How to get the hash of an installed app?

02673853

Some app developers publish SHA256 hashes of their apk's and even if they doesn't, users could at least compare hashes with each other.
But how to get the hash of an app?

The only way I know at the moment is this, which works only with apps installed through Fdroid:

Open the page of an installed app
Click the hamburger/3-dot-menu
Click "Share APK file"
Hash the .apk file, you can do this on Android with for example ImageToolbox which has a file hashing feature

The problem with this method is that it has many steps and only works with apps installed through Fdroid.
Do anyone knows a better way to do this?

Murcielago

02673853

You can install AppVerifier (also available on Accrescent).

It allows you to verify downloaded APK files (it also works nicely with Obtainium). You can also tap on "App list" inside AppVerifier and you get exactly that: a list of installed apps and - among other informations- their hashes.

There is a discussion regarding hashes you also may find helpful:
https://discuss.grapheneos.org/d/15368-lets-compare-hashes-for-apps-not-in-appverifiers-database

NoahRaketic

02673853 What you are looking for is not a way to hash the entire .apk file, but Appverifier. When a developer publishes a sha256 hash of their app, that is almost always a hash of the certificate (which does not change between regular updates), not the entire APK.

Onlyfun

02673853 app manager, signatures page

Eumenia

Murcielago You can install AppVerifier (also available on Accrescent).

App Verifier doesn't show the hash of the installed binary but the hash of the signing certificate.

horde

this does what you want https://f-droid.org/en/packages/com.codedead.deadhash/ ?

02673853

horde this does what you want https://f-droid.org/en/packages/com.codedead.deadhash/ ?

The app you have linked is a tool to hash files.
But to hash the .apk file of an installed app, you first need to obtain the .apk file.
The problem is that as far as I know this only works with apps installed via F-Droid, since the F-Droid client provides a feature that let you export apps as an .apk

horde

02673853 You can find websites that mirror apks from Playstore if thats what you want. But that's not as reliable as you getting the apk from playstore by other means as if everyone checked the apk from that mirror website without check the one from playstore they could be all affected

02673853

horde 02673853 You can find websites that mirror apks from Playstore if thats what you want. But that's not as reliable as you getting the apk from playstore by other means as if everyone checked the apk from that mirror website without check the one from playstore they could be all affected

If I get an apk from a website I could hash the apk, but as soon as it updates, I again have the problem that I can't get the apk out of the installed app to hash it.

EverettHitch You can view APK checksums and signatures of each installed app in App info > Scanner using https://github.com/MuntashirAkon/AppManager

Thanks for linking this.
If I read the app description correctly, most of the features, including extracting .apk's doesn't need ADB/Root, which is great.

EverettHitch

You can view APK checksums and signatures of each installed app in App info > Scanner using https://github.com/MuntashirAkon/AppManager

02673853

NoahRaketic hat you are looking for is not a way to hash the entire .apk file

But this is what I am looking for.

NoahRaketic but Appverifier. When a developer publishes a sha256 hash of their app, that is almost always a hash of the certificate (which does not change between regular updates), not the entire APK.

This doesn't allow me to check if the software that is running on my system is the same as the software running someones else's system or the same as produced by a trusted build server.
The private key could be secretly compromised or the dev could become rogue.
If I hash the apk then there is no additonal layer of assumption like with a signing certificate

Novaliss

02673853 that won't work at all, since the file sizes may differ.

NoahRaketic

02673853 If the developer or their signing key is compromised, then there is absolutely nothing you can do to protect yourself besides reducing trust in the app altogether (reducing permissions, not entering sensitive information). It would be trivial for an attacker to simply release one build of an app to everyone which behaves differently when it detects a specific identifier.

02673853

Novaliss 02673853 that won't work at all, since the file sizes may differ.

What do you mean?

Novaliss

02673853 The hash of the signing certificate will stay consistent through updates of the app, hash of the whole file will not. Also, the same app isn't always packaged to the identical file sizes in all cases, even though the app can still be exactly the same.

02673853

Novaliss 02673853 The hash of the signing certificate will stay consistent through updates of the app, hash of the whole file will not. Also, the same app isn't always packaged to the identical file sizes in all cases, even though the app can still be exactly the same.

Of course different version of one app have different hashes, thats the point.
A hash proofs that you have exactly the same binary.

NoahRaketic 02673853 If the developer or their signing key is compromised, then there is absolutely nothing you can do to protect yourself besides reducing trust in the app altogether (reducing permissions, not entering sensitive information). It would be trivial for an attacker to simply release one build of an app to everyone which behaves differently when it detects a specific identifier.

I only trust software that is reproducible from source.