Validating side-loaded APKs
I was desperate to try Hangouts 4.0 for Android, but suspicious of side-loading. I wanted to verify the APK signature cert had Google’s fingerprint of
38:91:8A:45:3D:07:19:93:54:F8:B1:9A:F0:5E:C6:56:2C:ED:57:88
Here’s how to check the signatures on an APK, as usual, in shell functions (the JDK is needed for jarsigner and keytool):
    # Verify the JAR signature and list the signer certificates
    apk-check () {
      jarsigner -verify -verbose -certs "$1"
    }

    # Print the signing certificate details, including fingerprints
    apk-print-cert () {
      keytool -list -printcert -jarfile "$1"
    }

    # usage
    # make sure it's verified
    $ apk-check *apk|grep verified
      s = signature was verified
    jar verified.

    # show cert identifier
    $ apk-check *apk|grep X.509|head -n2
    X.509, CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
    X.509, CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US

    $ apk-print-cert *apk|grep SHA1
    SHA1: 38:91:8A:45:3D:07:19:93:54:F8:B1:9A:F0:5E:C6:56:2C:ED:57:88
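
Comparing the fingerprint by eye is easy to get wrong, so here is an added example (not part of the original post) that pins the expected SHA1 and fails closed when any signer certificate differs or none is found. The function names and the sample keytool output are constructed for illustration; the pinned value is the fingerprint quoted above.

```shell
# Added example. Pinned value is the SHA1 fingerprint quoted in the post.
PINNED_SHA1='38:91:8A:45:3D:07:19:93:54:F8:B1:9A:F0:5E:C6:56:2C:ED:57:88'

# Constructed sample of `keytool -list -printcert -jarfile` output (trimmed).
SAMPLE_KEYTOOL_OUTPUT='Signer #1:
Certificate #1:
Owner: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Certificate fingerprints:
         SHA1: 38:91:8A:45:3D:07:19:93:54:F8:B1:9A:F0:5E:C6:56:2C:ED:57:88'

# Read keytool output on stdin; print each SHA1 fingerprint as
# uppercase hex without colons, one per line.
apk_sha1_fingerprints() {
    sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p' | tr -d ': \r' | tr 'a-f' 'A-F'
}

# Read keytool output on stdin. Return 0 only if at least one SHA1 line
# is present and every one equals the expected fingerprint in $1.
apk_fingerprint_matches() {
    afm_expected=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    [ "${#afm_expected}" -eq 40 ] || return 2   # malformed pin
    afm_found=$(apk_sha1_fingerprints)
    [ -n "$afm_found" ] || return 2             # no fingerprint seen: fail closed
    # Any line that is not exactly the pin means an unexpected signer.
    if printf '%s\n' "$afm_found" | grep -qvxF "$afm_expected"; then
        return 1
    fi
    return 0
}

# usage: apk_verify_pinned app.apk "$PINNED_SHA1"   (needs the JDK)
apk_verify_pinned() {
    # jarsigner exits 0 even for unsigned jars, so check its verdict line.
    jarsigner -verify "$1" | grep -q '^jar verified' \
        || { echo "FAIL: signature not verified: $1" >&2; return 1; }
    keytool -list -printcert -jarfile "$1" | apk_fingerprint_matches "$2" \
        || { echo "FAIL: signer fingerprint mismatch: $1" >&2; return 1; }
    echo "OK: $1 is signed by the pinned certificate"
}
```

jarsigner validates only the JAR (v1) signature; for APKs signed with APK Signature Scheme v2 or later, `apksigner verify --print-certs` from the Android SDK build-tools is the matching check.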