Verifying an Android app's authenticity

When distributed outside the Google Play store

Usage

Use this guide only if you manage the distribution of your app yourself. It doesn't apply to apps that Speakap publishes directly on Google Play.

Purpose

The steps below let you verify the authenticity of every build / app file we send you, so you can be sure it has not been tampered with before you pass it on to your users.

Introduction

To guarantee the authenticity of the Android app you receive from us and distribute to your users, check its signature every time you receive a file, not just once. This page gives you the means to verify every single app file you get from us.

When we distribute through the Play Store, we can guarantee that the app file users get is exactly the one we built.

However, when we don't handle the distribution end-to-end, we can't guarantee authenticity end-to-end: it's technically possible for someone to alter the app file (APK/AAB) before it reaches you, or between you and your users.

You can rule this out by verifying the signature of the app file with a simple command-line tool. If you have a better way of doing this automatically (for example as a step in your release pipeline), we encourage you to use it.

We sign all our builds with one of our signing certificates, and we are the sole holders of the corresponding private keys. If the file's signature verifies and the signing certificate matches one of ours, the app was built by us and has not been modified since we signed it. Both parts matter: a matching certificate fingerprint on its own says nothing unless the signature over the file's contents also verifies.

We freely share the fingerprints of our signing certificates, so you can compare them with the certificate an app file was signed with.

Steps

Contact Speakap Support to obtain the certificate fingerprint (SHA-256) of our signing certificate.
Please include the following information:

  • Organization Name
  • App Name
  • Description noting that you would like to verify your Android app's authenticity 

  • Get the command-line tools: apksigner (Android SDK build-tools) for APK files and keytool (JDK; Android Studio bundles one) for AAB files - see below
  • Run the command that matches the file type:
    • APK file: "apksigner verify --print-certs your-app.apk" (this verifies the signature over the file's contents and fails on a tampered file, then prints the signer certificate)
    • AAB file: "keytool -printcert -jarfile your-app.aab" (this only prints the signer certificate; to also check that the JAR signature still covers the file's contents, run "jarsigner -verify your-app.aab" first)
  • Compare the SHA-256 certificate fingerprint in the output with the one we shared with you. apksigner prints it as 64 lowercase hex digits without separators, keytool as uppercase pairs separated by colons; ignore that difference, but the 64 hex digits must match exactly, and compare the SHA-256 value, not the SHA-1 or MD5 one.
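The whole procedure as one script, added here as an example (it is not Speakap's own tooling). It assumes apksigner, keytool and jarsigner are on your PATH, takes the app file and the fingerprint Support sent you as its two arguments, and normalises the two tools' fingerprint formats before comparing. The sample tool outputs embedded in it are constructed, with a made-up fingerprint, so the parsing can be tried without a real app file:

```shell
#!/bin/sh
# verify_app.sh - added example, not Speakap's own tooling.
# Checks that an APK or AAB is signed with a certificate whose SHA-256
# fingerprint equals the one Speakap Support sent you.
#
# Assumptions: apksigner (Android SDK build-tools) and keytool/jarsigner (JDK)
# are on PATH; the expected fingerprint is supplied as the second argument.

# Normalise a fingerprint so the two tools' formats compare equal:
# apksigner prints "3d2e..." (lowercase, no separators), keytool prints
# "3D:2E:..." (uppercase, colon separated).
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-Z' 'a-z'
}

# A SHA-256 fingerprint is exactly 64 hex digits; refuse anything else
# (for example an SHA-1 fingerprint pasted by mistake).
is_sha256() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Read tool output on stdin and print every SHA-256 certificate fingerprint
# in it, normalised, one per line. Matches both
#   "Signer #1 certificate SHA-256 digest: <hex>"   (apksigner)
#   "         SHA256: AA:BB:...:FF"                  (keytool -printcert)
extract_sha256() {
    sed -n -e 's/^.*certificate SHA-256 digest: *//p' \
           -e 's/^[[:space:]]*SHA256: *//p' \
    | tr -d ': ' | tr 'A-Z' 'a-z'
}

# $1 = expected fingerprint, $2 = newline-separated fingerprints found in the
# file. Succeeds only if at least one signer certificate matches exactly.
fingerprints_match() {
    expected=$(normalize_fp "$1")
    found=0
    for candidate in $2; do      # unquoted on purpose: split on newlines
        if [ "$candidate" = "$expected" ]; then found=1; fi
    done
    [ "$found" -eq 1 ]
}

# $1 = app file, $2 = expected fingerprint. Exit status: 0 match, 1 mismatch,
# 2 the file could not be verified at all (bad signature, unknown type, ...).
verify_app() {
    file=$1
    expected=$(normalize_fp "$2")
    if ! is_sha256 "$expected"; then
        echo "expected fingerprint must be 64 hex digits (SHA-256)" >&2
        return 2
    fi
    case "$file" in
        *.apk)
            # apksigner verify exits non-zero if the signature does not
            # cover the file contents, so a tampered APK stops here.
            out=$(apksigner verify --print-certs "$file") || return 2 ;;
        *.aab)
            # keytool -printcert only lists the signer certificate; it does
            # not check the signature itself, so run jarsigner -verify first.
            jarsigner -verify -strict "$file" >/dev/null 2>&1 || return 2
            out=$(keytool -printcert -jarfile "$file") || return 2 ;;
        *)
            echo "unsupported file type: $file (expected .apk or .aab)" >&2
            return 2 ;;
    esac
    fingerprints_match "$expected" "$(printf '%s\n' "$out" | extract_sha256)"
}

# Constructed sample outputs (not real Speakap certificates) so the parsing
# can be exercised offline; the fingerprint below is a made-up value.
SAMPLE_APKSIGNER_OUTPUT='Signer #1 certificate DN: CN=Example Org
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
Signer #1 certificate MD5 digest: 0123456789abcdef0123456789abcdef'

SAMPLE_KEYTOOL_OUTPUT='Signer #1:

Signature:

Owner: CN=Example Org
Issuer: CN=Example Org
Certificate fingerprints:
         SHA1: 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67
         SHA256: 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF
Signature algorithm name: SHA256withRSA'

# Usage: sh verify_app.sh <app.apk|app.aab> <expected-sha256-fingerprint>
if [ $# -eq 2 ]; then
    if verify_app "$1" "$2"; then
        echo "OK: $1 is signed with the expected certificate"
    else
        echo "FAIL: $1 is NOT signed with the expected certificate" >&2
        exit 1
    fi
fi
```

A non-zero exit means either a fingerprint mismatch (1) or that the file could not be verified at all (2), so the script can gate a release-pipeline step. Keep the expected fingerprint in your pipeline's configuration, obtained from Support out of band; never take it from the same delivery as the app file, since an attacker who can swap the file can swap an accompanying fingerprint just as easily.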

How to get apksigner and keytool

Both tools are needed to check the signature of an APK or AAB file and compare it with ours. apksigner is part of the Android SDK build-tools, and keytool is part of the JDK (Android Studio bundles one). Typical locations on a Mac:

  • /Users/user/Library/Android/sdk/build-tools/xx.x.x/apksigner
  • /Applications/Android\ Studio.app/Contents/jbr/Contents/Home/bin/keytool 
  • /Users/user/Library/Java/JavaVirtualMachines/jbr-xx.x.xx/Contents/Home/bin/keytool

Documentation:

  • apksigner: https://developer.android.com/tools/apksigner
  • keytool reference: https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html

Note: Just like with any command-line tool, you will need to either add apksigner to your PATH, or use the full folder path of apksigner when executing the command.
