
How to identify origin APK files from Google?

Discussion in 'Android Lounge' started by Kurt Pattinson, Nov 29, 2019.

  1. Kurt Pattinson

    Thread Starter

    The fact that we download APK files from many sources but have no way of telling whether they're original or not is pretty risky. Related problems include security or unnecessary app installation.
    Is there any way to help us with this issue?
     


  2. Best Answer:
    Post #2 by svim, Nov 29, 2019 (1 points)
  3. svim

    svim Extreme Android User

    Install apps only from Google's Play Store to be sure they've gone through Google's review process. If there's an app that its developer has opted to provide outside of Google's purview (i.e. Fortnite) or you live in a country that doesn't allow Google to provide its services locally, you then need to be wary of every apk you obtain, so be sure to research the source of any download. There are several sources like https://www.apkmirror.com that get the apk files they provide directly from the Play Store, plus there are very popular, user-verified sites like https://f-droid.org or https://fossdroid.com that provide only Open Source projects where there are also a lot of apps available that their respective developers intentionally choose to avoid the oversight of Google and its Play Store.
     
    ocnbrze and MoodyBlues like this.
  4. Kurt Pattinson

    Thread Starter

    Yeah, but how can you tell whether an APK file is original or not? That was the point.
     
    willstanford likes this.
  5. ocnbrze

    ocnbrze DON'T PANIC!!!!!!!!!

    you can't tell....that is the thing. a file is just a file. there is no origins within any file to tell where it came from. it does not matter what kind of file it is. you can only trust the site that is offering such files.

    this is why i rarely deal with apk files. i trust google and their play store way more than i trust these apk sites.
     
  6. Kurt Pattinson

    Thread Starter

    I checked and asked some others about this problem; actually, they said we can tell by using security software or a test device. Some pros may tell by analysing the code, but that gets pretty hard for normal users to do.
    At least I heard others saying that.
     
  7. Kurt Pattinson

    Thread Starter

    Actually, I don't know how to express it correctly, but an origin file is a file that was contained in the Google Play Store, and some may try to disturb it by adding some code lines or anything, for example to drive you into an advertisement.
    Besides, the changes in the file may lead to some additional risks like security, etc.
     
  8. Hadron

    Hadron Smoke me a kipper...
    VIP Member

    No, I talked about using test devices as a way of checking for malware, or security software to scan for known malware signatures. That isn't the same as verifying the origin of the apk. And you don't get source code from the Play Store, though for FOSS apps it is available from the developers. I did say that if you know the checksum of the original apk it's easy to test that it's identical, but you are unlikely to have that.

    You could try checking the apk's digital signature (again, if you know how or are prepared to make the effort to find out). This is something that a couple of app download sites say they do, though if you are not prepared to take their word on this you'll have to do it yourself to be sure.
     
    Daniel Fernandes likes this.
  9. Daniel Fernandes

    Daniel Fernandes Android Enthusiast

    There's a FOSS app called Aurora Store that seems to be an actual Google Play Store client (like, it displays data directly from Google). So if you do have geo-restrictions or other reasons to not use Google's own Play Store app, you can use this as an alternative.

    Also when developers build their app, they need to have it 'signed'. If an app was manipulated by someone else, it will certainly have a different signature. Each time Android updates an app, it checks the previous version's signature with the new version's signature, and if they don't match, the app doesn't get updated. However, this only protects you from updating to a manipulated version. It won't help if you're installing it for the first time.
     
    Hadron likes this.
  10. svim

    svim Extreme Android User

    Well that's more of a simple question to a complex issue. There's little you can do to verify any APK you install is definitively the exact same duplicate file the original developer(s) created, unless you do something like use their source code (easier if the APK is Open Sourced, a daunting task if not) to make your own APK and then do a one-to-one comparison between your APK and the target APK.
    https://en.wikipedia.org/wiki/Android_application_package
    Basically, it would be more prudent to just focus all your attention on where you obtain your APK files from; verifying every app you install/upgrade isn't just something that requires one to build up their development skills but will also involve a lot of time and effort each time.
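
Added example, not part of any post in this thread: the checksum test Hadron mentions and the one-to-one comparison svim describes, sketched in Python. It hashes the whole file first, then compares each ZIP entry while skipping the signature files under META-INF, which differ whenever the signer differs; the function names and the sample archives are constructed for illustration.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signature files. They differ whenever the signer differs, so they
# are skipped; skipping MANIFEST.MF as well is an assumption of this sketch.
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def is_signature_entry(name: str) -> bool:
    upper = name.upper()
    return upper.startswith("META-INF/") and (
        upper.endswith(SIG_SUFFIXES) or upper == "META-INF/MANIFEST.MF")

def entry_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature ZIP entry to the SHA-256 of its content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {n: sha256_of(zf.read(n)) for n in zf.namelist()
                if not is_signature_entry(n)}

def compare_apks(reference: bytes, candidate: bytes) -> dict:
    """Whole-file checksum first, then an entry-by-entry comparison."""
    if sha256_of(reference) == sha256_of(candidate):
        return {"identical": True, "added": [], "removed": [], "changed": []}
    ref, cand = entry_digests(reference), entry_digests(candidate)
    return {
        "identical": False,
        "added": sorted(set(cand) - set(ref)),
        "removed": sorted(set(ref) - set(cand)),
        "changed": sorted(n for n in ref.keys() & cand.keys()
                          if ref[n] != cand[n]),
    }

def build_sample(entries: dict) -> bytes:
    """Constructed stand-in for an APK (an APK is a ZIP archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    own = build_sample({"classes.dex": b"code", "META-INF/CERT.RSA": b"key A"})
    got = build_sample({"classes.dex": b"code + ads", "assets/extra.bin": b"?",
                        "META-INF/CERT.RSA": b"key B"})
    print(compare_apks(own, got))
```

An empty added/removed/changed result with "identical" false means the content matches and only the signing differs. This does not verify the signature itself; the Android SDK's apksigner tool does that.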
     