassDX (libre)

Package name

com.kunzisoft.keepass.libre

Hash(es)

GitHub
7D:55:B8:AF:21:03:81:AA:BF:96:0F:07:E1:7C:F7:85:7B:6D:2A:64:2C:A2:DA:6B:F0:BD:F1:B2:00:36:2F:04
F-Droid
C8:10:AA:B7:EF:A4:D5:AD:3F:C2:94:1F:DF:5F:99:B8:8A:3B:73:F8:62:19:71:56:27:ED:B4:DA:BA:C5:41:A4

Bitwarden

Package name

com.x8bit.bitwarden

Hash(es)

F-Droid
DE:6E:C9:14:31:55:79:95:29:7B:F3:E6:5B:C8:03:49:BC:60:3A:04:70:81:60:61:8C:86:BC:99:94:17:1C:90
Play Store
24:E0:6C:04:C2:08:04:8F:19:F1:C9:93:B4:DD:A4:43:0E:A8:B0:6D:B8:37:5E:A0:E3:7B:83:46:96:B9:AC:3A

Seal

Package name

com.junkfood.seal

Hash(es)

44:93:58:2A:41:48:DF:38:FC:26:90:73:C8:78:7C:31:C4:31:ED:5B:6D:62:71:08:92:A0:40:6F:F5:0C:4D:67

Source code link (Optional)

https://github.com/JunkFood02/Seal

Markup

Package name

com.google.android.markup

Hash(es)

BA:83:57:40:B0:89:8D:BB:0F:FD:CB:00:F5:3F:9C:90:D3:19:4B:64:C3:9A:55:88:47:8F:9A:1A:AD:79:14:4F

Cromite

Package name

org.cromite.cromite

Hash(es)

63:3F:A4:1D:82:11:D6:D0:91:6A:81:9B:89:66:8C:6D:E9:2E:64:23:2D:A6:7F:9D:16:FD:81:C3:B7:E9:23:FF

Source code link (Optional)

https://github.com/uazo/cromite

Obtainium

Package name

dev.imranr.obtainium

Hash(es)

B3:53:60:1F:6A:1D:5F:D6:60:3A:E2:F5:0B:E8:0C:F3:01:36:7B:86:B6:AB:8B:1F:66:24:3D:A9:6C:D5:73:62

Clipious

Package name

com.github.lamarios.clipious

Hash(es)

19:DE:04:E5:D6:84:66:06:9D:30:EC:63:C6:BA:7D:9E:3C:F7:3B:5D:61:CB:4B:37:62:C2:B9:B2:53:EC:BD:03

App uses reproducible builds on F-Droid so has same signing key

Proton VPN

Package name

ch.protonvpn.android

Hash(es)

Official/Play Store
DC:C9:43:9E:C1:A6:C6:A8:D0:20:3F:34:23:EE:42:BC:C8:B9:70:62:8E:53:CB:73:A0:39:3F:39:8D:D5:B8:53
F-Droid
95:0E:E2:D4:D0:A4:3F:FB:A7:EE:1D:A9:54:1C:4A:13:DE:FE:81:EB:69:7B:A7:D2:4C:17:F6:F8:86:E3:21:24

Supply APK file for verification

The way AppVerifier currently works, an app has to first be installed before the app can find it and verify it.

Ideally, AppVerifier should be able to accept an APK file and allow the user to verify it before needing to install it.

Move the hashes of internal database to GitHub

It seems more practical to avoid storing the hashes statically in the app and instead outsource them to a file on GitHub. This file could be synchronized at regular intervals. This approach allows for the hashes to be updated without the need to release a new app update each time.

Android Auto

Package name

com.google.android.projection.gearhead

Hash(es)

Play Store
FD:B0:0C:43:DB:DE:8B:51:CB:31:2A:A8:1D:3B:5F:A1:77:13:AD:B9:4B:28:F5:98:D7:7F:8E:B8:9D:AC:EE:DF
1C:A8:DC:C0:BE:D3:CB:D8:72:D2:CB:79:12:00:C0:29:2C:A9:97:57:68:A8:2D:67:6B:8B:42:4F:B6:5B:52:95

Source code link (Optional)

Auxio

Package name

org.oxycblt.auxio

Hash(es)

GitHub
DA:84:E2:53:4C:1A:CC:0B:6E:4F:57:DE:DB:64:0D:4D:C8:93:F5:BF:41:37:A2:E1:EC:BA:87:AD:F8:25:BA:44
F-Droid
65:B3:E6:2A:2B:57:BF:73:23:5B:E6:D2:D4:2A:E5:46:FC:B0:2F:D1:7F:62:CD:14:50:0D:1C:41:2A:28:59:72

Google Maps

Package name

com.google.android.apps.maps

Hash(es)

F0:FD:6C:5B:41:0F:25:CB:25:C3:B5:33:46:C8:97:2F:AE:30:F8:EE:74:11:DF:91:04:80:AD:6B:2D:60:DB:83

Scroll up (at top of the list) reloads the list of apps and their status

I would like to make a feature request to implement an intuitive way of refreshing the list of apps and their status. When the top of the list is reached if the user scrolls up more it will refresh the list.

Similar behavior may be found in Android Chromium based browsers, LibreTube, Feeder, Obtainium just to name a few.

Proton Pass

Package name

proton.android.pass

Hash(es)

DC:C9:43:9E:C1:A6:C6:A8:D0:20:3F:34:23:EE:42:BC:C8:B9:70:62:8E:53:CB:73:A0:39:3F:39:8D:D5:B8:53

YouTube

Package name

com.google.android.youtube

Hash(es)

3D:7A:12:23:01:9A:A3:9D:9E:A0:E3:43:6A:B7:C0:89:6B:FB:4F:B6:79:F4:DE:5F:E7:C2:3F:32:6C:8F:99:4A

LocalSend

Package name

org.localsend.localsend_app

Hash(es)

Google Play Store
BB:3E:E2:82:39:B1:41:8A:F1:6D:DC:64:7D:5A:94:8A:57:3C:2D:13:6D:2B:74:BC:E4:7E:9D:8E:23:35:30:4E
F-Droid/GitHub
32:20:C3:53:A7:3C:FB:D0:C2:F3:05:24:71:C4:45:32:4C:F4:52:BC:BA:26:DE:1C:47:3A:52:FE:5C:44:E1:D6

Overload

Package name

cloud.pablos.overload

Hash(es)

4D:1D:43:17:A6:F5:7B:95:89:90:D2:39:1D:07:52:4E:D1:D5:4D:D3:4C:35:01:A1:B4:02:13:36:66:AE:A3:B3

Button to make an issue to add an app's verification info to the AppVerifier database

After #5, there can be a button that opens a multi step dialog that guides you through to first clicking the link that opens the issue tracker and searches the package name to see if there is an existing issue for it (e.g. https://github.com/soupslurpr/AppVerifier/issues?q=is%3Aissue+[DATABASE+INCLUSION]+dev.soupslurpr.beautyxt) to prevent spam.

If there isn't an existing issue then make an issue to include that app in the database by creating a link with the title and body of the issue content (e.g. https://github.com/soupslurpr/AppVerifier/issues/new?title=[DATABASE+INCLUSION]+dev.soupslurpr.beautyxt&body=haven't+decided+yet+what+format+to+put+the+verification+info+here).

KeePassDX

Package name

com.kunzisoft.keepass.free

Hash(es)

Google Play Store
46:D5:15:D5:F4:15:72:42:0C:EF:30:C0:7B:52:6B:F2:C4:0F:C4:A1:13:EF:19:1F:4F:9D:F9:01:2E:09:1F:35
GitHub
7D:55:B8:AF:21:03:81:AA:BF:96:0F:07:E1:7C:F7:85:7B:6D:2A:64:2C:A2:DA:6B:F0:BD:F1:B2:00:36:2F:04

Aegis

Package name

com.beemdevelopment.aegis

Hash(es)

Official/Play Store
C6:DB:80:A8:E1:4E:52:30:C1:DE:84:15:EF:82:0D:13:DC:90:1D:8F:E3:3C:F3:AC:B5:7B:68:62:D8:58:A8:23
F-Droid
09:CF:DE:62:E2:A8:1C:80:50:D3:BE:4C:20:E3:F8:D8:DD:D0:15:31:BE:1B:47:CB:3B:0E:EC:21:3F:64:1F:89

parseVerificationInfoTextToVerificationStatus doesn't respect hasMultipleSigners

In

It's checked if the first line matches any of the entries regardless of the value of hasMultipleSigners. It should check that hasMultipleSigners is false before doing so.
This can be a potential security issue as only one hash would need to match if a package name isn't provided, while if hasMultipleSigners is true it should match all the provided hashes.

AppVerifier missing in AppVerifier

The app is missing its own app 😅
So how can I trust that this app is the original one? It would be nice if you can list AppVerifier to the apps page.
To make sure that nobody has edited the hash of this app, the hash of AppVerifier should also be stored in Git in the description. This ensures that the installed AppVerifier is the official one.

Wireguard

Package name

com.wireguard.android

Hash(es)

IzzyOnDroid
84:A1:3F:A2:C4:E0:06:4B:0C:11:65:4B:8A:86:57:4B:7A:9B:93:52:A3:83:4C:EE:32:45:5B:06:1C:3D:41:27

Source code link (Optional)

Add search functionality

I have a lot of apps and it is kinda difficult to find the app I am interested in right away. I suggest to add some kind of search functionality for app names or package names.
