pia-foss / mobile-android-legacy

Private Internet Access - Android VPN Client
MIT License

No reliable method of apk verification available #23

Open sifr01 opened 2 years ago

sifr01 commented 2 years ago

Here are three methods of apk download verification that would mitigate against MiTM attacks. It would be great if pia-foss/android could adopt at least one method for users to be able to verify their downloads:

  1. SHA256 fingerprint - signal messenger provide this verification method; here are the instructions on how to carry out the verification
  2. PGP signature with publication of public key - f-droid.org adopt this method of verification, as do almost all major FOSS communities
  3. SHA checksum - this doesn't really offer protection from MiTM attacks but does provide basic verification against file corruption on download. It seems like all other PIA ports of the app provide this method except pia-foss/android.

As this is an obvious security vulnerability in the use of PIA's VPN app, please could this be resolved with priority?
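A small POSIX shell script that runs the three checks listed above, added here as an example and not code from the PIA repository or the issue author. The file names, the detached-signature layout (`pia.apk.asc`) and the pinned certificate fingerprint are assumptions; `gpg` and `apksigner` (Android build-tools) must be installed for methods 2 and 1.

```shell
#!/bin/sh
# Assumptions (not from the issue): a detached PGP signature is published next
# to the APK, and the signing-certificate fingerprint is pinned out of band.
set -u

# Method 3: SHA-256 checksum of the downloaded file. Detects corruption, but
# not a MiTM that also serves a matching checksum from the same origin.
check_sha256() {  # usage: check_sha256 FILE EXPECTED_HEX
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Method 2: detached PGP signature. The publisher's key must already be in
# the keyring, imported and fingerprint-checked through an independent channel.
check_pgp() {  # usage: check_pgp FILE SIGFILE
    gpg --verify "$2" "$1" 2>/dev/null
}

# Method 1: SHA-256 fingerprint of the APK signing certificate, as printed by
# apksigner, compared against a fingerprint pinned from an independent channel.
check_cert_fingerprint() {  # usage: check_cert_fingerprint FILE EXPECTED_HEX
    fp=$(apksigner verify --print-certs "$1" 2>/dev/null \
         | grep -m1 'certificate SHA-256 digest' | sed 's/.*: *//')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$fp" ] && [ "$fp" = "$expected" ]
}

# When run as a script: verify-apk.sh APK SHA256 SIGFILE CERT_FINGERPRINT
# A passing checksum alone is not sufficient; methods 1 or 2 bind the file
# to the publisher rather than to whatever was served alongside it.
if [ "$#" -eq 4 ]; then
    check_sha256 "$1" "$2"           && echo "sha256 checksum: ok"   || echo "sha256 checksum: FAIL"
    check_pgp "$1" "$3"              && echo "pgp signature: ok"     || echo "pgp signature: FAIL"
    check_cert_fingerprint "$1" "$4" && echo "cert fingerprint: ok"  || echo "cert fingerprint: FAIL"
fi
```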

kp-juan-docal commented 1 year ago

Hello @sifr01, it looks like with the design change we've mistakenly dropped the sha256 fingerprint section we had along with our web APK. I've created a ticket in our backlog to look into it.