ImranR98 / Obtainium

Get Android app updates straight from the source.
https://obtainium.imranr.dev
GNU General Public License v3.0

Verify that Google Play sourced APKs obtained from 3rd party sources are signed by Google #651

Open flawedworld opened 1 year ago

ImranR98 commented 1 year ago

Aren't the apps on the Play store signed by the developers' own keys, not Google's?

flawedworld commented 1 year ago

Google Play adds metadata into the APK Signing Block to show that an APK came from Google Play. See: https://android-developers.googleblog.com/2017/12/improving-app-security-and-performance.html Assuming that this is still the case, you should be able to use this to determine that an APK came from Google Play.

1xFF commented 1 year ago

This seems to be an example of doing it in Go: https://github.com/avast/apkverifier/blob/master/signingblock/frosting.go

dreamcat4 commented 10 months ago

> APKMirror is run by the AndroidPolice news website, so I think it is. APKPure and Aptoide I'm not sure about, but they seem okay. Uptodown seems like the sketchiest of the four.

Having just independently researched these organisations, I would move the new Uptodown to 2nd place, above Aptoide. They are entirely based in the EU and subject to EU jurisdiction, plus their other processes and features, and you can even see a page with all of their staff members, named and photographed. So long as this stays true (for the time being, while their organisation is still a 100% EU-based company in these ways)...

And here you can read up about the integrity of this organisation, over on the official Wikipedia page (translated from Spanish). It gives relevant references, and also covers the EU "Digital Markets Law". So in effect this is the EU's answer to holding Google to account:

https://es-m-wikipedia-org.translate.goog/wiki/Uptodown?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=sc

OK, so on to the signature checking matters:

Over on Uptodown each app gets signatures. It would be nice to compare these to Google Play Store signatures, scraped directly from the Google Play Store. However, this is not applicable for all of the apps on Uptodown. It's only relevant for those Uptodown-hosted apps which were originally sourced from the official Google Play (and not other sources). And so it is first necessary to check the metadata on the Uptodown app page to discover this (and that the publisher itself is officially Uptodown themselves, rather than some random developers...)

To then know to fetch the official signatures from Google Play to check against.

Now I think I trust Uptodown as an organisation, that the app is the same. However, what I don't trust is that at any random future time the Uptodown store might get hacked (by unknown hackers), who then mess about replacing the apps. So this is the real quest here, for the independent signature verification.

And of course there is no need to bother for any random 3rd-party apps on Uptodown, for which there is no point checking the signatures.

Now Uptodown might resist, or try to keep on changing their website / APIs. But I hope not. And I hope that they can cooperate with your app here, to make it less work for you. Because there aren't any better alternatives out there ATM...
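The two checks discussed in this thread (flawedworld's point that Google Play stamps an extra block into the APK Signing Block, and dreamcat4's wish to compare a store-downloaded APK's signatures against what Google Play ships) both start from the same parsing step: walking the APK Signing Block. The Python below is an added example, not Obtainium's code and not the avast/apkverifier code linked above. It parses the block's ID-value pairs, reports whether the Play metadata block is present, and extracts the SHA-256 fingerprints of the signer certificates from the v2 signature block, which is the value you would compare between two downloads of the same package. The frosting block ID `0x2146444E` is taken from memory of the linked `frosting.go` and should be checked against that file; the sample "APK" is constructed in-line (fake zip body, fake certificate DER) so the script runs offline.

```python
"""Parse an APK Signing Block: detect the Play Store metadata ("frosting") block and
collect signer-certificate fingerprints from the v2 signature block."""
import hashlib
import struct

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = 0x06054B50
BLOCK_ID_V2_SIGNATURE = 0x7109871A    # APK Signature Scheme v2 block
BLOCK_ID_PLAY_FROSTING = 0x2146444E   # assumed: ID that avast/apkverifier's frosting.go keys on


def _u32(buf, pos):
    return struct.unpack_from("<I", buf, pos)[0]


def _u64(buf, pos):
    return struct.unpack_from("<Q", buf, pos)[0]


def find_eocd(data: bytes) -> int:
    """Locate the zip End Of Central Directory record; it may carry a trailing comment, so scan back."""
    for i in range(len(data) - 22, -1, -1):
        if _u32(data, i) == EOCD_SIGNATURE:
            comment_len = struct.unpack_from("<H", data, i + 20)[0]
            if i + 22 + comment_len == len(data):
                return i
    raise ValueError("EOCD record not found; not a zip/APK")


def parse_signing_block(data: bytes) -> dict:
    """Return {block_id: value} for every ID-value pair in the APK Signing Block."""
    cd_offset = _u32(data, find_eocd(data) + 16)          # central directory starts right after the block
    if cd_offset < 24 or data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block before the central directory")
    size = _u64(data, cd_offset - 24)                      # size excludes the leading size field itself
    start = cd_offset - size - 8
    if start < 0 or _u64(data, start) != size:
        raise ValueError("APK Signing Block size fields disagree")
    pairs, pos, end = {}, start + 8, cd_offset - 24
    while pos < end:
        pair_len = _u64(data, pos)                         # uint64 length of (uint32 id + value)
        pos += 8
        if pair_len < 4 or pos + pair_len > end:
            raise ValueError("malformed ID-value pair")
        pairs[_u32(data, pos)] = data[pos + 4:pos + pair_len]
        pos += pair_len
    return pairs


def _lp_take(buf: bytes, pos: int):
    """Read one uint32-length-prefixed field; return (field, next position)."""
    n = _u32(buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def _lp_items(buf: bytes) -> list:
    """Split a sequence of uint32-length-prefixed items."""
    items, pos = [], 0
    while pos < len(buf):
        item, pos = _lp_take(buf, pos)
        items.append(item)
    return items


def has_play_metadata(data: bytes) -> bool:
    """True if the signing block carries the Play Store metadata block (presence only, no verification)."""
    return BLOCK_ID_PLAY_FROSTING in parse_signing_block(data)


def signer_cert_fingerprints(data: bytes) -> list:
    """SHA-256 of every X.509 certificate in the v2 block: signer -> signed data -> certificates."""
    v2 = parse_signing_block(data).get(BLOCK_ID_V2_SIGNATURE)
    if v2 is None:
        return []
    signers, _ = _lp_take(v2, 0)
    fingerprints = []
    for signer in _lp_items(signers):
        signed_data, _ = _lp_take(signer, 0)
        _digests, pos = _lp_take(signed_data, 0)           # skip the digests sequence
        certs, _ = _lp_take(signed_data, pos)
        fingerprints.extend(hashlib.sha256(c).hexdigest() for c in _lp_items(certs))
    return fingerprints


def _lp(b: bytes) -> bytes:
    return struct.pack("<I", len(b)) + b


def build_sample_apk(cert_der: bytes, with_frosting: bool) -> bytes:
    """Constructed stand-in for an APK: fake zip body, a real-layout signing block, fake central dir, EOCD."""
    signed_data = _lp(b"") + _lp(_lp(cert_der)) + _lp(b"")        # digests, certificates, attributes
    signer = _lp(signed_data) + _lp(b"") + _lp(b"fake-public-key")  # signed data, signatures, public key
    pairs = [(BLOCK_ID_V2_SIGNATURE, _lp(_lp(signer)))]
    if with_frosting:
        pairs.append((BLOCK_ID_PLAY_FROSTING, b"\x01constructed-frosting-bytes"))
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    entries = b"PK\x03\x04constructed-local-entry"
    cd = b"PK\x01\x02constructed-central-dir"
    eocd = struct.pack("<IHHHHIIH", EOCD_SIGNATURE, 0, 0, 1, 1, len(cd), len(entries) + len(block), 0)
    return entries + block + cd + eocd


if __name__ == "__main__":
    apk = build_sample_apk(b"constructed-cert-der", with_frosting=True)
    print("Play metadata block present:", has_play_metadata(apk))
    print("signer cert SHA-256:", signer_cert_fingerprints(apk))
```

Two caveats for anyone turning this into a real check. First, `has_play_metadata` only reports that the block exists; the linked Go code goes further and verifies the signature inside it, and without that step a block could be copied from any Play-sourced APK. Second, this reads only the v2 block; APKs signed with scheme v3 carry their certificates in a separate block with the same signer layout, so a store-comparison tool should read that too. Matching certificate fingerprints across two downloads tells you they were signed with the same developer key, which is the property the thread is really after.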