Some free applications on Google Play are limited to the United States, so the rest of the world has to use dodgy sites to get them. However, the security of such sites is questionable, as the apps might be modified and contain some kind of malware.
Is there a way to get the SHA or MD5 hash of the apk file from the play store so it can be compared with the downloaded one to make sure that it's safe?

-
Related: How can I verify the authenticity of an apk file I downloaded? – eldarerathis Nov 08 '12 at 17:07
-
I don't think the md5/sha5 sum would be a good idea. However, all APKs are signed by the developer, so if you have another app from the same author, compare the signatures and check the .apk sig itself. EDIT: see eldarerathis' link above – ce4 Nov 08 '12 at 17:11
-
The other app from the developer is limited too, so we can't download and compare – mike Nov 08 '12 at 18:10
-
A SHA-3 sum is a very good idea because you can't clone it faster than 1000 years, and you can simply compare the hash of what you downloaded with what Google Play says on the app page. It can't be easier and safer. – mike Nov 08 '12 at 18:16
-
"you can't clone it faster than 1000 years" What're you talking about? – Nov 08 '12 at 18:35
-
@Richard Borcsik I'm talking about http://en.wikipedia.org/wiki/Sha3 – mike Nov 08 '12 at 19:29
-
I know what SHA3 is. I was asking about the figure of "1000 years". I'm not talking about cloning (what is that anyway?) but making another apk that has the same checksum as the original. It certainly doesn't require 1000 years given adequate processing power. – Nov 08 '12 at 19:41
-
That is why SHA3 was created, to prevent cloning the hash sum. The signature is signing the hash. It's all about the hash, and it's secure if you use a good hash function like SHA3. By the way, why are you supporting torrents so much? Why don't you let Google put hashes on Google Play pages? Are you a malware developer?? :D – mike Nov 09 '12 at 06:32
-
... am reading this drivel in the comments which are beyond comprehension... and who says free apps are limited to USA, my guess the OP is living outside of the USA... – t0mm13b Jan 07 '13 at 21:36
-
Online MD5 is an online resource to compute a checksum. You could also try downloading MD5 Checker on your phone. I feel like finding somewhere that is actually going to publish the valid checksum is possibly harder. – Krabby127 Mar 06 '16 at 20:33
-
I think the word you are looking for is identical rather than safe. Safety is an illusion – Elder Geek Aug 30 '16 at 20:24
3 Answers
The Guardian Project's free and open-source app Checkey does much of what you're looking to do.
via F-Droid:
"Checkey is a utility for getting information about the APKs that are installed on your device. Starting with a list of all of the apps that you have installed on your device, it will show you the APK signature with a single touch, and provides links to virustotal.com and androidobservatory.org to easily access the profiles of that APK. It will also let you export the signing certificate and generate ApkSignaturePin pin files for use with the TrustedIntents library."
The only way is if you first download it then find its MD5 or SHA1 hash.
Or, use the site http://apps.evozi.com/apk-downloader/ but you have to use the fully qualified name of the app.

-
The website seems to be legitimate, make sure to disclose any affiliation with the site. – Aaron Gillion Mar 14 '16 at 14:44
-
This doesn't make any sense to me. If I can already download the app from Play Store then the question would not exist in the first place. Why would I bother with a checksum since the problem wouldn't exist anymore. And using the checksum of an apk downloaded from a third-party site as a base checksum to compare with makes the whole point of verification moot. – Firelord Mar 14 '16 at 17:22
-
Looks like a useful site, but agreed with Firelord that it is virtually worthless as a method of file verification. – Matthew Read Mar 14 '16 at 21:42
-
Thank you, your answer answers the root problem, how to circumvent country restrictions on the play store. – MaikoID Apr 05 '22 at 14:00
No, it isn't. It would also be possible to make the modified package have the same md5 as the original, so this wouldn't be too secure.
One solution is to remove your SIM card and use a VPN app like TunnelBear VPN to circumvent regional restrictions or an alternative market like Amazon App Store or GetJar.
-
No dear, VPN won't work with the new Google store. And MD5 was an example. SHA-512 or SHA-3 is completely secure with today's computing power ... it's sad Google doesn't do that. I think just this can prevent millions of cell phones and tablets from getting infected with trojan horses – mike Nov 08 '12 at 16:11
-
Why do you say that VPN doesn't work? I'm using it, and it works. Google is a corporation, not a non-profit. It has a financial interest in users downloading apps from the Play Store. So Google doesn't gain anything from adding hashes. Use a VPN like I said above. It works. (Also most people don't know what checksums or hashes are.) – Nov 08 '12 at 16:29
-
For paid maybe, but for free apps VPN won't work. Google store checks your SIM card number and understands your real country ... – mike Nov 08 '12 at 16:37
-
@mike Your operator's code to be exact. So how do you circumvent that? There are several market enabler apps, or just take out the SIM card. – Nov 08 '12 at 16:57
-
I think you are in the USA or UK. Well, outside there it's not as easy as you think. It's not working; somehow it understands and doesn't allow the download. I tried everything. The only way is to root the phone and try market unlocker, which is not safe. It's a shame Google doesn't do that, as it's very simple. Millions of people have no way to know whether apps downloaded from torrents are safe or not – mike Nov 08 '12 at 18:06
-
I live in Hungary. I've been doing one variation or another of what I described for more than two years. It's working for me and all people I know. Why do you say that market unlocker is not safe? You're right that it's simple, but it wouldn't benefit Google. What app are you trying to download? Also you're exaggerating. Far less than millions of people are using torrents for downloading apps. Far less. – Nov 08 '12 at 18:32
-
Bro, if it was like that, why should people download apps from third-party sites which already exist on Google Play for free ...? all the people are idiot? – mike Nov 08 '12 at 19:31
-
"all the people are idiot" Yes. Among other things, more people are technologically illiterate than literate. http://android.stackexchange.com/questions/12538/how-can-i-circumvent-regional-restrictions-in-the-android-market There're also people who don't have internet on their phone, don't have a Google account, don't have Play Store. – Nov 08 '12 at 19:38
-
Wouldn't it be "safe" if you are using both MD5 AND SHA? Is it possible that you can forge a checksum of both in the same file? – arana May 30 '16 at 23:27
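
Added example, not from any of the posts above: when a copy of the APK from a trusted source is available (an assumption; for instance one pulled from a device that installed it from Google Play), this compares it with the downloaded file entry by entry and reports whether the v1 signature files in META-INF/ differ. The two sample archives are constructed in memory and all function names are hypothetical.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signing keeps the signature file and signature block under META-INF/
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def file_digests(data: bytes) -> dict:
    """Whole-file digests, the values a publisher could list next to a download."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def entry_digests(apk: bytes) -> dict:
    """SHA-256 of every ZIP entry; a name that occurs twice is rejected as ambiguous."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for info in z.infolist():
            if info.filename in out:
                raise ValueError("duplicate entry: " + info.filename)
            out[info.filename] = hashlib.sha256(z.read(info)).hexdigest()
    return out

def compare_apks(trusted: bytes, candidate: bytes) -> dict:
    """Report how a downloaded APK differs from a copy taken from a trusted source."""
    a, b = entry_digests(trusted), entry_digests(candidate)
    changed = sorted(n for n in a.keys() & b.keys() if a[n] != b[n])
    added = sorted(b.keys() - a.keys())
    removed = sorted(a.keys() - b.keys())
    return {
        "identical": hashlib.sha256(trusted).digest() == hashlib.sha256(candidate).digest(),
        "changed": changed, "added": added, "removed": removed,
        "signature_files_differ": any(n.startswith("META-INF/") and n.upper().endswith(SIG_SUFFIXES)
                                      for n in changed + added + removed),
    }

def make_sample(entries: dict) -> bytes:
    """Constructed stand-in for an APK: a ZIP with fixed timestamps so digests are stable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(zipfile.ZipInfo(name, date_time=(2012, 11, 8, 0, 0, 0)), body)
    return buf.getvalue()

ORIGINAL = make_sample({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-original",
                        "META-INF/CERT.SF": b"sf-original", "META-INF/CERT.RSA": b"sig-developer"})
REPACKED = make_sample({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-modified",
                        "META-INF/CERT.SF": b"sf-repacked", "META-INF/CERT.RSA": b"sig-other-key"})

if __name__ == "__main__":
    print(compare_apks(ORIGINAL, REPACKED))
```

It compares bytes only and does not validate the signature; `apksigner verify --print-certs` from the Android SDK build-tools prints the signer certificate digests for that.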