How can I verify the authenticity of an APK file I downloaded?

The latest update of Google Maps is unavailable in my country, so I downloaded a version by googling for "Google Maps 5.4.0 apk". I did in fact find it, but now I wonder how I can tell if this is in fact the same version as in the market. How can I be sure that it hasn't been tampered with? Are apps signed in any way? Is there any way of checking the signatures?

16.3k 10 10 gold badges 75 75 silver badges 126 126 bronze badges asked May 14, 2011 at 13:57 Nathan Fellman Nathan Fellman 5,480 19 19 gold badges 56 56 silver badges 78 78 bronze badges

If you visit, from your mobile, the page: m.google.com/maps , does it offer you a download link or something alike?

Commented May 14, 2011 at 16:23 @Nicolás: It links to the market, from which I can't download it. Commented May 14, 2011 at 16:29 Commented Nov 6, 2017 at 17:59

If you have a second app that is "authentic" and comes from the same vendor, you can compare if both apps are signed using the same keys/identity: Comparing signatures of apks

Commented May 15, 2019 at 18:28

As long as it's an APK and not an AAB. you can compare the app signature. This just proves that the app has been signed by a developer who generated a key/

Commented Jul 6, 2022 at 18:39

6 Answers 6

Sidestepping the debate over the legitimacy of installing that app on your phone, the question of verification is one that I've been meaning to understand for a while, and you've prompted me to try to figure out a possible way of verifying who signed an apk.

Android apps are signed in the normal manner of .jar files (.apk is really just a special .jar which is just a special .zip) however it may not be trivial to trace the authenticity of the certificates unless you have something known good to compare to. That's basically what the phone itself does - verifies that something that claims to be from the same party as something already on the phone actually is - the phone doesn't refuse to install things with unknown signers, it can only (object to/clear application data of) apparent forgeries when something new doesn't match something old that it claims to.

You will need to have jarsigner and keytool. I believe these come from the JDK which is a prerequisite to the android SDK rather than the SDK itself.

First you want try to verify the public key contained within the .apk. Usually this is in META-INF/CERTS.RSA but it can be in another file - unzip -l will tell you. You want to see what you can find out about it:

unzip -p suspect.apk META-INF/CERT.RSA | keytool -printcert 

That's going to dump out a lot of information about who the signer claims to be. Some certificates are apparently themselves signed by known parties, but without figuring out how to trace that, I suspect you could do something like this:

unzip -p suspect.apk META-INF/CERT.RSA | keytool -printcert | grep MD5 unzip -p knowngood.apk META-INF/CERT.RSA | keytool -printcert | grep MD5 

If you have a known trusted apk from the same author who used the same certificate. I'm assuming that the certificates having the same MD5 sum is enough.

Assuming you've decided to trust the certificate, then you can see if it has been used to sign each of the files within the .apk

jarsigner -verbose -verify suspect.apk 

(If there's more than one .RSA file in the archive, you should add the -certs flag to tell you which certificate(s) have been used to sign each file, so you can be sure its the certificate you verified)

answered May 15, 2011 at 2:46 Chris Stratton Chris Stratton 1,699 13 13 silver badges 13 13 bronze badges

@Chris Stratton Is it possible to copy Google Maps apk off a device ? Then one can check the certs as you said.

Commented Sep 19, 2015 at 2:19

Recent Android Apps often do no longer contain a v1 signature that can be verified with jarsigner (only a v2 orand v3 signature). Therefore apksigner from Android SDK should be the preferred way to verify a signature of an APK file.

Commented Oct 26, 2021 at 10:39

Verifying an APK signature

The correct way to verify an APK file is to use apksigner .

apksigner is part of the Android build tools (Andorid SDK), therefore you may find multiple versions installed, one for each build-tools version installed.

One example path within the Android SDK to apksigner is:

android-sdk/build-tools/30.0.1/apksigner 

For more details on how to get apksigner see last chapter of this answer.

Execute apksigner this way:

apksigner verify --verbose --print-certs "Signal-website-universal-release-4.49.13.apk" Verifies Verified using v1 scheme (JAR signing): true Verified using v2 scheme (APK Signature Scheme v2): true Verified using v3 scheme (APK Signature Scheme v3): true Number of signers: 1 Signer #1 certificate DN: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US Signer #1 certificate SHA-256 digest: 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26 Signer #1 certificate SHA-1 digest: 45989dc9ad8728c2aa9a82fa55503e34a8879374 Signer #1 certificate MD5 digest: d90db364e32fa3a7bda4c290fb65e310 Signer #1 key algorithm: RSA Signer #1 key size (bits): 1024 Signer #1 public key SHA-256 digest: 75336a3cc9edb64202cd77cd4caa6396a9b5fc3c78c58660313c7098ea248a55 Signer #1 public key SHA-1 digest: b46cbed18d6fbbe42045fdb93f5032c943d80266 Signer #1 public key MD5 digest: 0f9c33bbd45db0218c86ac378067538d

Estimate the authenticity of the signer certificate

Now you have verified the APK, but you still don't know if you can trust the person/organization who has signed the APK file. This is because on Android APK signatures use by definition self-signed certificates. If you can trust a certificate is therefore a difficult question. The only way is to check the other apps that have been signed using the same certificate.

The only way I know to do so is to use online PlayStore crawling services like androidobservatory.org. It has an API for checking which apps have been signed by the same certificate using the certificate SHA-1 digest:

Edit: apkmirror.com also allows to search for the certificate digest. Just enter the plain SHA-1 or SHA-256 certificate digest (without colons or spaces) in the search field:

On this page you can see all the other APK files on Google Play Store that are signed with the same certificate.

Getting and executing apksigner

Apksigner is a Java tool and Google provides for start-up a batch file apksigner.bat (Windows) respectively a shell script apksigner.sh (Linux, MacOS).

As mentioned before it is included in each build-tools version of Android SDK. But it is not placed in PATH so you can not simply open a command-prompt or terminal and execute apksigner , instead you have to manually provide the full path to apksigner.bat / apksigner.sh .

If you don't want to install the whole Android SDK (with or without Android Studio) you can directly download build tools and extract and execute apksigner. Links to the all build-tools are provided on this website (the provided links go to the original Google download locations).

I prefer apksigner from build-tools v30:

You only need the file lib/apksigner.jar from the archive. Extract it and open a shell in the folder. Then execute java -jar apksigner.jar . To execute you need Java 9 or higher (best Java 11 or 17).

Using this direct approach the command to execute apksigner is

java -jar apksigner.jar verify --verbose --print-certs "Signal-website-universal-release-4.49.13.apk" 

Or if you use full path names - replace the sections with the appropriate path that works on your OS:

/java -jar /apksigner.jar verify --verbose --print-certs ""