by opencl 2793 days ago
It is very easy to verify these apps have not been modified if you also have access to a known good copy of the same app. Install known good copy -> install suspect APK as upgrade -> signature check performed on upgrade verifies that it was signed with the same key as the old version, so if the upgrade succeeds there has been no modification.
2 comments

Actually Google is adding a way to verify it came from them:

https://android-developers.googleblog.com/2018/06/google-pla...

They specifically cite being able to do this peer to peer.

How do you get access to a known good copy of the app?
Especially since the normal use of an APK intermediary is that one does not have access to a known good source such as Google Play.
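Added example, not part of the thread: the upgrade check described in the top comment comes down to the suspect APK having a valid signature from the same certificate as the known good copy, and the same comparison can be made without installing anything. The sketch below runs `apksigner verify --print-certs` on both files and compares the signer certificate SHA-256 digests; the output line format it parses, the helper names and the sample digests are assumptions constructed for illustration.

```python
import re
import subprocess
import sys

# Assumed line format: "Signer #1 certificate SHA-256 digest: <64 hex chars>"
DIGEST_RE = re.compile(
    r"^Signer\b.*?certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M
)

def signer_digests(apksigner_output):
    """Return the set of signer certificate SHA-256 digests found in the output."""
    return {m.group(1).lower() for m in DIGEST_RE.finditer(apksigner_output)}

def run_apksigner(apk_path):
    """Verify the APK signature and return apksigner's certificate listing."""
    # check=True raises CalledProcessError if apksigner reports a failure,
    # so a tampered or unsigned APK never reaches the comparison step.
    result = subprocess.run(
        ["apksigner", "verify", "--print-certs", apk_path],
        capture_output=True, text=True, check=True,
    )
    return result.stdout

def same_signers(known_good_output, suspect_output):
    """True only if both APKs carry exactly the same set of signer certificates."""
    good = signer_digests(known_good_output)
    suspect = signer_digests(suspect_output)
    if not good or not suspect:
        # No digest parsed: treat as an error rather than as a match.
        raise ValueError("no signer certificate digest found in apksigner output")
    return good == suspect

# Constructed sample outputs (digests are placeholders, not real certificates).
KEY_A = "ab" * 32
KEY_B = "cd" * 32

def sample_output(digest):
    return (
        "Signer #1 certificate DN: CN=Example Developer\n"
        f"Signer #1 certificate SHA-256 digest: {digest}\n"
        "Signer #1 certificate SHA-1 digest: " + "00" * 20 + "\n"
    )

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: script.py known_good.apk suspect.apk
        ok = same_signers(run_apksigner(sys.argv[1]), run_apksigner(sys.argv[2]))
    else:                    # offline demo on the constructed samples
        ok = same_signers(sample_output(KEY_A), sample_output(KEY_B))
    print("same signing certificate" if ok else "DIFFERENT signing certificate")
```

A match only says the suspect APK was signed by the holder of the same key; like the upgrade check, it still depends on the reference copy being trustworthy.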