Let's compare hashes for apps not in AppVerifier's database!

Dumdum

DeletedUser222
Downloaded from github

ua.acclorite.book_story
A6:61:A0:C8:1F:13:8E:53:DF:F3:2F:8F:DC:1D:D1:9F:81:30:52:39:14:02:7E:2C:02:96:FE:24:51:31:A7:D4

DeletedUser222

Dumdum
Thanks...

ignoramous

rdns dev here

IcyScroll Got it from Github a few months back. Didn't verify it in any way, though.

What are these hashes? Of the public app signing (RSA) key? If so, I can generate and advertise one on our website/github readme.

IcyScroll

ignoramous hi there!

ignoramous the public app signing (RSA) key?

Yes, I believe it's SHA-256 of it. You should be able to get it with this simple command:
apksigner verify --print-certs [name].apk
https://github.com/soupslurpr/AppVerifier

ignoramous I can generate and advertise one on our website/github readme.

It would be very helpful, thank you :)

dhhdjbd

org.torproject.torbrowser
20:06:1F:04:5E:73:7C:67:37:5C:17:79:4C:FE:DB:43:6A:03:CE:C6:BA:CB:7C:B9:F9:66:42:20:5C:A2:CE:C8

Can anyone confirm this please?

Dumdum

dhhdjbd
Matches for me.

dhhdjbd

Dumdum thank you

Other Apps if someone needs them later:

com.standardnotes
58:3F:C4:1B:49:0C:38:0B:56:FB:E9:EE:47:38:1E:B4:EF:53:E0:37:19:A5:50:3F:C1:F2:9D:CD:8E:28:90:2A

com.cakewallet.cake_wallet
C5:40:53:AB:0F:10:D9:54:17:62:A3:DA:76:65:AE:3D:BA:5E:7C:74:3A:B4:F1:08:A5:34:9D:62:AC:10:6E:F5

digital.ventral.ips
03:24:3D:0C:0D:44:B6:E0:B4:1E:3C:B2:45:B1:DC:26:9B:E4:C3:FF:E1:77:F8:43:FC:00:5B:C4:EA:0C:74:26

com.revolut.revolut
9C:9B:E0:71:35:E9:72:78:02:82:C2:E5:D2:7D:A0:6E:CB:8E:E3:AD:FC:75:30:39:17:DD:F6:6D:6F:AA:EF:A4

In Database:

de.tutao.tutanota
B4:54:C1:76:F9:0A:1E:A0:57:29:87:D3:82:72:3B:5C:D7:4F:94:2A:79:37:A2:A0:B9:9A:36:80:69:14:88:50

dev.imranr.obtainium
B3:53:60:1F:6A:1D:5F:D6:60:3A:E2:F5:0B:E8:0C:F3:01:36:7B:86:B6:AB:8B:1F:66:24:3D:A9:6C:D5:73:62

net.mullvad.mullvadvpn
7B:E2:19:30:C3:B4:D7:39:06:B0:89:30:45:0A:1D:3A:FB:D2:2C:98:D9:D8:E9:87:DF:8C:1F:BC:2D:0C:90:BB

com.x8bit.bitwarden
24:E0:6C:04:C2:08:04:8F:19:F1:C9:93:B4:DD:A4:43:0E:A8:B0:6D:B8:37:5E:A0:E3:7B:83:46:96:B9:AC:3A

DeletedUser495

@soupslurpr Is there any ongoing work on updating AppVerifier's database?

soupslurpr

DeletedUser495 it's being maintained, but I don't plan on adding any new apps to it.

BaronAfanas

soupslurpr Why, if I might ask? Wouldn't that make the app even more awesome?

soupslurpr

BaronAfanas well, it's just too time-consuming to add new apps and maintain them

pimp

@soupslurpr Thanks for your work!

Have you maybe considered splitting the database into a separate repository, then work with the community to maintain the database? So f.e. assign some team-members/reviewers you trust and let them maintain the db? Maybe maintenance could also be automated for some apps (given a trustworthy source for the apk)?

The (need for the) existence of this topic seems just a bit meh, would be cool if we could somehow move forward.

soupslurpr

pimp that could maybe work but I really don't want to spend time on it instead of other stuff (e.g. network location) since it is a solved problem already. Apps need to be on secure app stores.

schweizer

soupslurpr I really don't want to spend time on it instead of other stuff since it is a solved problem already

No that problem is not solved in any way. You cannot download apps from Playstore anonymously. You cannot redeem gift cards if you use GOS. Since Play Services and PlayStore are both operated by the same company they link your daily activity with your payment data. This is inacceptable to me and many others.

schweizer

de0u That sounds like something to take up with the app developers

That contradicts soupslurpr that apps belong in a secure app store.

Let us be a little bit realistic. There are 3.5 million app developers on play store. That would be a lot of takeup.

Appverifier could also be used outside GOS which would make it's impact much bigger.

DeletedUser237

schweizer You cannot download apps from Playstore anonymously. You cannot redeem gift cards if you use GOS. Since Play Services and PlayStore are both operated by the same company they link your daily activity with your payment data. This is inacceptable to me and many others.

But this is not what the AppVerifier is trying to solve.. And I do agree with the dev, time spent on network location project is much better spend imho.

de0u

schweizer You cannot download apps from Playstore anonymously. You cannot redeem gift cards if you use GOS. Since Play Services and PlayStore are both operated by the same company they link your daily activity with your payment data. This is inacceptable to me and many others.

That sounds like something to take up with the app developers, who could make their apps available via avenues other than Google Play. That would probably require more effort for the app developers, so they might charge more money per user...

de0u

schweizer I don't see what I wrote that rejects a claim made by @soupslurpr ... nor do I understand why me potentially having a different opinion than @soupslurpr would be invalid... nor do I understand the basis for accusing me of being "unrealistic".

That said, I will do my best to reflect on and appreciate the attempt to improve my level of realism.

schweizer

de0u I by no mans want to infringe you as a person. I jist point out that there are two approaches to deliver apps to users:

decentralised approach, every app developer puts his .apk file on a server. The task of quality assurance is completely delegated to the user. Every app developer that wants money must provide it's own payment process.
centralised approach such as PlayStore where a trusted agency is responsible for deferring malicious apps. The secure store provides a payment process.

The two approaches are incompatible. I am fine with either as long as the centralised agent does not continue to spy on users after the apps are sold.

And I wanted to point out this discussion is not solved. The majority of appdevelopers are not willing to provide apks and payment processes. And Google as the central intermediary is not willing to provide privacy.

de0u

schweizer In the EU there are three approaches for Apple devices, with the third one being "federated app stores"? And actually it's possible, some of the time for some apps, for end users to build them from source, so perhaps arguably a fourth option?

schweizer The two approaches are incompatible.

On a single Android device it is completely possible to have apps obtained via a mixture of the approaches.

schweizer I wanted to point out this discussion is not solved.

I suspect the author of AppVerifier was indicating that the problem the author designed AppVerifier to solve has been solved. In particular, there is a chain of trust from a GrapheneOS installation, through the App Store app and the Accrescent app, to an app that runs on devices and can be used to read and compare app author signatures.

schweizer The majority of appdevelopers are not willing to provide apks and payment processes. And Google as the central intermediary is not willing to provide privacy.

It's indeed a problem, and various people are trying various things. The EU has their ideas; the Accrescent author has an idea; from time to time lobbying the developer of some specific app has results.

Meanwhile, the laws in many jurisdictions place limits on privacy when money changes hands.

« Previous Page Next Page »