Is AppVerifier necessary when using Obtainium?

Clark

I understand the purpose of the verifier, but is it necessary when I get my apps straight from Fdroid or Github? Is it a security threat to not use the AppVerifier?

Clark

Bump

Exhort14

Necessary? No. Security threat? No.

But I still use it on first install.

I think of it this way... Every night before I go to bed, I check that my doors are locked. Does this stop someone from breaking in through the door or window? No. But it's better than leaving the door unlocked.

Clark

Exhort14 thank you for answering. How do I verify apps with AppVerifier when it tells me "internal database status: not found" and "verification status: unknown"?

Murcielago

Clark

Hopefully you will find this answer helpful:

https://discuss.grapheneos.org/d/14701-how-to-verify-apps-with-appverifier-that-are-not-in-the-internal-database/3

Clark

Murcielago how do I get the SHA256 number?

Murcielago

Clark

Did you read the whole discussion i linked to? See e.g. @soupslurpr answer:

you may find it on the developers website, social media, app's website. Make sure not to get it from the same place you got the app from since if the app can be replaced the posted hash probably can too. In general you should try to use app stores which verify their apps. Accrescent has Aves and is installable through the GrapheneOS App Store.

source: https://discuss.grapheneos.org/d/14701-how-to-verify-apps-with-appverifier-that-are-not-in-the-internal-database/8

Clark

Murcielago I did read it, but I guess I'm still confused on where exactly to look for the number. Like a certain place on Github or something. But I'll have a look around.

Exhort14

I've not always found them easy to find, but since app verifier tells you what the SHA is for the app you installed, you can search it on github or your search engine of choice to see if you can match it that way.

For example, a month or so back, Signal added a new SHA, so app verifier made it look like I had a fake app. Since I installed Signal from the play store, I was surprised. Turns out that app verifier hadn't yet added the new SHA, but I was able to find it by searching. As the linked article suggests, some devs post it along with the apk in the assets portion of github.