
I know how to check signatures of apk files, but cannot figure out how to check the trustworthiness of app bundles (apkm). Does anyone have a hint for me?

When e.g. checking the signature of a Google Camera bundle from apkmirror, it shows that the bundle is signed by apkmirror and not, as expected, by Google.

I figured out that I can simply extract the apk files in the bundle and verify their signature (then I get a google signature, as intended). This does not work for all apks though: The "base.apk" does not have a signature. Is there a reason for this? Is the signature for the base.apk maybe included in the other signatures somehow?

Edit: After reading Pierre's answer I figured out that the base.apk indeed is also signed. The problem in my case was that the apksigner version in Ubuntu 18.04 is outdated and does not support the used signature format.

T-Dawg

1 Answer


All APKs should have a signature, including the base. Make sure you use apksigner and not jarsigner.

There is no way to check who it was signed by. The certificate has some information but it can easily be spoofed so it's not reliable.

You basically have to trust the source you're downloading the APKs from, and the best way is usually to ask the developers where they publish their app and download it from there. For Google apps, that's the Play Store.

If you know the certificate the app should be signed with, you can also compare the certificate from the signature with the one you expect.

Pierre
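As an added example (not code from the question or the answer), here is a POSIX shell script that does what the thread arrives at: unpack the .apkm bundle (it is a zip), run `apksigner verify --print-certs` on every APK inside it, and compare each signer certificate's SHA-256 digest against a pinned value, which is the check Pierre's last paragraph describes. It assumes a current apksigner and unzip on PATH; the expected digest is a placeholder to be replaced with one obtained from a copy you trust.

```shell
#!/bin/sh
# Added example, not code from the question or answer: unpack an .apkm bundle,
# verify each APK inside it with apksigner, and pin the signer certificate.
# Assumptions: a current apksigner (old build-tools lack v2/v3 support, which
# is the problem hit in the question) and unzip are on PATH; EXPECTED_SHA256
# is a PLACEHOLDER to be replaced with the digest from a copy you trust.
set -eu

EXPECTED_SHA256="PLACEHOLDER_64_HEX_CHARS_FROM_A_TRUSTED_COPY"

# Read `apksigner verify --print-certs` output on stdin and print the hex
# SHA-256 digest of every "Signer #N certificate" line, lowercased.
signer_sha256_digests() {
    sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *\([0-9A-Fa-f]*\).*$/\1/p' \
        | tr 'A-F' 'a-f'
}

# digests_match OUTPUT EXPECTED: succeed only if OUTPUT names at least one
# signer and every signer's SHA-256 digest equals EXPECTED (case-insensitive).
digests_match() {
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    got=$(printf '%s\n' "$1" | signer_sha256_digests)
    [ -n "$got" ] || return 1        # no signer at all: do not trust it
    for d in $got; do
        [ "$d" = "$want" ] || return 1
    done
    return 0
}

# verify_bundle BUNDLE.apkm EXPECTED: extract only the APKs (base.apk and the
# split_*.apk files, paths flattened with -j) and check each one. apksigner
# exits non-zero on a bad or missing signature, so that fails the check too.
verify_bundle() {
    tmp=$(mktemp -d); status=0
    unzip -qj "$1" '*.apk' -d "$tmp"
    for apk in "$tmp"/*.apk; do
        if out=$(apksigner verify --print-certs "$apk" 2>&1) \
           && digests_match "$out" "$2"; then
            echo "OK   $(basename "$apk")"
        else
            echo "FAIL $(basename "$apk")"; status=1
        fi
    done
    rm -rf "$tmp"
    return "$status"
}

# Usage: sh verify_apkm.sh bundle.apkm [expected_sha256]
if [ "$#" -ge 1 ]; then verify_bundle "$1" "${2:-$EXPECTED_SHA256}"; fi
```

The script exits non-zero if any APK in the bundle fails verification or is signed by a certificate other than the pinned one, so it can gate an install step.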