Transcript

Please excuse any grammatical errors. I used a tool to generate the transcript and haven’t had a chance to read through it yet.

So the app we’re going to be talking about today is called App Verifier. It’s useful if you download APKs without an app store and install them on your device, or if you use something like Obtainium to obtain apps directly from repositories or different sources. App Verifier adds one more layer of verification to the APKs that you download.

This is the official repository for App Verifier. If we check the description here, we can see that App Verifier takes the app’s package name and the signing certificate’s hashes and compares them to the ones you provided or the ones in the internal database to verify that your apps are genuine.

While that description might be a little confusing, let’s walk through a demonstration of how to use it. The first step in order to use it is to install it. We can see here on the GitHub repository that the recommended way to download it is to get it from Apps if you’re on GrapheneOS. If you don’t have Apps installed yet, you can swipe up, go to the app store, and install Apps from there.

Once you do install Apps, open the app, scroll down to App Verifier, and install it. Now, once that’s installed, we can go into the app. The first thing you’ll see is the privacy policy; give it a read over and then accept it. It basically states that there’s no warranty and that it’s provided as is.

On the main screen, the first thing we have is an app list. This shows all the current apps you have installed under your user profile. In my case, I have Obtainium and Apps installed. We can see here that there are two green check marks next to the app. If you select the app, we can see that the Apps hash was verified using the internal database. You can select “Success” if you want to see details on how it was matched. This is a great way to verify the apps you currently have installed on your device.

The next option is to verify an APK file. If you have some APKs you downloaded, you can manually verify them there. The last option is settings, so feel free to give those a read over if you want.

The main way I think most people will use App Verifier is in conjunction with Obtainium. For this example, I’m going to install LocalSend. I’ll paste the repository here and select the APK. Once it’s ready, I’ll select install. It’s automatically shared with App Verifier, which is convenient.

We can see here that LocalSend was verified using the internal database. Success! You can then swipe back and go ahead and install your app as you normally would.

Another way you can use App Verifier is to manually verify APKs. For example, let’s say you want to download the Signal APK. I’ll download it from their site. Once it’s downloaded, we can go into the App Verifier app, select “Verify APK,” and find our download. When we select it again, you can see it was successfully verified using the internal database.

One more feature I want to show you is down here: you can verify from clipboard. In the case of Signal, they publish the hash for the APK on their site, which we can see here. We’ll just copy it, and if we go back to App Verifier and select “Verify from Clipboard,” paste it in there. We can see the verification status as success.

The reason that verifying from clipboard is useful is that not all apps are inside the internal database. For another example, let’s download the Standard Notes APK from their repository. Once that finishes, we’ll go to App Verifier, select “Verify APK,” and choose the new APK we downloaded. We can see that the internal database status is not found.

This highlights the crux of App Verifier: if the certificate hash for an app is not in the internal database, then you need to go around and find it. Unfortunately, most developers don’t publish it anywhere, so you really do need to look for it and hope you can find it.

In the best-case scenario, using App Verifier as an example, we can see here in the README that the developer does post the certificate hash. Additionally, they also post it in a third-party location, which is great. We can see that it can be found in a Bluesky post. If we open that, we have the matching certificate hash.

The reason having it in a third-party location is beneficial is that, let’s say someone compromises the GitHub account for this app and uploads a new APK; they would also need to update the certificate hash. If they upload a malicious one, anyone trying to verify it would use the incorrect hash. Posting it in a third-party location means that two different accounts need to be compromised, which is much less likely than just compromising one account.

Getting back to the main reason for discussing this: unfortunately, there’s not much more you can do. You could ask the developer to publish it on the repository or on one of their social media accounts for verification. Another option is to download it from a trusted source. For example, I could download Standard Notes from Google Play in a separate user profile, install App Verifier, check the certificate hash here, and then compare it on my other user profile with the app downloaded from GitHub.
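As an added example (not code from the video or from the App Verifier project), here is a small POSIX shell check for the manual comparison described above: it takes the signing-certificate SHA-256 that `apksigner verify --print-certs` prints for an APK and compares it with the hash a developer publishes, regardless of colon or case formatting. The `apksigner` call assumes Android build-tools is on PATH; the sample apksigner output and its fingerprint below are constructed, not a real app's certificate.

```shell
#!/bin/sh
# Added example: compare an APK's signing-certificate SHA-256 (as printed by
# apksigner) against a published fingerprint such as one copied from a README,
# a Bluesky post, or the clipboard.

# Normalize a fingerprint: drop colons and spaces, lowercase the hex.
norm_fp() {
  printf '%s' "$1" | tr -d ': ' | tr 'A-Z' 'a-z'
}

# Pull the SHA-256 certificate digest(s) out of apksigner --print-certs output
# read from stdin; prints one lowercase hex digest per signer.
cert_sha256_from_output() {
  sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *//p' | tr 'A-Z' 'a-z'
}

# check_apk_output "<apksigner output>" "<published fingerprint>"
# Returns 0 when every signer digest matches, 1 on mismatch, 2 on bad input.
check_apk_output() {
  expected=$(norm_fp "$2")
  [ ${#expected} -eq 64 ] || { echo "expected hash must be 64 hex chars" >&2; return 2; }
  digests=$(printf '%s\n' "$1" | cert_sha256_from_output)
  [ -n "$digests" ] || { echo "no SHA-256 digest in apksigner output" >&2; return 2; }
  for d in $digests; do
    [ "$d" = "$expected" ] || { echo "MISMATCH: $d != $expected" >&2; return 1; }
  done
  echo "OK: signing certificate matches the published hash"
  return 0
}

# Real use: verify_apk app.apk AA:BB:CC:...  (needs apksigner on PATH).
# apksigner itself fails if the APK's signature is invalid or tampered with.
verify_apk() {
  out=$(apksigner verify --print-certs "$1") || { echo "apksigner: invalid signature" >&2; return 1; }
  check_apk_output "$out" "$2"
}

# Constructed sample of apksigner output (fingerprint is made up for the demo).
SAMPLE_OUTPUT='Signer #1 certificate DN: CN=Example Dev
Signer #1 certificate SHA-256 digest: 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
Signer #1 certificate SHA-1 digest: da39a3ee5e6b4b0d3255bfef95601890afd80709'
```

A mismatch here means the APK was signed by a different key than the one the developer published, which is exactly the case App Verifier flags when a hash is known.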

Honestly, that’s a lot to do. Personally, I don’t do that; I just trust the APK I download from GitHub. It’s not the best practice, but it’s not perfect.

If we check the contribution guide, we see that contributions of new apps to the internal verification info database won’t be accepted at this time. Hopefully, that changes in the future, and maybe the developer builds some system for submissions or some way to verify better. But until then, if it’s not found in the internal database, you just need to hope the developer of App Verifier adds it.

With all that being said, I still think this is a great app and it has a lot of potential. So check it out and see if it fits into your workflow. If you have any other questions or comments, feel free to leave those down below, and I will see you next time.